Hi

Let me start from the beginning once again. Let me explain you what steps I
followed during the setup.

I am setting up the environment in Amazon AWS, both Windows AD server and
Linux IPA configured in EC2.
For configuring Windows 2008 I selected
Windows_Server-2008-R2_SP1-English-64Bit-Base-2014.04.09 (ami-df8e93b6)
and for configuring IPA server I selected CentOS 6.5 (x86_64) - Release
Media (ami-8997afe0).

I followed the steps from
http://www.freeipa.org/page/Howto/IPAv3_AD_trust_setup and also kept the
domain names
similar as in the example.

IPA server hostname: ipaserver
IPA domain:          ipadomain.example.com
IPA NetBIOS:         IPADOMAIN

AD DC hostname:      adserver
AD domain:           addomain.example.com
AD NetBIOS:          ADDOMAIN


1. Updated the system and install the packages.

# yum update -y
# yum install -y "*ipa-server" "*ipa-server-trust-ad"
samba4-winbind-clients samba4-winbind samba4-client bind bind-dyndb-ldap

List of important packages installed during the update are as follows.

 bind                    x86_64  32:9.8.2-0.23.rc1.el6_5.1
 bind-dyndb-ldap         x86_64  2.3-5.el6

 ipa-server              x86_64  3.0.0-37.el6
 ipa-server-trust-ad     x86_64  3.0.0-37.el6
 ipa-admintools          x86_64  3.0.0-37.el6
 ipa-client              x86_64  3.0.0-37.el6
 ipa-pki-ca-theme        noarch  9.0.3-7.el6
 ipa-pki-common-theme    noarch  9.0.3-7.el6
 ipa-python              x86_64  3.0.0-37.el6
 ipa-server-selinux      x86_64  3.0.0-37.el6

 samba4-client           x86_64  4.0.0-61.el6_5.rc4
 samba4-winbind          x86_64  4.0.0-61.el6_5.rc4
 samba4-winbind-clients  x86_64  4.0.0-61.el6_5.rc4
 samba4                  x86_64  4.0.0-61.el6_5.rc4
 samba4-common           x86_64  4.0.0-61.el6_5.rc4
 samba4-libs             x86_64  4.0.0-61.el6_5.rc4
 samba4-python           x86_64  4.0.0-61.el6_5.rc4

 389-ds-base             x86_64  1.2.11.15-32.el6_5
 389-ds-base-libs        x86_64  1.2.11.15-32.el6_5

 certmonger              x86_64  0.61-3.el6

 krb5-server             x86_64  1.10.3-15.el6_5.1
 krb5-workstation        x86_64  1.10.3-15.el6_5.1

 sssd                    x86_64  1.9.2-129.el6_5.4
 sssd-client             x86_64  1.9.2-129.el6_5.4



2. System details

[root@ipaserver ~]# hostname
ipaserver.ipadomain.example.com

[root@ipaserver ~]# cat /etc/issue
CentOS release 6.5 (Final)
Kernel \r on an \m

[root@ipaserver ~]# uname -a
Linux ipaserver.ipadomain.example.com 2.6.32-431.17.1.el6.x86_64 #1 SMP Wed
May 7 23:32:49 UTC 2014 x86_64 x86_64 x86_64 GNU/Linux

[root@ipaserver ~]# cat /etc/hosts
127.0.0.1 localhost.localdomain localhost
::1 localhost6.localdomain6 localhost6
10.21.0.121 ipaserver.ipadomain.example.com ipaserver


3. Install IPA server

[root@ipaserver ~]# ipa-server-install --domain=ipadomain.example.com--realm=
IPADOMAIN.EXAMPLE.COM --setup-dns --no-forwarders

The IPA Master Server will be configured with:
Hostname:      ipaserver.ipadomain.example.com
IP address:    10.21.0.121
Domain name:   ipadomain.example.com
Realm name:    IPADOMAIN.EXAMPLE.COM

BIND DNS server will be configured to serve IPA domain with:
Forwarders:    No forwarders
Reverse zone:  0.21.10.in-addr.arpa.

...
...

The install was successful and no errors during the installation.

4. Login as admin and verify IPA users are available to the system service

[root@ipaserver ~]# kinit admin
Password for ad...@ipadomain.example.com:

[root@ipaserver ~]# id admin
uid=189600000(admin) gid=189600000(admins) groups=189600000(admins)

[root@ipaserver ~]# getent passwd admin
admin:*:189600000:189600000:Administrator:/home/admin:/bin/bash

5. Configure IPA server for cross-realm trust.

[root@ipaserver ~]# ipa-adtrust-install --netbios-name=IPADOMAIN

The log file for this installation can be found in
/var/log/ipaserver-install.log
==============================================================================
This program will setup components needed to establish trust to AD domains
for
the FreeIPA Server.

