Hi,

Let me start from the beginning once again. Let me explain what steps I followed during the setup.

I am setting up the environment in Amazon AWS, both the Windows AD server and the Linux IPA server configured in EC2. For configuring Windows 2008 I selected Windows_Server-2008-R2_SP1-English-64Bit-Base-2014.04.09 (ami-df8e93b6) and for configuring the IPA server I selected CentOS 6.5 (x86_64) - Release Media (ami-8997afe0). I followed the steps from http://www.freeipa.org/page/Howto/IPAv3_AD_trust_setup and also kept the domain names similar to the example.

IPA server hostname: ipaserver
IPA domain: ipadomain.example.com
IPA NetBIOS: IPADOMAIN
AD DC hostname: adserver
AD domain: addomain.example.com
AD NetBIOS: ADDOMAIN

1. Updated the system and installed the packages.

# yum update -y
# yum install -y "*ipa-server" "*ipa-server-trust-ad" samba4-winbind-clients samba4-winbind samba4-client bind bind-dyndb-ldap

The list of important packages installed during the update is as follows.

bind                    x86_64  32:9.8.2-0.23.rc1.el6_5.1
bind-dyndb-ldap         x86_64  2.3-5.el6
ipa-server              x86_64  3.0.0-37.el6
ipa-server-trust-ad     x86_64  3.0.0-37.el6
ipa-admintools          x86_64  3.0.0-37.el6
ipa-client              x86_64  3.0.0-37.el6
ipa-pki-ca-theme        noarch  9.0.3-7.el6
ipa-pki-common-theme    noarch  9.0.3-7.el6
ipa-python              x86_64  3.0.0-37.el6
ipa-server-selinux      x86_64  3.0.0-37.el6
samba4-client           x86_64  4.0.0-61.el6_5.rc4
samba4-winbind          x86_64  4.0.0-61.el6_5.rc4
samba4-winbind-clients  x86_64  4.0.0-61.el6_5.rc4
samba4                  x86_64  4.0.0-61.el6_5.rc4
samba4-common           x86_64  4.0.0-61.el6_5.rc4
samba4-libs             x86_64  4.0.0-61.el6_5.rc4
samba4-python           x86_64  4.0.0-61.el6_5.rc4
389-ds-base             x86_64  1.2.11.15-32.el6_5
389-ds-base-libs        x86_64  1.2.11.15-32.el6_5
certmonger              x86_64  0.61-3.el6
krb5-server             x86_64  1.10.3-15.el6_5.1
krb5-workstation        x86_64  1.10.3-15.el6_5.1
sssd                    x86_64  1.9.2-129.el6_5.4
sssd-client             x86_64  1.9.2-129.el6_5.4

2. System details

[root@ipaserver ~]# hostname
ipaserver.ipadomain.example.com
[root@ipaserver ~]# cat /etc/issue
CentOS release 6.5 (Final)
Kernel \r on an \m

[root@ipaserver ~]# uname -a
Linux ipaserver.ipadomain.example.com 2.6.32-431.17.1.el6.x86_64 #1 SMP Wed May 7 23:32:49 UTC 2014 x86_64 x86_64 x86_64 GNU/Linux
[root@ipaserver ~]# cat /etc/hosts
127.0.0.1   localhost.localdomain localhost
::1         localhost6.localdomain6 localhost6
10.21.0.121 ipaserver.ipadomain.example.com ipaserver

3. Install IPA server

[root@ipaserver ~]# ipa-server-install --domain=ipadomain.example.com --realm=IPADOMAIN.EXAMPLE.COM --setup-dns --no-forwarders

The IPA Master Server will be configured with:
Hostname:      ipaserver.ipadomain.example.com
IP address:    10.21.0.121
Domain name:   ipadomain.example.com
Realm name:    IPADOMAIN.EXAMPLE.COM

BIND DNS server will be configured to serve IPA domain with:
Forwarders:    No forwarders
Reverse zone:  0.21.10.in-addr.arpa.
...
...
The install was successful and there were no errors during the installation.

4. Login as admin and verify IPA users are available to the system service

[root@ipaserver ~]# kinit admin
Password for [email protected]:
[root@ipaserver ~]# id admin
uid=189600000(admin) gid=189600000(admins) groups=189600000(admins)
[root@ipaserver ~]# getent passwd admin
admin:*:189600000:189600000:Administrator:/home/admin:/bin/bash

5. Configure IPA server for cross-realm trust.

[root@ipaserver ~]# ipa-adtrust-install --netbios-name=IPADOMAIN

The log file for this installation can be found in /var/log/ipaserver-install.log
==============================================================================
This program will setup components needed to establish trust to AD domains for
the FreeIPA Server.

This includes:
  * Configure Samba
  * Add trust related objects to FreeIPA LDAP server
...
...
All completed successfully.

6. I disabled the firewalls, and also disabled them at boot up.

[root@ipaserver ~]# chkconfig --list iptables
iptables        0:off   1:off   2:off   3:off   4:off   5:off   6:off

7. DNS configuration

On Windows:

C:\Windows\system32>dnscmd 127.0.0.1 /ZoneAdd ipadomain.example.com /Forwarder 10.21.0.121
DNS Server 127.0.0.1 created zone ipadomain.example.com:
Command completed successfully.

On Linux:

[root@ipaserver ~]# ipa dnszone-add addomain.example.com --name-server=adserver.addomain.example.com --admin-email='[email protected]' --force --forwarder=10.21.0.231 --forward-policy=only --ip-address=10.21.0.231
  Zone name: addomain.example.com
  Authoritative nameserver: adserver.addomain.example.com
  Administrator e-mail address: hostmaster.addomain.example.com.
  SOA serial: 1400486308
  SOA refresh: 3600
  SOA retry: 900
  SOA expire: 1209600
  SOA minimum: 3600
  BIND update policy: grant IPADOMAIN.EXAMPLE.COM krb5-self * A; grant IPADOMAIN.EXAMPLE.COM krb5-self * AAAA; grant IPADOMAIN.EXAMPLE.COM krb5-self * SSHFP;
  Active zone: TRUE
  Dynamic update: FALSE
  Allow query: any;
  Allow transfer: none;
  Zone forwarders: 10.21.0.231
  Forward policy: only

Verify DNS configuration:

In Windows AD:-

C:\Windows\system32>nslookup
Default Server:  localhost
Address:  127.0.0.1

> set type=SRV
> _ldap._tcp.addomain.example.com
Server:  localhost
Address:  127.0.0.1

_ldap._tcp.addomain.example.com SRV service location:
          priority       = 0
          weight         = 100
          port           = 389
          svr hostname   = adserver.addomain.example.com
adserver.addomain.example.com   internet address = 10.21.0.231
> _ldap._tcp.ipadomain.example.com
Server:  localhost
Address:  127.0.0.1

Non-authoritative answer:
_ldap._tcp.ipadomain.example.com SRV service location:
          priority       = 0
          weight         = 100
          port           = 389
          svr hostname   = ipaserver.ipadomain.example.com
ipaserver.ipadomain.example.com internet address = 10.21.0.121
> quit

In Linux IPA:-

[root@ipaserver ~]# dig SRV _ldap._tcp.addomain.example.com

; <<>> DiG 9.8.2rc1-RedHat-9.8.2-0.23.rc1.el6_5.1 <<>> SRV _ldap._tcp.addomain.example.com
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 40705
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

;; QUESTION SECTION:
;_ldap._tcp.addomain.example.com. IN SRV

;; ANSWER SECTION:
_ldap._tcp.addomain.example.com. 588 IN SRV 0 100 389 adserver.addomain.example.com.

;; ADDITIONAL SECTION:
adserver.addomain.example.com. 3588 IN A 10.21.0.231

;; Query time: 0 msec
;; SERVER: 10.21.0.121#53(10.21.0.121)
;; WHEN: Mon May 19 08:02:20 2014
;; MSG SIZE rcvd: 114

[root@ipaserver ~]# dig SRV _ldap._tcp.ipadomain.example.com

; <<>> DiG 9.8.2rc1-RedHat-9.8.2-0.23.rc1.el6_5.1 <<>> SRV _ldap._tcp.ipadomain.example.com
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 63334
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 1

;; QUESTION SECTION:
;_ldap._tcp.ipadomain.example.com. IN SRV

;; ANSWER SECTION:
_ldap._tcp.ipadomain.example.com. 86400 IN SRV 0 100 389 ipaserver.ipadomain.example.com.

;; AUTHORITY SECTION:
ipadomain.example.com. 86400 IN NS ipaserver.ipadomain.example.com.

;; ADDITIONAL SECTION:
ipaserver.ipadomain.example.com. 1200 IN A 10.21.0.121

;; Query time: 1 msec
;; SERVER: 10.21.0.121#53(10.21.0.121)
;; WHEN: Mon May 19 08:02:44 2014
;; MSG SIZE rcvd: 131

8. Add trust with AD domain

[root@ipaserver ~]# ipa trust-add --type=ad addomain.example.com --admin Administrator --password
Active directory domain administrator's password:
-------------------------------------------------------------
Added Active Directory trust for realm "addomain.example.com"
-------------------------------------------------------------
  Realm name: addomain.example.com
  Domain NetBIOS name: ADDOMAIN
  Domain Security Identifier: S-1-5-21-2212595442-2951398754-4232868618
  Trust direction: Two-way trust
  Trust type: Active Directory domain
  Trust status: Established and verified

9. Updated Kerberos configuration.

[root@ipaserver ~]# cat /etc/krb5.conf
includedir /var/lib/sss/pubconf/krb5.include.d/

[logging]
 default = FILE:/var/log/krb5libs.log
 kdc = FILE:/var/log/krb5kdc.log
 admin_server = FILE:/var/log/kadmind.log

[libdefaults]
 default_realm = IPADOMAIN.EXAMPLE.COM
 dns_lookup_realm = false
 dns_lookup_kdc = true
 rdns = false
 ticket_lifetime = 24h
 forwardable = yes

[realms]
 IPADOMAIN.EXAMPLE.COM = {
  kdc = ipaserver.ipadomain.example.com:88
  master_kdc = ipaserver.ipadomain.example.com:88
  admin_server = ipaserver.ipadomain.example.com:749
  default_domain = ipadomain.example.com
  pkinit_anchors = FILE:/etc/ipa/ca.crt
  auth_to_local = RULE:[1:$1@$0](^.*@ADDOMAIN.EXAMPLE.COM$)s/@ADDOMAIN.EXAMPLE.COM/@addomain.example.com/
  auth_to_local = DEFAULT
 }

[domain_realm]
 .ipadomain.example.com = IPADOMAIN.EXAMPLE.COM
 ipadomain.example.com = IPADOMAIN.EXAMPLE.COM

[dbmodules]
  IPADOMAIN.EXAMPLE.COM = {
    db_library = ipadb.so
  }

10. Allow AD users to access resources in IPA domain

[root@ipaserver ~]# ipa group-add --desc='addomain.example.com admins external map' ad_admins_external --external
--------------------------------
Added group "ad_admins_external"
--------------------------------
  Group name: ad_admins_external
  Description: addomain.example.com admins external map

[root@ipaserver ~]# ipa group-add --desc='addomain.example.com admins' ad_admins
-----------------------
Added group "ad_admins"
-----------------------
  Group name: ad_admins
  Description: addomain.example.com admins
  GID: 189600004

[root@ipaserver ~]# ipa group-add-member ad_admins_external --external 'ADDOMAIN\Domain Admins'
[member user]:
[member group]:
  Group name: ad_admins_external
  Description: addomain.example.com admins external map
  External member: S-1-5-21-2212595442-2951398754-4232868618-512
-------------------------
Number of members added 1
-------------------------

[root@ipaserver ~]# ipa group-add-member ad_admins --groups ad_admins_external
  Group name: ad_admins
  Description: addomain.example.com admins
  GID: 189600004
  Member groups: ad_admins_external
-------------------------
Number of members added 1
-------------------------

11. Verifying trust

[root@ipaserver ~]# wbinfo -n 'ADDOMAIN\Domain Admins'
failed to call wbcLookupName: WBC_ERR_DOMAIN_NOT_FOUND
Could not lookup name ADDOMAIN\Domain Admins
[root@ipaserver ~]# wbinfo -u
[root@ipaserver ~]# ipa trust-find
---------------
1 trust matched
---------------
  Realm name: addomain.example.com
  Domain NetBIOS name: ADDOMAIN
  Domain Security Identifier: S-1-5-21-2212595442-2951398754-4232868618
  Trust type: Active Directory domain
----------------------------
Number of entries returned 1
----------------------------
[root@ipaserver ~]# ipa trust-show
Realm name: ADDOMAIN.EXAMPLE.COM
  Realm name: addomain.example.com
  Domain NetBIOS name: ADDOMAIN
  Domain Security Identifier: S-1-5-21-2212595442-2951398754-4232868618
  Trust direction: Two-way trust
  Trust type: Active Directory domain

Please note the error message while verifying the trust. I am stuck completely and do not have any clue as to why the setup is not working as expected. Any help in fixing this problem would be appreciated.

On Fri, May 16, 2014 at 7:26 PM, Supratik Goswami <[email protected]> wrote:

> The IP 10.255.0.4 belongs to the Windows 2008 R2 system running AD DC.
> I disabled the firewall but still the problem is there :-(
>
>
> On Fri, May 16, 2014 at 7:14 PM, Sumit Bose <[email protected]> wrote:
>
>> On Fri, May 16, 2014 at 04:29:33PM +0530, Supratik Goswami wrote:
>> > Yes DNS is working fine and is able to return the IP address of the AD
>> > server.
>> >
>> > [root@master samba]# dig SRV _ldap._tcp.ad.idm.example.com
>> >
>> > ; <<>> DiG 9.8.2rc1-RedHat-9.8.2-0.23.rc1.el6_5.1 <<>> SRV _ldap._tcp.ad.idm.example.com
>> > ;; global options: +cmd
>> > ;; Got answer:
>> > ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 29147
>> > ;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1
>> >
>> > ;; QUESTION SECTION:
>> > ;_ldap._tcp.ad.idm.example.com. IN SRV
>> >
>> > ;; ANSWER SECTION:
>> > _ldap._tcp.ad.idm.example.com. 600 IN SRV 0 100 389 master.ad.idm.example.com.
>> >
>> > ;; ADDITIONAL SECTION:
>> > master.ad.idm.example.com. 3600 IN A 10.255.0.4
>> >
>> > ;; Query time: 1 msec
>> > ;; SERVER: 10.255.0.4#53(10.255.0.4)
>> > ;; WHEN: Fri May 16 10:46:23 2014
>> > ;; MSG SIZE rcvd: 106
>> >
>> >
>> >
>> > In my case AD is the NetBIOS name of the AD domain. Please find the log
>> > message from the file log.wb-AD.
>> >
>> >
>>
>> ...
>>
>> > [2014/05/16 10:50:37.542420, 5, pid=3305, effective(0, 0), real(0, 0)]
>> > [2014/05/16 10:50:44.451669, 3, pid=3305, effective(0, 0), real(0, 0)]
>> >   ../source3/lib/util_sock.c:585(open_socket_out_send)
>> >   Connecting to 10.255.0.4 at port 445
>> > [2014/05/16 10:50:44.452793, 3, pid=3305, effective(0, 0), real(0, 0)]
>> >   ../source3/libsmb/clidgram.c:333(nbt_getdc_send)
>> >   No nmbd found
>> > [2014/05/16 10:50:44.452930, 10, pid=3305, effective(0, 0), real(0, 0)]
>> >   ../source3/libsmb/namequery.c:916(name_status_find)
>> >   name_status_find: looking up AD#1c at 10.255.0.4
>> > [2014/05/16 10:50:44.453044, 5, pid=3305, effective(0, 0), real(0, 0)]
>> >   ../source3/libsmb/namecache.c:299(namecache_status_fetch)
>> >   namecache_status_fetch: no entry for NBT/AD#1C.20.10.255.0.4 found.
>> > [2014/05/16 10:50:44.453279, 10, pid=3305, effective(0, 0), real(0, 0)]
>> >   ../source3/lib/util_sock.c:499(open_socket_in)
>> >   bind succeeded on port 0
>> > [2014/05/16 10:50:44.453449, 10, pid=3305, effective(0, 0), real(0, 0)]
>> >   ../source3/libsmb/unexpected.c:546(nb_packet_reader_connected)
>> >   async_connect failed: No such file or directory
>> > [2014/05/16 10:50:44.453564, 10, pid=3305, effective(0, 0), real(0, 0)]
>> >   ../source3/libsmb/namequery.c:600(nb_trans_got_reader)
>> >   nmbd not around
>> > [2014/05/16 10:50:45.454766, 10, pid=3305, effective(0, 0), real(0, 0)]
>> >   ../source3/lib/events.c:216(run_events_poll)
>> >   Running timed event "tevent_req_timedout" 0x1750470
>> > [2014/05/16 10:50:46.456103, 10, pid=3305, effective(0, 0), real(0, 0)]
>> >   ../source3/lib/events.c:216(run_events_poll)
>> >   Running timed event "tevent_req_timedout" 0x1750470
>> > [2014/05/16 10:50:47.457451, 10, pid=3305, effective(0, 0), real(0, 0)]
>> >   ../source3/lib/events.c:216(run_events_poll)
>> >   Running timed event "tevent_req_timedout" 0x1750470
>> > [2014/05/16 10:50:48.458773, 10, pid=3305, effective(0, 0), real(0, 0)]
>> >   ../source3/lib/events.c:216(run_events_poll)
>> >   Running timed event "tevent_req_timedout" 0x1750470
>> > [2014/05/16 10:50:49.460093, 10, pid=3305, effective(0, 0), real(0, 0)]
>> >   ../source3/lib/events.c:216(run_events_poll)
>> >   Running timed event "tevent_req_timedout" 0x1750470
>> > [2014/05/16 10:50:50.461420, 10, pid=3305, effective(0, 0), real(0, 0)]
>> >   ../source3/lib/events.c:216(run_events_poll)
>> >   Running timed event "tevent_req_timedout" 0x1750470
>> > [2014/05/16 10:50:51.462723, 10, pid=3305, effective(0, 0), real(0, 0)]
>> >   ../source3/lib/events.c:216(run_events_poll)
>> >   Running timed event "tevent_req_timedout" 0x1750470
>> > [2014/05/16 10:50:52.464265, 10, pid=3305, effective(0, 0), real(0, 0)]
>> >   ../source3/lib/events.c:216(run_events_poll)
>> >   Running timed event "tevent_req_timedout" 0x1750470
>> > [2014/05/16 10:50:53.465546, 10, pid=3305, effective(0, 0), real(0, 0)]
>> >   ../source3/lib/events.c:216(run_events_poll)
>> >   Running timed event "tevent_req_timedout" 0x1750470
>> > [2014/05/16 10:50:54.455168, 10, pid=3305, effective(0, 0), real(0, 0)]
>> >   ../source3/lib/events.c:216(run_events_poll)
>> >   Running timed event "tevent_req_timedout" 0x1750590
>> > [2014/05/16 10:50:54.455385, 10, pid=3305, effective(0, 0), real(0, 0)]
>> >   ../source3/libsmb/namequery.c:962(name_status_find)
>> >   name_status_find: name not found
>> > [2014/05/16 10:50:54.455497, 10, pid=3305, effective(0, 0), real(0, 0), class=tdb]
>> >   ../source3/lib/gencache.c:179(gencache_set_data_blob)
>> >   Adding cache entry with key = NEG_CONN_CACHE/AD,10.255.0.4 and timeout = Fri May 16 10:51:54 2014
>> >   (60 seconds ahead)
>> > [2014/05/16 10:50:54.455739, 9, pid=3305, effective(0, 0), real(0, 0)]
>> >   ../source3/libsmb/conncache.c:189(add_failed_connection_entry)
>> >   add_failed_connection_entry: added domain AD (10.255.0.4) to failed conn cache
>> > class=tdb] ../source3/lib/gencache.c:246(gencache_del)
>> >   Deleting cache entry (key = SAFJOIN/DOMAIN/AD)
>> > [2014/05/16 10:50:54.455967, 10, pid=3305, effective(0, 0), real(0, 0), class=tdb]
>> >   ../source3/lib/gencache.c:246(gencache_del)
>> >   Deleting cache entry (key = SAF/DOMAIN/AD)
>> > [2014/05/16 10:50:54.456078, 10, pid=3305, effective(0, 0), real(0, 0), class=tdb]
>> >   ../source3/lib/gencache.c:179(gencache_set_data_blob)
>> >   Adding cache entry with key = NEG_CONN_CACHE/ad.idm.example.com,10.255.0.4 and timeout = Fri May 16 10:51:54 2014
>> >   (60 seconds ahead)
>> > [2014/05/16 10:50:54.456236, 9, pid=3305, effective(0, 0), real(0, 0)]
>> >   ../source3/libsmb/conncache.c:189(add_failed_connection_entry)
>> >   add_failed_connection_entry: added domain ad.idm.example.com (10.255.0.4) to failed conn cache
>> > [2014/05/16 10:50:54.456330, 10, pid=3305, effective(0, 0), real(0, 0), class=tdb]
>> >   ../source3/lib/gencache.c:246(gencache_del)
>>
>> Looks like the connection to 10.255.0.4 timed out after 10 seconds. Is
>> there a firewall which might drop the packets?
>>
>> bye,
>> Sumit
>>
>
>
>
> --
> Warm Regards
>
> Supratik
>

--
Warm Regards

Supratik
_______________________________________________ Freeipa-users mailing list [email protected] https://www.redhat.com/mailman/listinfo/freeipa-users
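The winbind log quoted in the thread shows the connect to the DC on tcp/445 sitting for ten seconds before the domain is put into the negative connection cache, which is exactly what a dropped packet looks like; and a host firewall that is off on the IPA server says nothing about the path, since on EC2 the security group attached to the AD instance is a separate filter. The script below is an added example, not part of the original post or of the FreeIPA howto: run on the IPA server, it locates the AD domain controllers through the DC-locator SRV record and tests a TCP connect to each one on the ports a trust needs (the port list is this example's selection, not an exhaustive one from the docs). It assumes dig (bind-utils) and timeout (coreutils) are installed; the domain name is the poster's example value.

```shell
#!/usr/bin/env bash
# Added example (not from the original post or the FreeIPA howto): from the
# IPA server, find the AD domain controllers through DNS and test TCP
# reachability on the ports an IPA-AD trust needs. The domain name is the
# poster's example; DC names and addresses come from DNS at run time.

# TCP ports winbind and the IPA trust code open toward a DC (this example's
# selection): DNS, Kerberos, RPC endpoint mapper, LDAP, SMB, kpasswd and the
# global catalog. The endpoint mapper (135) also hands out a dynamic high port
# that must be reachable as well, but cannot be listed statically here.
AD_PORTS="53 88 135 389 445 464 3268"

# parse_srv: read `dig +short SRV` lines ("prio weight port target.") on stdin
# and print "target port" pairs with the trailing dot removed. Lines without
# exactly four fields (for example an empty answer) are ignored.
parse_srv() {
    awk 'NF == 4 { sub(/\.$/, "", $4); print $4, $3 }'
}

# tcp_open HOST PORT: succeed if a TCP connect completes within 3 seconds.
# Uses bash's /dev/tcp so no nc or nmap is needed on a minimal EC2 image.
tcp_open() {
    timeout 3 bash -c "exec 3<>/dev/tcp/$1/$2" 2>/dev/null
}

# check_dc HOST: probe every port in AD_PORTS and report each result.
# Returns the number of ports that could not be reached (0 = all reachable).
check_dc() {
    local host=$1 port fails=0
    for port in $AD_PORTS; do
        if tcp_open "$host" "$port"; then
            printf '%-35s tcp/%-5s open\n' "$host" "$port"
        else
            printf '%-35s tcp/%-5s no connect (filtered or closed)\n' "$host" "$port"
            fails=$((fails + 1))
        fi
    done
    return "$fails"
}

# main AD_DOMAIN: resolve the DC locator record and check every DC it names.
# _ldap._tcp.dc._msdcs.<domain> is the record AD clients (and winbind) use to
# find domain controllers. If it comes back empty, the forward zone on the IPA
# side is not delivering AD's records and the trust cannot work at all.
main() {
    local domain=$1 dcs host port bad=0
    dcs=$(dig +short SRV "_ldap._tcp.dc._msdcs.$domain" | parse_srv)
    if [ -z "$dcs" ]; then
        echo "no DC SRV records for $domain from $(awk '/^nameserver/ {print $2; exit}' /etc/resolv.conf)" >&2
        return 2
    fi
    while read -r host port; do
        [ -n "$host" ] || continue
        echo "== DC $host (LDAP advertised on tcp/$port)"
        check_dc "$host" || bad=$((bad + 1))
    done <<EOF
$dcs
EOF
    if [ "$bad" -gt 0 ]; then
        echo "$bad DC(s) had unreachable ports; check the security group / firewall in front of the DC" >&2
        return 1
    fi
    echo "all listed ports reachable; if wbinfo still fails, the problem is not network filtering"
}

# Only run when a domain is given on the command line, e.g.:
#   bash ad-dc-check.sh addomain.example.com
if [ $# -gt 0 ]; then
    main "$1"
fi
```

Run it as root on the IPA server; a "no connect" on 445 reproduces the timeout in the log and points at whatever sits between the two instances, while an all-open result means the problem is elsewhere (Samba configuration, the NetBIOS name, or the trust objects) rather than in the network path.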
