Hi,

On Thu, Aug 19, 2021 at 7:09 PM Vinícius Ferrão via FreeIPA-users <freeipa-users@lists.fedorahosted.org> wrote:

> Hello,
>
> I had to reinstall our IPA server since we had filesystem corruption beyond repair on it.
>
> After the reinstall (with ipa-replica-install) AD Trust does not seem to be working anymore.
>
> I tried to delete the trust and then re-add it, but there's no effect. Here are the outputs:
>
> [root@idm1 ~]# ipa-adtrust-install --add-agents
>
> The log file for this installation can be found in /var/log/ipaserver-adtrust-install.log
>
> ==============================================================================
> This program will setup components needed to establish trust to AD domains for
> the IPA Server.
>
> This includes:
>   * Configure Samba
>   * Add trust related objects to IPA LDAP server
>
> To accept the default shown in brackets, press the Enter key.
>
> Configuring cross-realm trusts for IPA server requires password for user 'admin'.
> This user is a regular system account used for IPA server administration.
>
> admin password:
>
> IPA generated smb.conf detected.
> Overwrite smb.conf? [no]: yes
> Do you want to enable support for trusted domains in Schema Compatibility plugin?
> This will allow clients older than SSSD 1.9 and non-Linux clients to work with trusted users.
>
> Enable trusted domains support in slapi-nis? [no]: yes
>
>
> The following operations may take some minutes to complete.
> Please wait until the prompt is returned.
>
> Configuring CIFS
>   [1/24]: validate server hostname
>   [2/24]: stopping smbd
>   [3/24]: creating samba domain object
> Samba domain object already exists
>   [4/24]: retrieve local idmap range
>   [5/24]: writing samba config file
>   [6/24]: creating samba config registry
>   [7/24]: adding cifs Kerberos principal
>   [8/24]: adding cifs and host Kerberos principals to the adtrust agents group
>   [9/24]: check for cifs services defined on other replicas
>   [10/24]: adding cifs principal to S4U2Proxy targets
> cifs principal already targeted, nothing to do.
>   [11/24]: adding admin(group) SIDs
> Admin SID already set, nothing to do
> Admin group SID already set, nothing to do
>   [12/24]: adding RID bases
> RID bases already set, nothing to do
>   [13/24]: updating Kerberos config
> 'dns_lookup_kdc' already set to 'true', nothing to do.
>   [14/24]: activating CLDAP plugin
> CLDAP plugin already configured, nothing to do
>   [15/24]: activating sidgen task
> Sidgen task plugin already configured, nothing to do
>   [16/24]: map BUILTIN\Guests to nobody group
>   [17/24]: configuring smbd to start on boot
>   [18/24]: enabling trusted domains support for older clients via Schema Compatibility plugin
>   [19/24]: restarting Directory Server to take MS PAC and LDAP plugins changes into account
>   [20/24]: adding fallback group
> Fallback group already set, nothing to do
>   [21/24]: adding Default Trust View
> Default Trust View already exists.
>   [22/24]: setting SELinux booleans
>   [23/24]: starting CIFS services
>   [24/24]: restarting smbd
> Done configuring CIFS.
>
>
> =============================================================================
> Setup complete
>
> You must make sure these network ports are open:
>   TCP Ports:
>     * 135: epmap
>     * 138: netbios-dgm
>     * 139: netbios-ssn
>     * 445: microsoft-ds
>     * 1024..1300: epmap listener range
>     * 3268: msft-gc
>   UDP Ports:
>     * 138: netbios-dgm
>     * 139: netbios-ssn
>     * 389: (C)LDAP
>     * 445: microsoft-ds
>
> See the ipa-adtrust-install(1) man page for more details
>
>
> =============================================================================
>
>
> Doing the trust add since the last command didn't add it:
>
> [root@idm1 ~]# ipa trust-add win.versatushpc.com.br
> Active Directory domain administrator: Administrator
> Active Directory domain administrator's password:
> ---------------------------------------------------------------
> Added Active Directory trust for realm "win.versatushpc.com.br"
> ---------------------------------------------------------------
>   Realm name: win.versatushpc.com.br
>   Domain NetBIOS name: VersatusHPC
>   Domain Security Identifier: S-1-5-21-3644117338-1171143469-618167831
>   Trust direction: Trusting forest
>   Trust type: Active Directory domain
>   Trust status: Established and verified
>
>
> Fetch domains returns 0:
>
> [root@idm1 ~]# ipa trust-fetch-domains win.versatushpc.com.br
> ----------------------------------------------------------------------------------------
> List of trust domains successfully refreshed. Use trustdomain-find command to list them.
> ----------------------------------------------------------------------------------------
> ----------------------------
> Number of entries returned 0
> ----------------------------
>
>
> But trustdomain-find is able to find the domain:
>
> [root@idm1 ~]# ipa trustdomain-find
>   Realm name: win.versatushpc.com.br
>   Domain name: win.versatushpc.com.br
>   Domain NetBIOS name: VersatusHPC
>   Domain Security Identifier: S-1-5-21-3644117338-1171143469-618167831
>   Domain enabled: True
> ----------------------------
> Number of entries returned 1
> ----------------------------
>
> Healthcheck complains about those issues:
>
> [root@idm1 ~]# ipa-healthcheck --all --output-type human | grep -v SUCCESS
> WARNING: ipahealthcheck.ipa.trust.IPATrustCatalogCheck.S-1-5-21-3644117338-1171143469-618167831: Look up of S-1-5-21-3644117338-1171143469-618167831 returned nothing
> ERROR: ipahealthcheck.ipa.trust.IPATrustCatalogCheck.AD Global Catalog: AD Global Catalog not found in /usr/sbin/sssctl 'domain-status' output: Active servers: IPA: idm1.nix.versatushpc.com.br
> ERROR: ipahealthcheck.ipa.trust.IPATrustCatalogCheck.AD Domain Controller: AD Domain Controller not found in /usr/sbin/sssctl 'domain-status' output: Active servers: IPA: idm1.nix.versatushpc.com.br
>

Can you show the output of "ipa idrange-find"?

> And finally we had a DNA range issue, but I was able to solve it with this guide:
> https://rcritten.wordpress.com/2015/01/05/freeipa-and-no-dna-range/
>
> [root@idm2 ~]# ipa-replica-manage dnarange-show
> idm1.nix.versatushpc.com.br: 1278400006-1278499999
> idm2.nix.versatushpc.com.br: 1278400000-1278499999
>

The ranges are overlapping; this should be fixed. The range for idm2 should end before the beginning of the idm1 range.

flo

> Seems to be OK, I think...
>
> I'm running IPA on RHEL 8.4.
>
> If it's easier to just remove IPA and reinstall from scratch, that's OK. This is a development system; the same goes for the Windows domain.
>
> Thank you all.
>
> _______________________________________________
> FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
> To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org
> Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
> List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
> List Archives: https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahosted.org
> Do not reply to spam on the list, report it: https://pagure.io/fedora-infrastructure
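The overlap that flo points out above is easy to miss by eye, since both ranges share the same upper bound. The script below is an added example, not FreeIPA project code and not from either participant: it parses the "host: START-END" lines that `ipa-replica-manage dnarange-show` prints (the format shown in the thread; hosts reported as "No range set" are skipped), flags every pair of ranges that share at least one ID, and prints the `ipa-replica-manage dnarange-set` command that caps one host's range one ID below the other host's start, which is the fix flo describes. The sample input is constructed from the two ranges posted in the thread; the function names `dna_overlaps` and `dna_fix_command` are this example's own.

```shell
#!/bin/sh
# Added example (not FreeIPA project code): detect overlapping DNA ranges in
# `ipa-replica-manage dnarange-show` output and suggest the dnarange-set
# command that ends the lower range just before the higher range begins.
# Assumes the "host: START-END" line format shown in the thread; lines whose
# second field is not START-END (e.g. "No range set") are ignored.

# Constructed sample: the two ranges posted in the thread. They overlap.
SAMPLE='idm1.nix.versatushpc.com.br: 1278400006-1278499999
idm2.nix.versatushpc.com.br: 1278400000-1278499999'

# Constructed sample with idm2 capped below idm1 (no overlap) plus a
# replica without a range, to show the filter.
SAMPLE_FIXED='idm1.nix.versatushpc.com.br: 1278400006-1278499999
idm2.nix.versatushpc.com.br: 1278400000-1278400005
idm3.nix.versatushpc.com.br: No range set'

# dna_overlaps TEXT
# Prints "hostA hostB" for every pair of ranges that share at least one ID.
# Exit status: 0 = no overlap, 1 = at least one overlapping pair.
dna_overlaps() {
    printf '%s\n' "$1" | awk '
        $2 ~ /^[0-9]+-[0-9]+$/ {
            n++
            h[n] = $1; sub(/:$/, "", h[n])
            split($2, r, "-"); lo[n] = r[1] + 0; hi[n] = r[2] + 0
        }
        END {
            found = 0
            for (i = 1; i <= n; i++)
                for (j = i + 1; j <= n; j++)
                    # Closed intervals overlap iff each starts at or before
                    # the other one ends.
                    if (lo[i] <= hi[j] && lo[j] <= hi[i]) {
                        print h[i], h[j]
                        found = 1
                    }
            exit found
        }'
}

# dna_fix_command TEXT SHRINK_HOST KEEP_HOST
# Prints the dnarange-set command that makes SHRINK_HOST end one ID below
# KEEP_HOST starts. Exit 1 if SHRINK_HOST starts at or above KEEP_HOST (no
# room below it), 2 if either host has no range in TEXT.
dna_fix_command() {
    printf '%s\n' "$1" | awk -v shrink="$2" -v keep="$3" '
        $2 ~ /^[0-9]+-[0-9]+$/ {
            host = $1; sub(/:$/, "", host)
            split($2, r, "-"); lo[host] = r[1] + 0; hi[host] = r[2] + 0
        }
        END {
            if (!(shrink in lo) || !(keep in lo)) exit 2
            newhi = lo[keep] - 1
            if (newhi < lo[shrink]) exit 1
            printf "ipa-replica-manage dnarange-set %s %d-%d\n", shrink, lo[shrink], newhi
        }'
}

# Stand-alone run against the constructed sample.
if dna_overlaps "$SAMPLE"; then
    echo "no overlapping DNA ranges"
else
    echo "overlapping DNA ranges found; suggested fix:"
    dna_fix_command "$SAMPLE" idm2.nix.versatushpc.com.br idm1.nix.versatushpc.com.br
fi
```

On a real server replace the constructed `SAMPLE` with `"$(ipa-replica-manage dnarange-show)"`. Note that the suggested fix leaves idm2 with only six IDs (1278400000-1278400005); `dnarange-set` only accepts a range that lies inside one of the ID ranges `ipa idrange-find` reports, which is why flo asks for that output first, so check it before deciding whether to cap idm2 or carve it a larger unused block instead.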