Hi List

I'm following the guide at
http://www.freeipa.org/page/Howto/IPAv3_AD_trust_setup#Assumptions , this
time with Fedora 20.1.

Everything proceeds smoothly until I try to establish trust with the AD
domain controller, at which point IPA crashes:

[root@idm001 ~]# ipa trust-add --type=ad mhatest.local --admin
Administrator --password
Active directory domain administrator's password:
ipa: ERROR: an internal error has occurred
[root@idm001 ~]#

I've attached the exact, step by step process I used to arrive at this
point. Attached also are the debug logs (as per the debugging guidelines).

Many thanks in advance for any insight I could use to understand and fix
this issue! I am also moving on to re/testing the same process on
CentOS 7, CentOS 6.5 to rule out the possibility of subtle variations in
package version bugs (or basically net any that might exist :-p)

1. AD DC Details

- Provides DNS via Windows DNS Server for MHATEST.LOCAL, ENGENEON.LOCAL, 
- Win2K8 R2 Enterprise (VM running on Hyper-V)
- DNS hostname: kwttstaddc001.mhatest.local
- IP Address:

2. IdM Server Details

- Fedora 20.??? (Fedora-Live-Desktop-x86_64-20-1)
- DNS hostname: idm001.engeneon.local
- IP Address:

3. Linux Client machine:

 - ronin.engeneon.local ronin
 - CentOS6.5


- IPA server IP address:
- IPA server hostname: idm001.engeneon.local 
- IPA domain: ipa_domain engeneon.local 
- IPA Kerberos realm, IPA_DOMAIN, is equal to IPA domain: ENGENEON.LOCAL 
- AD DC IP address: ad_ip_address:
- AD DC hostname: ad_hostname: kwttstaddc001.mhatest.local
- AD domain: ad_domain: MHATEST.LOCAL
- AD NetBIOS: ad_netbios: MHATEST 
- AD admins group SID: <fillmein>

4. Windows 2008 R2 AD DC Configuration Settings

Printout summary from the "DCPROMO" configuration wizard:

- Configure this server as the first Active Directory domain controller in a 
new forest.
- The new domain name is "MHATEST.LOCAL". This is also the name of the new 
- The NetBIOS name of the domain is "MHATEST".
- Forest Functional Level: Windows Server 2008 R2
- Domain Functional Level: Windows Server 2008 R2
- Site: Default-First-Site-Name

- Additional Options:
  Read-only domain controller: "No"
  Global catalog: Yes
  DNS Server: Yes

- Create DNS Delegation: No

- Database folder: C:\Windows\NTDS
- Log file folder: C:\Windows\NTDS
- SYSVOL folder: C:\Windows\SYSVOL

- The DNS Server service will be installed on this computer.
- The DNS Server service will be configured on this computer.
- This computer will be configured to use this DNS server as its preferred DNS 
- The password of the new domain Administrator will be the same as the password 
of the local Administrator of this computer.

A second AD integrated zone was created on the AD server for the IPA domain: 

 Type:  Active Directory-Integrated Primary
 Lookup type:   Forward

5. IDM Server Configuration Sequence:

 - Guide #1 (IPA Setup) 
 - Guide #2 (AD setup) 
 - Guide #3 (NOT USED IN THIS SEQUENCE!!): Mark Heslin's guide: "Integrating 
OSE for IdM for RHEL 1.0"

5.1 Installing the IPA server (Fedora 20.x, on VMware ESXI 5.5):

[done] yum update -y

 Setup the local caching name-server:

[DONE] yum install caching-nameserver
[DONE] configure forwarders in /etc/named.conf: forwarders {; /* 
... or the address of your ISP DNS server */ };

 Zone configuration on the IPA server:


 zone "mhatest.local" {
        type stub;
        masters {; };
 };

 zone "engeneon.local" {
        type stub;
        masters {; };
 };


- Testing that the IPA server can use the local caching DNS service to resolve 
the test AD domain:

[root@idm001 ~]# dig +short soa mhatest.local @
kwttstaddc002.mhatest.local. hostmaster.mhatest.local. 23 900 600 86400 3600

[DONE] yum install -y "*ipa-server" "*ipa-server-trust-ad" 
samba4-winbind-clients samba4-winbind samba4-client bind bind-dyndb-ldap

Package freeipa-server-3.3.5-1.fc20.x86_64 already installed and latest version
Package freeipa-server-trust-ad-3.3.5-1.fc20.x86_64 already installed and 
latest version
Package 2:samba-winbind-clients-4.1.9-4.fc20.x86_64 already installed and 
latest version
Package 2:samba-winbind-4.1.9-4.fc20.x86_64 already installed and latest version
Package 2:samba-client-4.1.9-4.fc20.x86_64 already installed and latest version
Package 32:bind-9.9.4-15.P2.fc20.x86_64 already installed and latest version
Package bind-dyndb-ldap-4.3-1.fc20.x86_64 already installed and latest version

[DONE] Configure hostname and /etc/hosts:

[root@idm001 ~]# cat /etc/hosts
               localhost.localdomain localhost
::1            localhost6.localdomain6 localhost6
               idm001.engeneon.local   idm001

[root@idm001 ~]# hostname

[DONE] Install the IPA server:

 ipa-server-install -a Cr4ckM0nk3y -p Cr4ckM0nk3y --domain=engeneon.local 
--realm=ENGENEON.LOCAL --setup-dns --no-forwarders -U

<trimmed for brevity>
  [9/11]: restarting named
  [10/11]: configuring named to start on boot
  [11/11]: changing resolv.conf to point to ourselves
Done configuring DNS (named).

Global DNS configuration in LDAP server is empty
You can use 'dnsconfig-mod' command to set global DNS options that
would override settings in local named.conf files

Restarting the web server
Setup complete

Next steps:
        1. You must make sure these network ports are open:
                TCP Ports:
                  * 80, 443: HTTP/HTTPS
                  * 389, 636: LDAP/LDAPS
                  * 88, 464: kerberos
                  * 53: bind
                UDP Ports:
                  * 88, 464: kerberos
                  * 53: bind
                  * 123: ntp

        2. You can now obtain a kerberos ticket using the command: 'kinit admin'
           This ticket will allow you to use the IPA tools (e.g., ipa user-add)
           and the web user interface.

Be sure to back up the CA certificate stored in /root/cacert.p12
This file is required to create replicas. The password for this
file is the Directory Manager password


[DONE] Verify IPA users available to IPA Services:

[root@idm001 ~]# id admin
uid=392600000(admin) gid=392600000(admins) groups=392600000(admins)

[root@idm001 ~]# getent passwd admin
[root@idm001 ~]#

[] Configure IPA for Cross-Realm Trusts:

 ipa-adtrust-install --netbios-name=ENGENEON -a Cr4ckM0nk3y


[root@idm001 ~]#  ipa-adtrust-install --netbios-name=ENGENEON -a Cr4ckM0nk3y

The log file for this installation can be found in 
This program will setup components needed to establish trust to AD domains for
the FreeIPA Server.

This includes:
  * Configure Samba
  * Add trust related objects to FreeIPA LDAP server

To accept the default shown in brackets, press the Enter key.

WARNING: The smb.conf already exists. Running ipa-adtrust-install will break 
your existing samba configuration.

Do you wish to continue? [no]: yes

WARNING: 3 existing users or groups do not have a SID identifier assigned.
Installer can run a task to have ipa-sidgen Directory Server plugin generate
the SID identifier for all these users. Please note, the in case of a high
number of users and groups, the operation might lead to high replication
traffic and performance degradation. Refer to ipa-adtrust-install(1) man page
for details.

Do you want to run the ipa-sidgen task? [no]: yes

The following operations may take some minutes to complete.
Please wait until the prompt is returned.

Done configuring CIFS.

Setup complete

You must make sure these network ports are open:
        TCP Ports:
          * 138: netbios-dgm
          * 139: netbios-ssn
          * 445: microsoft-ds
        UDP Ports:
          * 138: netbios-dgm
          * 139: netbios-ssn
          * 389: (C)LDAP
          * 445: microsoft-ds

Additionally you have to make sure the FreeIPA LDAP server is not reachable
by any domain controller in the Active Directory domain by closing down
the following ports for these servers:
        TCP Ports:
          * 389, 636: LDAP/LDAPS

You may want to choose to REJECT the network packets instead of DROPing
them to avoid timeouts on the AD domain controllers.


[DONE] Open the firewall Wide:

[root@idm001 ~]# iptables -L
Chain INPUT (policy ACCEPT)
target     prot opt source               destination

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination
[root@idm001 ~]#

[DONE] Check TimeZone Settings on both the AD server and the IPA server:


 [root@idm001 ~]# date
 Fri Sep 12 21:10:56 AST 2014


 PS C:\Users\Administrator> date
 Friday, September 12, 2014 9:10:33 PM

5. DNS Configuration: (The scenario here is "domains are parallel")

- AD DNS Zone  : mhatest.local
- IPA DNS Zone : engeneon.local

 5.1 Configure conditional forwarder for IPA domain (engeneon.local):

 dnscmd /ZoneAdd engeneon.local /Forwarder



PS C:\Users\Administrator> dnscmd /ZoneAdd engeneon.local /Forwarder
DNS Server created zone engeneon.local:

Command completed successfully.

 5.2 On IPA server, add conditional forwarder for AD domain:

 ipa dnszone-add mhatest.local --name-server=KWTTSTADDC002.mhatest.local 
--admin-email='hostmaster@mhatest.local' --force --forwarder= 
--forward-policy=only --ip-address=


[root@idm001 ~]# ipa dnszone-add mhatest.local 
--admin-email='hostmaster@mhatest.local' --force --forwarder= 
--forward-policy=only --ip-address=
  Zone name: mhatest.local
  Authoritative nameserver: kwttstaddc002.mhatest.local
  Administrator e-mail address: hostmaster.mhatest.local.
  SOA serial: 1410546132
  SOA refresh: 3600
  SOA retry: 900
  SOA expire: 1209600
  SOA minimum: 3600
  BIND update policy: grant ENGENEON.LOCAL krb5-self * A; grant ENGENEON.LOCAL 
krb5-self * AAAA; grant ENGENEON.LOCAL krb5-self * SSHFP;
  Active zone: TRUE
  Dynamic update: FALSE
  Allow query: any;
  Allow transfer: none;
  Zone forwarders:
  Forward policy: only
[root@idm001 ~]#


- Dig tests:

 [root@idm001 ~]# dig +short SRV _ldap._tcp.engeneon.local
 0 100 389 idm001.engeneon.local.

 [root@idm001 ~]# dig +short SRV _ldap._tcp.mhatest.local
 0 100 389 kwttstaddc002.mhatest.local.

6. Establish and verify cross-realm trust:

(A tcpdump capture of this part was also done with: tcpdump -nXvvvs 0 -i ens192 
host and host -w 

  ipa trust-add --type=ad mhatest.local --admin Administrator --password


[root@idm001 ~]#
[root@idm001 ~]# ipa trust-add --type=ad mhatest.local --admin Administrator 
Active directory domain administrator's password:
ipa: ERROR: an internal error has occurred
[root@idm001 ~]#

The tcpdump for the entire exchange above looks like this:

[root@idm001 ~]# tcpdump -i ens192 host and host
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on ens192, link-type EN10MB (Ethernet), capture size 65535 bytes
21:41:21.292056 IP idm001.engeneon.local.51159 > UDP, 
length 83
21:41:21.292649 IP > idm001.engeneon.local.51159: UDP, 
length 190
21:41:26.236218 ARP, Request who-has idm001.engeneon.local (00:50:56:9c:67:a0 
(oui Unknown)) tell, length 46
21:41:26.236246 ARP, Reply idm001.engeneon.local is-at 00:50:56:9c:67:a0 (oui 
Unknown), length 28

Attachment: debug_logs_idm001_120920142330.tar.gz
Description: GNU Zip compressed data
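The trust needs the _ldap._tcp SRV record resolvable for both domains and the two clocks inside the Kerberos skew limit, which the steps above check by hand. Here is a small pre-flight checker over captured command output, as an added example that is not part of the original post or of FreeIPA; the sample dig and date strings are constructed from the outputs shown above.

```python
"""Pre-flight checks for an IPA/AD trust, run over captured command output.
Added example, not code from the original post or from FreeIPA; the sample
strings below are constructed from the outputs shown in the post."""
import re
from datetime import datetime

KRB_MAX_SKEW = 300  # Kerberos rejects tickets when clocks differ by more than 5 minutes

# Constructed from the `dig +short SRV _ldap._tcp.<domain>` runs in the post.
SRV_OUTPUT = {
    "engeneon.local": "0 100 389 idm001.engeneon.local.\n",
    "mhatest.local": "0 100 389 kwttstaddc002.mhatest.local.\n",
}
# Constructed from the `date` outputs on the IPA server and on the AD DC.
LINUX_DATE = "Fri Sep 12 21:10:56 AST 2014"
WINDOWS_DATE = "Friday, September 12, 2014 9:10:33 PM"


def parse_srv(dig_short_output):
    """Parse `dig +short SRV` lines into (priority, weight, port, target)."""
    records = []
    for line in dig_short_output.splitlines():
        m = re.match(r"^(\d+)\s+(\d+)\s+(\d+)\s+(\S+?)\.?$", line.strip())
        if m:
            prio, weight, port, target = m.groups()
            records.append((int(prio), int(weight), int(port), target))
    return records


def ldap_servers(domain):
    """Targets advertised for _ldap._tcp.<domain> on port 389; an empty list
    means the conditional forwarder on that side is not answering."""
    return [t for _, _, port, t in parse_srv(SRV_OUTPUT.get(domain, "")) if port == 389]


def clock_skew_seconds(linux_date, windows_date):
    """Absolute difference between `date` on Linux and in PowerShell, both read
    as local time (the zone token in the Linux output is dropped)."""
    tokens = linux_date.split()
    linux = datetime.strptime(" ".join(tokens[:4] + tokens[5:]), "%a %b %d %H:%M:%S %Y")
    windows = datetime.strptime(windows_date, "%A, %B %d, %Y %I:%M:%S %p")
    return abs(int((linux - windows).total_seconds()))


def preflight(ipa_domain="engeneon.local", ad_domain="mhatest.local"):
    """Return the list of problems that would make `ipa trust-add` fail early."""
    problems = []
    for domain in (ipa_domain, ad_domain):
        if not ldap_servers(domain):
            problems.append(f"no _ldap._tcp SRV record resolvable for {domain}")
    skew = clock_skew_seconds(LINUX_DATE, WINDOWS_DATE)
    if skew > KRB_MAX_SKEW:
        problems.append(f"clock skew {skew}s exceeds Kerberos limit of {KRB_MAX_SKEW}s")
    return problems
```

An empty list from `preflight()` means DNS and time are not the cause; the remaining suspects are then the Samba/LDAP side, which the debug logs cover.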