This includes:
  * Configure Samba
  * Add trust related objects to FreeIPA LDAP server

...
...

All completed successfully.

6. I disabled the firewalls and also during the boot up.

[root@ipaserver ~]# chkconfig --list iptables
iptables       0:off 1:off 2:off 3:off 4:off 5:off 6:off

7. DNS configuration

On windows:

C:\Windows\system32>dnscmd 127.0.0.1 /ZoneAdd
ipadomain.example.com/Forwarder 10.21.0.121
DNS Server 127.0.0.1 created zone ipadomain.example.com:

Command completed successfully.

On Linux:

[root@ipaserver ~]# ipa dnszone-add addomain.example.com --name-server=
adserver.addomain.example.com --admin-email='hostmas...@addomain.example.com'
--force --forwarder=10.21.0.231 --forward-policy=only
--ip-address=10.21.0.231
  Zone name: addomain.example.com
  Authoritative nameserver: adserver.addomain.example.com
  Administrator e-mail address: hostmaster.addomain.example.com.
  SOA serial: 1400486308
  SOA refresh: 3600
  SOA retry: 900
  SOA expire: 1209600
  SOA minimum: 3600
  BIND update policy: grant IPADOMAIN.EXAMPLE.COM krb5-self * A; grant
IPADOMAIN.EXAMPLE.COM krb5-self * AAAA; grant
IPADOMAIN.EXAMPLE.COMkrb5-self * SSHFP;
  Active zone: TRUE
  Dynamic update: FALSE
  Allow query: any;
  Allow transfer: none;
  Zone forwarders: 10.21.0.231
  Forward policy: only


Verify DNS configuration:

In Windows AD:-

C:\Windows\system32>nslookup
Default Server:  localhost
Address:  127.0.0.1

> set type=SRV
> _ldap._tcp.addomain.example.com
Server:  localhost
Address:  127.0.0.1

_ldap._tcp.addomain.example.com SRV service location:
          priority       = 0
          weight         = 100
          port           = 389
          svr hostname   = adserver.addomain.example.com
adserver.addomain.example.com   internet address = 10.21.0.231
> _ldap._tcp.ipadomain.example.com
Server:  localhost
Address:  127.0.0.1

Non-authoritative answer:
_ldap._tcp.ipadomain.example.com        SRV service location:
          priority       = 0
          weight         = 100
          port           = 389
          svr hostname   = ipaserver.ipadomain.example.com

ipaserver.ipadomain.example.com internet address = 10.21.0.121
> quit

In Linux IPA:-

[root@ipaserver ~]# dig SRV _ldap._tcp.addomain.example.com

; <<>> DiG 9.8.2rc1-RedHat-9.8.2-0.23.rc1.el6_5.1 <<>> SRV _ldap._
tcp.addomain.example.com
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 40705
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

;; QUESTION SECTION:
;_ldap._tcp.addomain.example.com. IN SRV

;; ANSWER SECTION:
_ldap._tcp.addomain.example.com. 588 IN SRV 0 100 389
adserver.addomain.example.com.

;; ADDITIONAL SECTION:
adserver.addomain.example.com. 3588 IN A 10.21.0.231

;; Query time: 0 msec
;; SERVER: 10.21.0.121#53(10.21.0.121)
;; WHEN: Mon May 19 08:02:20 2014
;; MSG SIZE  rcvd: 114


[root@ipaserver ~]# dig SRV _ldap._tcp.ipadomain.example.com

; <<>> DiG 9.8.2rc1-RedHat-9.8.2-0.23.rc1.el6_5.1 <<>> SRV _ldap._
tcp.ipadomain.example.com
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 63334
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 1

;; QUESTION SECTION:
;_ldap._tcp.ipadomain.example.com. IN SRV

;; ANSWER SECTION:
_ldap._tcp.ipadomain.example.com. 86400 IN SRV 0 100 389
ipaserver.ipadomain.example.com.

;; AUTHORITY SECTION:
ipadomain.example.com. 86400 IN NS ipaserver.ipadomain.example.com.

