Hi,

The ipa trust-add command expects a domain name, not a server name. Is
adtest1.ad.test.example.com a server or a domain?

You can check the DNS requirements in this doc:
https://docs.redhat.com/en/documentation/Red_Hat_Enterprise_Linux/9/html/installing_trust_between_idm_and_ad/configuring-dns-and-realm-settings-for-a-trust_installing-trust-between-idm-and-ad

HTH,
flo

On Mon, Jul 29, 2024 at 10:08 PM Rob Crittenden via FreeIPA-users <[email protected]> wrote:

> If you don't have DNS configured then this is not a dnssec issue.
> Creating this file is a no-op without bind configured. Which is fine. It
> just means it isn't dnssec-related.
>
> rob
>
> Johnnie W Adams via FreeIPA-users wrote:
> > I'm on RHEL 9 and have no /etc/named.conf file. I have tried
> > creating one, both in /etc and in /etc/named, with the suggested dnssec
> > configuration, but that got me no further.
> >
> > On Fri, Jul 19, 2024 at 2:36 PM Rob Crittenden <[email protected]> wrote:
> >
> >     Johnnie W Adams wrote:
> >     > So I adjusted my command line to point at the entire forest and not a
> >     > single domain controller, and got both a trust and a much more
> >     > interesting error:
> >     >
> >     > ipa: INFO: Response: {
> >     >     "error": {
> >     >         "code": 906,
> >     >         "data": {
> >     >             "error": "Fetching domains from trusted forest failed. See details in the error_log",
> >     >             "server": "rhidm1.net.example.com"
> >     >         },
> >     >         "message": "error on server 'rhidm1.net.example.com': Fetching domains from trusted forest failed. See details in the error_log",
> >     >         "name": "ServerCommandError"
> >     >     },
> >     >     "id": 0,
> >     >     "principal": "[email protected]",
> >     >     "result": null,
> >     >     "version": "4.11.0"
> >     > }
> >     >
> >     > ipa: ERROR: error on server 'rhidm1.net.example.com': Fetching domains from trusted forest failed. See details in the error_log
> >     >
> >     > From the error_log:
> >     >
> >     > [Fri Jul 19 12:31:51.363222 2024] [wsgi:error] [pid 522388:tid 522652] [remote <ip address>:39124] ipa: ERROR: Helper fetch_domains was called for forest ad.test.example.com, return code is 1
> >     >
> >     > [Fri Jul 19 12:31:51.363750 2024] [wsgi:error] [pid 522388:tid 522652] [remote <ip address>:39124] ipa: ERROR: Standard output from the helper:
> >     >
> >     > <snip>
> >     >
> >     > [Fri Jul 19 12:31:51.364596 2024] [wsgi:error] [pid 522388:tid 522652] [remote <ip address>:39124] ipa: ERROR: environment: environ({'LANG': 'en_US.UTF-8', 'PATH': '/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin', 'PIDFILE': '/run/oddjobd.pid', 'INVOCATION_ID': '002ac795667b4ab983ffa100b2f47dd8', 'JOURNAL_STREAM': '8:36642766', 'SYSTEMD_EXEC_PID': '487987', 'LC_ALL': 'C.UTF-8', 'ODDJOB_SERVICE_NAME': 'com.redhat.idm.trust', 'ODDJOB_OBJECT_PATH': '/', 'ODDJOB_INTERFACE_NAME': 'com.redhat.idm.trust', 'ODDJOB_METHOD_NAME': 'fetch_domains', 'ODDJOB_CALLING_USER': 'ipaapi', 'KRB5_CONFIG': '/etc/krb5.conf', 'KRB5CCNAME': '/run/ipa/krb5cc_oddjob_trusts_fetch'})
> >     >
> >     > What am I looking at? What am I missing?
> >     >
> >
> >     Is DNSSEC enabled? See https://access.redhat.com/solutions/2263991
> >
> >     rob
> >
> >
> >
> > --
> > John Adams
> > Senior Linux/Middleware Administrator  | Information Technology Services
> > +1-501-916-3010 | [email protected] |
> > http://ualr.edu/itservices
> > *UA Little Rock*
>
> --
> _______________________________________________
> FreeIPA-users mailing list -- [email protected]
> To unsubscribe send an email to [email protected]
> Fedora Code of Conduct:
> https://docs.fedoraproject.org/en-US/project/code-of-conduct/
> List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
> List Archives:
> https://lists.fedorahosted.org/archives/list/[email protected]
> Do not reply to spam, report it:
> https://pagure.io/fedora-infrastructure/new_issue
>
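
The domain-versus-server question raised in the reply at the top of this thread can be answered from DNS before running `ipa trust-add`. The script below is an added example, not part of the thread or of FreeIPA; it assumes `dig` (bind-utils) is installed, and the function names are hypothetical.

```shell
#!/bin/sh
# Added example: does NAME look like an AD domain (it has DC locator SRV
# records) or only like a single host (it has just an address record)?

# dns_query TYPE NAME -> answers, one per line; empty when there are none.
# Kept as a wrapper so the lookup can be swapped out; dig's ";;" diagnostics
# are dropped so a timeout is not mistaken for an answer.
dns_query() {
    dig +short -t "$1" "$2" 2>/dev/null | grep -v '^;' || true
}

# classify_trust_target NAME -> prints "domain", "host" or "unresolved".
classify_trust_target() {
    name=${1%.}    # tolerate a trailing dot
    # AD domain controllers register these records under the domain name.
    ldap_srv=$(dns_query SRV "_ldap._tcp.dc._msdcs.$name")
    krb_srv=$(dns_query SRV "_kerberos._tcp.$name")
    if [ -n "$ldap_srv" ] && [ -n "$krb_srv" ]; then
        echo domain
    elif [ -n "$(dns_query A "$name")" ]; then
        echo host
    else
        echo unresolved
    fi
}

# suggest_domain NAME -> prints the parent zone of NAME when that parent
# classifies as a domain (the usual fix when a DC's host name was passed).
suggest_domain() {
    parent=${1#*.}
    if [ "$parent" != "$1" ] && [ "$(classify_trust_target "$parent")" = domain ]; then
        echo "$parent"
    fi
}

# Runs only when a name is given, e.g.: sh check.sh adtest1.ad.test.example.com
if [ -n "${1:-}" ]; then
    echo "$1: $(classify_trust_target "$1")"
    alt=$(suggest_domain "$1")
    [ -z "$alt" ] || echo "parent zone $alt has DC locator records; try: ipa trust-add --type=ad $alt"
fi
```

Run it on the IdM server so the answers come from the same resolver the trust code uses.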