On 03/15/2013 09:52 AM, Sumit Bose wrote:
> On Fri, Mar 15, 2013 at 09:38:04AM +0000, Dale Macartney wrote:
>>
> Morning all
>
> I have setup the domain trust set up and have errors when trying to map
> groups from AD to IPA
>
> Environment is IPA 3.0 on RHEL 6.4 and Windows 2012
>
> When adding groups, I get the following.
>
> [root@ds01 ~]# ipa group-add --desc='Active Directory Domain Admins external map' domain_admins_map --external
> [root@ds01 ~]# ipa group-add-member domain_admins_map --external 'NT\Domain Admins'
> [member user]:
> [member group]:
> ipa: ERROR: cannot connect to u'https://ds01.example.com/ipa/session/xml': Internal Server Error
> [root@ds01 ~]#
>
> When the above error occurs I see the following in /var/log/httpd/error_log
>
> ==> /var/log/httpd/error_log <==
> [Fri Mar 15 09:35:15 2013] [error] ipa: ERROR: release_ipa_ccache: ccache_name (FILE:/var/run/ipa_memcached/krbcc_5374) != KRB5CCNAME environment variable (/var/run/ipa_memcached/krbcc_TDN)
> [Fri Mar 15 09:35:15 2013] [error] [client 10.0.1.11] mod_wsgi (pid=5374): Exception occurred processing WSGI script '/usr/share/ipa/wsgi.py'.
> [Fri Mar 15 09:35:15 2013] [error] [client 10.0.1.11] Traceback (most recent call last):
> [Fri Mar 15 09:35:15 2013] [error] [client 10.0.1.11] File "/usr/share/ipa/wsgi.py", line 49, in application
> [Fri Mar 15 09:35:15 2013] [error] [client 10.0.1.11] return api.Backend.wsgi_dispatch(environ, start_response)
> [Fri Mar 15 09:35:15 2013] [error] [client 10.0.1.11] File "/usr/lib/python2.6/site-packages/ipaserver/rpcserver.py", line 248, in __call__
> [Fri Mar 15 09:35:15 2013] [error] [client 10.0.1.11] return self.route(environ, start_response)
> [Fri Mar 15 09:35:15 2013] [error] [client 10.0.1.11] File "/usr/lib/python2.6/site-packages/ipaserver/rpcserver.py", line 260, in route
> [Fri Mar 15 09:35:15 2013] [error] [client 10.0.1.11] return app(environ, start_response)
> [Fri Mar 15 09:35:15 2013] [error] [client 10.0.1.11] File "/usr/lib/python2.6/site-packages/ipaserver/rpcserver.py", line 1193, in __call__
> [Fri Mar 15 09:35:15 2013] [error] [client 10.0.1.11] response = super(xmlserver_session, self).__call__(environ, start_response)
> [Fri Mar 15 09:35:15 2013] [error] [client 10.0.1.11] File "/usr/lib/python2.6/site-packages/ipaserver/rpcserver.py", line 709, in __call__
> [Fri Mar 15 09:35:15 2013] [error] [client 10.0.1.11] response = super(xmlserver, self).__call__(environ, start_response)
> [Fri Mar 15 09:35:15 2013] [error] [client 10.0.1.11] File "/usr/lib/python2.6/site-packages/ipaserver/rpcserver.py", line 375, in __call__
> [Fri Mar 15 09:35:15 2013] [error] [client 10.0.1.11] response = self.wsgi_execute(environ)
> [Fri Mar 15 09:35:15 2013] [error] [client 10.0.1.11] File "/usr/lib/python2.6/site-packages/ipaserver/rpcserver.py", line 334, in wsgi_execute
> [Fri Mar 15 09:35:15 2013] [error] [client 10.0.1.11] result = self.Command[name](*args, **options)
> [Fri Mar 15 09:35:15 2013] [error] [client 10.0.1.11] File "/usr/lib/python2.6/site-packages/ipalib/frontend.py", line 435, in __call__
> [Fri Mar 15 09:35:15 2013] [error] [client 10.0.1.11] ret = self.run(*args, **options)
> [Fri Mar 15 09:35:15 2013] [error] [client 10.0.1.11] File "/usr/lib/python2.6/site-packages/ipalib/frontend.py", line 747, in run
> [Fri Mar 15 09:35:15 2013] [error] [client 10.0.1.11] return self.execute(*args, **options)
> [Fri Mar 15 09:35:15 2013] [error] [client 10.0.1.11] File "/usr/lib/python2.6/site-packages/ipalib/plugins/baseldap.py", line 1590, in execute
> [Fri Mar 15 09:35:15 2013] [error] [client 10.0.1.11] **options)
> [Fri Mar 15 09:35:15 2013] [error] [client 10.0.1.11] File "/usr/lib/python2.6/site-packages/ipalib/plugins/group.py", line 387, in post_callback
> [Fri Mar 15 09:35:15 2013] [error] [client 10.0.1.11] actual_sid = domain_validator.get_sid_trusted_domain_object(sid)
> [Fri Mar 15 09:35:15 2013] [error] [client 10.0.1.11] File "/usr/lib/python2.6/site-packages/ipaserver/dcerpc.py", line 212, in get_sid_trusted_domain_object
> [Fri Mar 15 09:35:15 2013] [error] [client 10.0.1.11] entry = self.resolve_against_gc(domain, components['name'])
> [Fri Mar 15 09:35:15 2013] [error] [client 10.0.1.11] File "/usr/lib/python2.6/site-packages/ipaserver/dcerpc.py", line 285, in resolve_against_gc
> [Fri Mar 15 09:35:15 2013] [error] [client 10.0.1.11] entry = self.__resolve_against_gc(info, host, port, name)
> [Fri Mar 15 09:35:15 2013] [error] [client 10.0.1.11] File "/usr/lib/python2.6/site-packages/ipaserver/dcerpc.py", line 315, in __resolve_against_gc
> [Fri Mar 15 09:35:15 2013] [error] [client 10.0.1.11] conn.sasl_interactive_bind_s(None, sasl_auth)
> [Fri Mar 15 09:35:15 2013] [error] [client 10.0.1.11] File "/usr/lib/python2.6/site-packages/ipaserver/plugins/ldap2.py", line 566, in sasl_interactive_bind_s
> [Fri Mar 15 09:35:15 2013] [error] [client 10.0.1.11] return self.conn.sasl_interactive_bind_s(who, auth, serverctrls, clientctrls, sasl_flags)
> [Fri Mar 15 09:35:15 2013] [error] [client 10.0.1.11] File "/usr/lib64/python2.6/site-packages/ldap/ldapobject.py", line 227, in sasl_interactive_bind_s
> [Fri Mar 15 09:35:15 2013] [error] [client 10.0.1.11] return self._ldap_call(self._l.sasl_interactive_bind_s,who,auth,EncodeControlTuples(serverctrls),EncodeControlTuples(clientctrls),sasl_flags)
> [Fri Mar 15 09:35:15 2013] [error] [client 10.0.1.11] File "/usr/lib64/python2.6/site-packages/ldap/ldapobject.py", line 96, in _ldap_call
> [Fri Mar 15 09:35:15 2013] [error] [client 10.0.1.11] result = func(*args,**kwargs)
> [Fri Mar 15 09:35:15 2013] [error] [client 10.0.1.11] LOCAL_ERROR: {'info': 'SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure. Minor code may provide more information (Server ldap/dc01.nt.example....@example.com not found in Kerberos database)', 'desc': 'Local error'}
>
> > Looks like your AD domain is DNS-wise a subdomain of the FreeIPA domain
> > example.dom. Please try to add something like
>
> > .nt.example.com = NT.EXAMPLE.COM
> > nt.example.com = NT.EXAMPLE.COM
>
> > to the [domain_realm] section in /etc/krb5.conf. SSSD should have
> > created an include file with this information, but due to some errors it
> > is not read in the 6.4 version.
>
> > HTH
>
> > bye,
> > Sumit

No joy unfortunately mate. I tried adding it to both the ipa server and
the member server but still no change. Logs are still appearing as before.

Dale

>
> Just to clarify, iptables has been flushed and selinux is currently
> permissive. Running latest patches from RHN as of 2013/03/14
>
> Any thoughts?
>
> Dale
>
>>
>> _______________________________________________
>> Freeipa-users mailing list
>> Freeipa-users@redhat.com
>> https://www.redhat.com/mailman/listinfo/freeipa-users
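
Added example (not part of the thread, and not FreeIPA or MIT krb5 code): a small Python model of how a Kerberos client chooses the realm for a service host from [domain_realm], showing which realm an ldap/ ticket request would name before and after the two entries suggested above. The krb5.conf text, the host name dc01.nt.example.com and all function names are constructed for illustration; the lookup order (host name, then each parent domain with and without the leading dot) is a simplified model of MIT krb5's behaviour.

```python
# Added example: simplified model of [domain_realm] host-to-realm lookup.
# The krb5.conf text and host names below are constructed samples.
import re

BEFORE = """\
[libdefaults]
 default_realm = EXAMPLE.COM

[domain_realm]
 .example.com = EXAMPLE.COM
 example.com = EXAMPLE.COM
"""
# The two entries suggested in the thread, appended to [domain_realm].
AFTER = BEFORE + " .nt.example.com = NT.EXAMPLE.COM\n nt.example.com = NT.EXAMPLE.COM\n"

def parse_domain_realm(conf_text):
    """Return the [domain_realm] section as {lowercase key: realm}."""
    mapping, section = {}, None
    for raw in conf_text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        header = re.match(r"\[(\w+)\]$", line)
        if header:
            section = header.group(1)
        elif section == "domain_realm" and "=" in line:
            key, realm = (part.strip() for part in line.split("=", 1))
            mapping[key.lower()] = realm
    return mapping

def lookup_keys(host):
    """Yield the keys tried in order: host, .parent, parent, .grandparent, ..."""
    key = host.lower().rstrip(".")
    while key:
        yield key
        if key.startswith("."):
            key = key[1:]
        else:
            dot = key.find(".")
            key = key[dot:] if dot != -1 else ""

def service_principal(service, host, conf_text):
    """Return (principal, matched key), or (None, None) if nothing maps."""
    mapping = parse_domain_realm(conf_text)
    for key in lookup_keys(host):
        if key in mapping:
            return "%s/%s@%s" % (service, host, mapping[key]), key
    return None, None

if __name__ == "__main__":
    for label, conf in (("before", BEFORE), ("after", AFTER)):
        print(label, service_principal("ldap", "dc01.nt.example.com", conf))
```

With only the parent-domain entries, the AD host falls through to .example.com and the request names the IPA realm; the more specific .nt.example.com key wins once it is present because it is tried earlier.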