;; ADDITIONAL SECTION:
ipaserver.ipadomain.example.com. 1200 IN A 10.21.0.121

;; Query time: 1 msec
;; SERVER: 10.21.0.121#53(10.21.0.121)
;; WHEN: Mon May 19 08:02:44 2014
;; MSG SIZE  rcvd: 131


8. Add trust with AD domain

[root@ipaserver ~]# ipa trust-add --type=ad addomain.example.com --admin
Administrator --password
Active directory domain administrator's password:
-------------------------------------------------------------
Added Active Directory trust for realm "addomain.example.com"
-------------------------------------------------------------
  Realm name: addomain.example.com
  Domain NetBIOS name: ADDOMAIN
  Domain Security Identifier: S-1-5-21-2212595442-2951398754-4232868618
  Trust direction: Two-way trust
  Trust type: Active Directory domain
  Trust status: Established and verified

9. Updated kerberos configuration.

[root@ipaserver ~]# cat /etc/krb5.conf
includedir /var/lib/sss/pubconf/krb5.include.d/

[logging]
 default = FILE:/var/log/krb5libs.log
 kdc = FILE:/var/log/krb5kdc.log
 admin_server = FILE:/var/log/kadmind.log

[libdefaults]
 default_realm = IPADOMAIN.EXAMPLE.COM
 dns_lookup_realm = false
 dns_lookup_kdc = true
 rdns = false
 ticket_lifetime = 24h
 forwardable = yes

[realms]
 IPADOMAIN.EXAMPLE.COM = {
  kdc = ipaserver.ipadomain.example.com:88
  master_kdc = ipaserver.ipadomain.example.com:88
  admin_server = ipaserver.ipadomain.example.com:749
  default_domain = ipadomain.example.com
  pkinit_anchors = FILE:/etc/ipa/ca.crt
  auth_to_local = RULE:[1:$1@$0](^.*@ADDOMAIN.EXAMPLE.COM$)s/@
ADDOMAIN.EXAMPLE.COM/@addomain.example.com/
  auth_to_local = DEFAULT
}

[domain_realm]
 .ipadomain.example.com = IPADOMAIN.EXAMPLE.COM
 ipadomain.example.com = IPADOMAIN.EXAMPLE.COM

[dbmodules]
  IPADOMAIN.EXAMPLE.COM = {
    db_library = ipadb.so
  }


10. Allow AD users to access resources in IPA domain

[root@ipaserver ~]# ipa group-add --desc='addomain.example.com admins
external map' ad_admins_external --external
--------------------------------
Added group "ad_admins_external"
--------------------------------
  Group name: ad_admins_external
  Description: addomain.example.com admins external map
[root@ipaserver ~]# ipa group-add --desc='addomain.example.com admins'
ad_admins
-----------------------
Added group "ad_admins"
-----------------------
  Group name: ad_admins
  Description: addomain.example.com admins
  GID: 189600004
[root@ipaserver ~]# ipa group-add-member ad_admins_external --external
'ADDOMAIN\Domain Admins'
[member user]:
[member group]:
  Group name: ad_admins_external
  Description: addomain.example.com admins external map
  External member: S-1-5-21-2212595442-2951398754-4232868618-512
-------------------------
Number of members added 1
-------------------------
[root@ipaserver ~]# ipa group-add-member ad_admins --groups
ad_admins_external
  Group name: ad_admins
  Description: addomain.example.com admins
  GID: 189600004
  Member groups: ad_admins_external
-------------------------
Number of members added 1
-------------------------


11. Verifying trust

[root@ipaserver ~]# wbinfo -n 'ADDOMAIN\Domain Admins'
failed to call wbcLookupName: WBC_ERR_DOMAIN_NOT_FOUND
Could not lookup name ADDOMAIN\Domain Admins

[root@ipaserver ~]# wbinfo -u

[root@ipaserver ~]# ipa trust-find
---------------
1 trust matched
---------------
  Realm name: addomain.example.com
  Domain NetBIOS name: ADDOMAIN
  Domain Security Identifier: S-1-5-21-2212595442-2951398754-4232868618
  Trust type: Active Directory domain
----------------------------
Number of entries returned 1
----------------------------

[root@ipaserver ~]# ipa trust-show
Realm name: ADDOMAIN.EXAMPLE.COM
  Realm name: addomain.example.com
  Domain NetBIOS name: ADDOMAIN
  Domain Security Identifier: S-1-5-21-2212595442-2951398754-4232868618
  Trust direction: Two-way trust
  Trust type: Active Directory domain



Please note the error message while verifying trust. I am stuck completely
and not having any clue as why the setup is not working as expected.

