Hi,

The ipa trust-add command expects a domain name, not a server name. Is adtest1.ad.test.example.com a server or a domain?
You can check the DNS requirements in this doc:
https://docs.redhat.com/en/documentation/Red_Hat_Enterprise_Linux/9/html/installing_trust_between_idm_and_ad/configuring-dns-and-realm-settings-for-a-trust_installing-trust-between-idm-and-ad

HTH,
flo

On Mon, Jul 29, 2024 at 10:08 PM Rob Crittenden via FreeIPA-users <[email protected]> wrote:

> If you don't have DNS configured then this is not a dnssec issue.
> Creating this file is a no-op without bind configured. Which is fine. It
> just means it isn't dnssec-related.
>
> rob
>
> Johnnie W Adams via FreeIPA-users wrote:
> > I'm on RHEL 9 and have no /etc/named.conf file. I have tried
> > creating one, both in /etc and in /etc/named, with the suggested dnssec
> > configuration, but that got me no further.
> >
> > On Fri, Jul 19, 2024 at 2:36 PM Rob Crittenden <[email protected]> wrote:
> >
> >     Johnnie W Adams wrote:
> >     > So I adjusted my command line to point at the entire forest and not a
> >     > single domain controller, and got both a trust and a much more
> >     > interesting error:
> >     >
> >     > ipa: INFO: Response: {
> >     >     "error": {
> >     >         "code": 906,
> >     >         "data": {
> >     >             "error": "Fetching domains from trusted forest failed. See details in the error_log",
> >     >             "server": "rhidm1.net.example.com"
> >     >         },
> >     >         "message": "error on server 'rhidm1.net.example.com': Fetching domains from trusted forest failed. See details in the error_log",
> >     >         "name": "ServerCommandError"
> >     >     },
> >     >     "id": 0,
> >     >     "principal": "[email protected]",
> >     >     "result": null,
> >     >     "version": "4.11.0"
> >     > }
> >     >
> >     > ipa: ERROR: error on server 'rhidm1.net.example.com': Fetching domains
> >     > from trusted forest failed. See details in the error_log
> >     >
> >     > From the error_log:
> >     >
> >     > [Fri Jul 19 12:31:51.363222 2024] [wsgi:error] [pid 522388:tid 522652] [remote <ip address>:39124] ipa: ERROR: Helper fetch_domains was called for forest ad.test.example.com, return code is 1
> >     >
> >     > [Fri Jul 19 12:31:51.363750 2024] [wsgi:error] [pid 522388:tid 522652] [remote <ip address>:39124] ipa: ERROR: Standard output from the helper:
> >     >
> >     > <snip>
> >     >
> >     > [Fri Jul 19 12:31:51.364596 2024] [wsgi:error] [pid 522388:tid 522652] [remote <ip address>:39124] ipa: ERROR: environment: environ({'LANG': 'en_US.UTF-8', 'PATH': '/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin', 'PIDFILE': '/run/oddjobd.pid', 'INVOCATION_ID': '002ac795667b4ab983ffa100b2f47dd8', 'JOURNAL_STREAM': '8:36642766', 'SYSTEMD_EXEC_PID': '487987', 'LC_ALL': 'C.UTF-8', 'ODDJOB_SERVICE_NAME': 'com.redhat.idm.trust', 'ODDJOB_OBJECT_PATH': '/', 'ODDJOB_INTERFACE_NAME': 'com.redhat.idm.trust', 'ODDJOB_METHOD_NAME': 'fetch_domains', 'ODDJOB_CALLING_USER': 'ipaapi', 'KRB5_CONFIG': '/etc/krb5.conf', 'KRB5CCNAME': '/run/ipa/krb5cc_oddjob_trusts_fetch'})
> >     >
> >     > What am I looking at? What am I missing?
> >
> >     Is DNSSEC enabled? See https://access.redhat.com/solutions/2263991
> >
> >     rob
> >
> > --
> > John Adams
> > Senior Linux/Middleware Administrator | Information Technology Services
> > +1-501-916-3010 | [email protected] | http://ualr.edu/itservices
> > UA Little Rock
> >
> > Reminder: IT Services will never ask for your password over the phone
> > or in an email. Always be suspicious of requests for personal
> > information that come via email, even from known contacts. For more
> > information or to report suspicious email, visit IT Security
> > <http://ualr.edu/itservices/security/>.
>
> --
> _______________________________________________
> FreeIPA-users mailing list -- [email protected]
> To unsubscribe send an email to [email protected]
> Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
> List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
> List Archives: https://lists.fedorahosted.org/archives/list/[email protected]
> Do not reply to spam, report it: https://pagure.io/fedora-infrastructure/new_issue
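An added example, not part of the original thread and not FreeIPA code: one way to tell whether a name such as adtest1.ad.test.example.com is an AD domain or a single server before passing it to ipa trust-add, by looking for the _ldap._tcp.dc._msdcs SRV record that AD domains publish for locating domain controllers. The function names are hypothetical, and dig (bind-utils) is assumed to be installed on the IdM server.

```shell
#!/bin/sh
# Added example: classify a name before using it with `ipa trust-add`.
# The two lookup wrappers are hypothetical helpers; they can be replaced
# with stubs so the classification logic can be exercised without DNS.

# SRV records for a service name; dig diagnostics (lines starting ';') dropped.
srv_lookup() { dig +short -t SRV "$1" | sed '/^;/d'; }

# IPv4 and IPv6 address records for a host name.
addr_lookup() {
    { dig +short -t A "$1"; dig +short -t AAAA "$1"; } | sed '/^;/d'
}

# Prints one word: domain | host | unresolved
classify_trust_target() {
    name=${1%.}                       # tolerate a trailing dot
    # AD domains publish DC locator records under dc._msdcs.<domain>;
    # a single domain controller's host name has no such record.
    if [ -n "$(srv_lookup "_ldap._tcp.dc._msdcs.$name")" ]; then
        echo domain
    elif [ -n "$(addr_lookup "$name")" ]; then
        echo host
    else
        echo unresolved
    fi
}

# Returns 0 only when the name looks like an AD domain, and says why not otherwise.
check_trust_target() {
    case $(classify_trust_target "$1") in
        domain)
            echo "$1: DC locator SRV records found, usable as a domain name"
            return 0 ;;
        host)
            echo "$1: resolves as a host without DC locator SRV records; use its domain instead" >&2
            return 1 ;;
        *)
            echo "$1: no SRV or address records; check that IdM can resolve the AD zone" >&2
            return 2 ;;
    esac
}

# Query live DNS only when a name is given on the command line.
if [ "$#" -gt 0 ]; then check_trust_target "$1"; fi
```

Run it on the IdM server with the name you intend to give to ipa trust-add as the only argument.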
