Hi, folks,

So I have established a trust according to both IdM and AD, but I'm
getting this when I try the validation step from the documentation:

smbclient -L rhidm1.net.example.com -U <username> --use-kerberos=required
lpcfg_do_global_parameter: WARNING: The "domain logons" option is deprecated
Password for [NET\username]:

        Sharename       Type      Comment
        ---------       ----      -------
        IPC$            IPC       IPC Service (Samba 4.19.4)
SMB1 disabled -- no workgroup available

The samba service is up and running.

Thanks,
John A

On Wed, Jul 31, 2024 at 5:19 AM Florence Blanc-Renaud <[email protected]>
wrote:
> Hi,
>
> The ipa trust-add command expects a domain name, not a server name. Is
> adtest1.ad.test.example.com a server or a domain?
>
> You can check the DNS requirements in this doc:
> https://docs.redhat.com/en/documentation/Red_Hat_Enterprise_Linux/9/html/installing_trust_between_idm_and_ad/configuring-dns-and-realm-settings-for-a-trust_installing-trust-between-idm-and-ad
>
> HTH,
> flo
>
> On Mon, Jul 29, 2024 at 10:08 PM Rob Crittenden via FreeIPA-users <
> [email protected]> wrote:
>
>> If you don't have DNS configured then this is not a dnssec issue.
>> Creating this file is a no-op without bind configured. Which is fine. It
>> just means it isn't dnssec-related.
>>
>> rob
>>
>> Johnnie W Adams via FreeIPA-users wrote:
>> > I'm on RHEL 9 and have no /etc/named.conf file. I have tried
>> > creating one, both in /etc and in /etc/named, with the suggested dnssec
>> > configuration, but that got me no further.
>> >
>> > On Fri, Jul 19, 2024 at 2:36 PM Rob Crittenden <[email protected]> wrote:
>> >
>> > Johnnie W Adams wrote:
>> > > So I adjusted my command line to point at the entire forest and not a
>> > > single domain controller, and got both a trust and a much more
>> > > interesting error:
>> > >
>> > > ipa: INFO: Response: {
>> > >     "error": {
>> > >         "code": 906,
>> > >         "data": {
>> > >             "error": "Fetching domains from trusted forest failed. See details in the error_log",
>> > >             "server": "rhidm1.net.example.com"
>> > >         },
>> > >         "message": "error on server 'rhidm1.net.example.com': Fetching domains from trusted forest failed. See details in the error_log",
>> > >         "name": "ServerCommandError"
>> > >     },
>> > >     "id": 0,
>> > >     "principal": "[email protected]",
>> > >     "result": null,
>> > >     "version": "4.11.0"
>> > > }
>> > >
>> > > ipa: ERROR: error on server 'rhidm1.net.example.com': Fetching domains from trusted forest failed. See details in the error_log
>> > >
>> > >
>> > > From the error_log:
>> > >
>> > >
>> > > [Fri Jul 19 12:31:51.363222 2024] [wsgi:error] [pid 522388:tid 522652] [remote <ip address>:39124] ipa: ERROR: Helper fetch_domains was called for forest ad.test.example.com, return code is 1
>> > >
>> > > [Fri Jul 19 12:31:51.363750 2024] [wsgi:error] [pid 522388:tid 522652] [remote <ip address>:39124] ipa: ERROR: Standard output from the helper:
>> > >
>> > > <snip>
>> > >
>> > > [Fri Jul 19 12:31:51.364596 2024] [wsgi:error] [pid 522388:tid 522652] [remote <ip address>:39124] ipa: ERROR: environment: environ({'LANG': 'en_US.UTF-8', 'PATH': '/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin', 'PIDFILE': '/run/oddjobd.pid', 'INVOCATION_ID': '002ac795667b4ab983ffa100b2f47dd8', 'JOURNAL_STREAM': '8:36642766', 'SYSTEMD_EXEC_PID': '487987', 'LC_ALL': 'C.UTF-8', 'ODDJOB_SERVICE_NAME': 'com.redhat.idm.trust', 'ODDJOB_OBJECT_PATH': '/', 'ODDJOB_INTERFACE_NAME': 'com.redhat.idm.trust', 'ODDJOB_METHOD_NAME': 'fetch_domains', 'ODDJOB_CALLING_USER': 'ipaapi', 'KRB5_CONFIG': '/etc/krb5.conf', 'KRB5CCNAME': '/run/ipa/krb5cc_oddjob_trusts_fetch'})
>> > >
>> > >
>> > > What am I looking at? What am I missing?
>> > >
>> >
>> > Is DNSSEC enabled? See https://access.redhat.com/solutions/2263991
>> >
>> > rob
>> >
>> >
>> >
>> > --
>> > John Adams
>> > Senior Linux/Middleware Administrator | Information Technology Services
>> > +1-501-916-3010 | [email protected] | http://ualr.edu/itservices
>> > *UA Little Rock*
>> >
>> > Reminder: IT Services will never ask for your password over the phone
>> > or in an email. Always be suspicious of requests for personal
>> > information that come via email, even from known contacts. For more
>> > information or to report suspicious email, visit IT Security
>> > <http://ualr.edu/itservices/security/>.
>> >
>> >
>>
>> --
>> _______________________________________________
>> FreeIPA-users mailing list -- [email protected]
>> To unsubscribe send an email to
>> [email protected]
>> Fedora Code of Conduct:
>> https://docs.fedoraproject.org/en-US/project/code-of-conduct/
>> List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
>> List Archives:
>> https://lists.fedorahosted.org/archives/list/[email protected]
>> Do not reply to spam, report it:
>> https://pagure.io/fedora-infrastructure/new_issue
>>
>