Any help in fixing this problem would be appreciated.




On Fri, May 16, 2014 at 7:26 PM, Supratik Goswami
<supratiksek...@gmail.com>wrote:

> The IP 10.255.0.4 belongs to the Windows 2008 R2 system running AD DC.
> I disabled the firewall but still the problem is there :-(
>
>
> On Fri, May 16, 2014 at 7:14 PM, Sumit Bose <sb...@redhat.com> wrote:
>
>> On Fri, May 16, 2014 at 04:29:33PM +0530, Supratik Goswami wrote:
>> > Yes DNS is working fine and is able to return the IP address of the AD
>> > server.
>> >
>> > [root@master samba]# dig SRV _ldap._tcp.ad.idm.example.com
>> >
>> > ; <<>> DiG 9.8.2rc1-RedHat-9.8.2-0.23.rc1.el6_5.1 <<>> SRV _ldap._
>> > tcp.ad.idm.example.com
>> > ;; global options: +cmd
>> >  ;; Got answer:
>> > ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 29147
>> > ;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1
>> >
>> > ;; QUESTION SECTION:
>> > ;_ldap._tcp.ad.idm.example.com. IN SRV
>> >
>> > ;; ANSWER SECTION:
>> > _ldap._tcp.ad.idm.example.com. 600 IN SRV 0 100 389
>> > master.ad.idm.example.com.
>> >
>> > ;; ADDITIONAL SECTION:
>> > master.ad.idm.example.com. 3600 IN A 10.255.0.4
>> >
>> > ;; Query time: 1 msec
>> > ;; SERVER: 10.255.0.4#53(10.255.0.4)
>> > ;; WHEN: Fri May 16 10:46:23 2014
>> > ;; MSG SIZE  rcvd: 106
>> >
>> >
>> >
>> > In my case AD is the netbios name of the AD domain. Please find the log
>> > message from the file log.wb-AD.
>> >
>> >
>>
>> ...
>>
>> > [2014/05/16 10:50:37.542420,  5, pid=3305, effective(0, 0), real(0, 0)]
>> > [2014/05/16 10:50:44.451669,  3, pid=3305, effective(0, 0), real(0, 0)]
>> > ../source3/lib/util_sock.c:585(open_socket_out_send)
>> >   Connecting to 10.255.0.4 at port 445
>> > [2014/05/16 10:50:44.452793,  3, pid=3305, effective(0, 0), real(0, 0)]
>> > ../source3/libsmb/clidgram.c:333(nbt_getdc_send)
>> >   No nmbd found
>> > [2014/05/16 10:50:44.452930, 10, pid=3305, effective(0, 0), real(0, 0)]
>> > ../source3/libsmb/namequery.c:916(name_status_find)
>> >   name_status_find: looking up AD#1c at 10.255.0.4
>> > [2014/05/16 10:50:44.453044,  5, pid=3305, effective(0, 0), real(0, 0)]
>> > ../source3/libsmb/namecache.c:299(namecache_status_fetch)
>> >   namecache_status_fetch: no entry for NBT/AD#1C.20.10.255.0.4 found.
>> > [2014/05/16 10:50:44.453279, 10, pid=3305, effective(0, 0), real(0, 0)]
>> > ../source3/lib/util_sock.c:499(open_socket_in)
>> >   bind succeeded on port 0
>> > [2014/05/16 10:50:44.453449, 10, pid=3305, effective(0, 0), real(0, 0)]
>> > ../source3/libsmb/unexpected.c:546(nb_packet_reader_connected)
>> >   async_connect failed: No such file or directory
>> > [2014/05/16 10:50:44.453564, 10, pid=3305, effective(0, 0), real(0, 0)]
>> > ../source3/libsmb/namequery.c:600(nb_trans_got_reader)
>> >   nmbd not around
>> > [2014/05/16 10:50:45.454766, 10, pid=3305, effective(0, 0), real(0, 0)]
>> > ../source3/lib/events.c:216(run_events_poll)
>> >   Running timed event "tevent_req_timedout" 0x1750470
>> > [2014/05/16 10:50:46.456103, 10, pid=3305, effective(0, 0), real(0, 0)]
>> > ../source3/lib/events.c:216(run_events_poll)
>> >   Running timed event "tevent_req_timedout" 0x1750470
>> > [2014/05/16 10:50:47.457451, 10, pid=3305, effective(0, 0), real(0, 0)]
>> > ../source3/lib/events.c:216(run_events_poll)
>> >   Running timed event "tevent_req_timedout" 0x1750470
>> > [2014/05/16 10:50:48.458773, 10, pid=3305, effective(0, 0), real(0, 0)]
>> > ../source3/lib/events.c:216(run_events_poll)
>> >   Running timed event "tevent_req_timedout" 0x1750470
>> > [2014/05/16 10:50:49.460093, 10, pid=3305, effective(0, 0), real(0, 0)]
>> > ../source3/lib/events.c:216(run_events_poll)
>> >   Running timed event "tevent_req_timedout" 0x1750470
>> > [2014/05/16 10:50:50.461420, 10, pid=3305, effective(0, 0), real(0, 0)]
>> > ../source3/lib/events.c:216(run_events_poll)
>> >   Running timed event "tevent_req_timedout" 0x1750470
>> > [2014/05/16 10:50:51.462723, 10, pid=3305, effective(0, 0), real(0, 0)]
>> > ../source3/lib/events.c:216(run_events_poll)
>> >   Running timed event "tevent_req_timedout" 0x1750470
>> > [2014/05/16 10:50:52.464265, 10, pid=3305, effective(0, 0), real(0, 0)]
>> > ../source3/lib/events.c:216(run_events_poll)
>> >   Running timed event "tevent_req_timedout" 0x1750470
>> > [2014/05/16 10:50:53.465546, 10, pid=3305, effective(0, 0), real(0, 0)]
>> > ../source3/lib/events.c:216(run_events_poll)
>> >   Running timed event "tevent_req_timedout" 0x1750470
>> > [2014/05/16 10:50:54.455168, 10, pid=3305, effective(0, 0), real(0, 0)]
>> > ../source3/lib/events.c:216(run_events_poll)
>> >   Running timed event "tevent_req_timedout" 0x1750590
>> > [2014/05/16 10:50:54.455385, 10, pid=3305, effective(0, 0), real(0, 0)]
>> > ../source3/libsmb/namequery.c:962(name_status_find)
>> >   name_status_find: name not found
>> > [2014/05/16 10:50:54.455497, 10, pid=3305, effective(0, 0), real(0, 0),
>> > class=tdb] ../source3/lib/gencache.c:179(gencache_set_data_blob)
>> >   Adding cache entry with key = NEG_CONN_CACHE/AD,10.255.0.4 and
>> timeout =
>> > Fri May 16 10:51:54 2014
>> >    (60 seconds ahead)
>> > [2014/05/16 10:50:54.455739,  9, pid=3305, effective(0, 0), real(0, 0)]
>> > ../source3/libsmb/conncache.c:189(add_failed_connection_entry)
>> >   add_failed_connection_entry: added domain AD (10.255.0.4) to failed
>> conn
>> > cache
>>
>> > class=tdb] ../source3/lib/gencache.c:246(gencache_del)
>> >   Deleting cache entry (key = SAFJOIN/DOMAIN/AD)
>> > [2014/05/16 10:50:54.455967, 10, pid=3305, effective(0, 0), real(0, 0),
>> > class=tdb] ../source3/lib/gencache.c:246(gencache_del)
>> >   Deleting cache entry (key = SAF/DOMAIN/AD)
>> > [2014/05/16 10:50:54.456078, 10, pid=3305, effective(0, 0), real(0, 0),
>> > class=tdb] ../source3/lib/gencache.c:179(gencache_set_data_blob)
>> >   Adding cache entry with key = NEG_CONN_CACHE/ad.idm.example.com
>> ,10.255.0.4
>> > and timeout = Fri May 16 10:51:54 2014
>> >    (60 seconds ahead)
>> > [2014/05/16 10:50:54.456236,  9, pid=3305, effective(0, 0), real(0, 0)]
>> > ../source3/libsmb/conncache.c:189(add_failed_connection_entry)
>> >   add_failed_connection_entry: added domain ad.idm.example.com(10.255.0.4)
>> > to failed conn cache
>> > [2014/05/16 10:50:54.456330, 10, pid=3305, effective(0, 0), real(0, 0),
>> > class=tdb] ../source3/lib/gencache.c:246(gencache_del)
>>
>> looks like the connection to 10.255.0.4 timed out after 10 seconds. Is
>> there a firewall which might drop the packets?
>>
>> bye,
>> Sumit
>>
>
>
>
> --
> Warm Regards
>
> Supratik
>



-- 
Warm Regards

Supratik
_______________________________________________
Freeipa-users mailing list
Freeipa-users@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users

Reply via email to