Hi List
I'm following the guide at http://www.freeipa.org/page/Howto/IPAv3_AD_trust_setup#Assumptions , this time with Fedora 20.1. Everything proceeds smoothly until I try to establish trust with the AD domain controller, at which point IPA crashes: --- [root@idm001 ~]# ipa trust-add --type=ad mhatest.local --admin Administrator --password Active directory domain administrator's password: ipa: ERROR: an internal error has occurred [root@idm001 ~]# --- I've attached the exact, step by step process I used to arrive at this point. Attached also are the debug logs (as per the debugging guidelines). Many thanks in advance for any insight I could use to understand and fix this issue! I am also moving on to re/testing the same process on CentOS 7, CentOS 6.5 to rule out the possibility of subtle variations in package version bugs (or basically net any that might exist :-p) Regards, Traiano
1. AD DC Details - Provides DNS via Windows DNS Server for MHATEST.LOCAL, ENGENEON.LOCAL, LINUX.MHATEST.LOCAL - Win2K8 R2 Enterprise (VM running on Hyper-V) - DNS hostname: kwttstaddc001.mhatest.local - IP Address: 172.16.107.109 2. IdM Server Details - Fedora 20.??? (Fedora-Live-Desktop-x86_64-20-1) - DNS hostname: idm001.engeneon.local - IP Address: 172.16.107.108 3. Linux Client machine: - 172.16.104.145 ronin.engeneon.local ronin - CentOS6.5 Summary: - IPA server IP address: 172.16.107.108 - IPA server hostname: idm001.engeneon.local - IPA domain: ipa_domain engeneon.local - IPA NetBIOS: ENGENEON - IPA Kerberos realm, IPA_DOMAIN, is equal to IPA domain: ENGENEON.LOCAL - AD DC IP address: ad_ip_address: 172.16.107.109 - AD DC hostname: ad_hostname: kwttstaddc001.mhatest.local - AD domain: ad_domain: MHATEST.LOCAL - AD NetBIOS: ad_netbios: MHATEST - AD admins group SID: <fillmein> 4. Windows 2008 R2 AD DC Configuration Settings (172.16.107.109) Printout summary from the "DCPROMO" configuration wizard: - Configure this server as the first Active Directory domain controller in a new forest. - The new domain name is "MHATEST.LOCAL". This is also the name of the new forest. - The NetBIOS name of the domain is "MHATEST". - Forest Functional Level: Windows Server 2008 R2 - Domain Functional Level: Windows Server 2008 R2 - Site: Default-First-Site-Name - Additional Options: Read-only domain controller: "No" Global catalog: Yes DNS Server: Yes - Create DNS Delegation: No - Database folder: C:\Windows\NTDS - Log file folder: C:\Windows\NTDS - SYSVOL folder: C:\Windows\SYSVOL - The DNS Server service will be installed on this computer. - The DNS Server service will be configured on this computer. - This computer will be configured to use this DNS server as its preferred DNS server. - The password of the new domain Administrator will be the same as the password of the local Administrator of this computer. A second AD integrated zone was created on the AD server for the IPA domain: Name: ENGENEON.LOCAL Type: Active Directory-Integrated Primary Lookup type: Forward 5. IDM Server Configuration Sequence: - Guide #1 (IPA Setup) http://www.freeipa.org/page/Howto/IPAv3_AD_trust_setup#Assumptions - Guide #2 (AD setup) http://stef.thewalter.net/2012/08/how-to-create-active-directory-domain.html - Guide #3 (NOT USED IN THIS SEQUENCE!!): Mark Heslin's guide: "Integrating OSE for IdMfor RHEL 1.0" 5.1 Installing the IPA server (Fedora 20.x, on VMware ESXI 5.5): [done] yum update -y Setup the local caching name-server: [DONE] yum install caching-nameserver [DONE] configure forwarders in /etc/named.conf: forwarders { 172.16.107.109; /* ... or the address of your ISP DNS server */ }; Zone configuration on the IPA server: --- zone "mhatest.local" { type stub; masters { 172.16.107.109; }; }; zone "engeneon.local" { type stub; masters { 172.16.107.109; }; }; --- - Testing that the IPA server can use the local caching dns servicet to resolve the test AD domain: --- [root@idm001 ~]# dig +short soa mhatest.local @127.0.0.1 kwttstaddc002.mhatest.local. hostmaster.mhatest.local. 23 900 600 86400 3600 --- [DONE] yum install -y "*ipa-server" "*ipa-server-trust-ad" samba4-winbind-clients samba4-winbind samba4-client bind bind-dyndb-ldap --- Package freeipa-server-3.3.5-1.fc20.x86_64 already installed and latest version Package freeipa-server-trust-ad-3.3.5-1.fc20.x86_64 already installed and latest version Package 2:samba-winbind-clients-4.1.9-4.fc20.x86_64 already installed and latest version Package 2:samba-winbind-4.1.9-4.fc20.x86_64 already installed and latest version Package 2:samba-client-4.1.9-4.fc20.x86_64 already installed and latest version Package 32:bind-9.9.4-15.P2.fc20.x86_64 already installed and latest version Package bind-dyndb-ldap-4.3-1.fc20.x86_64 already installed and latest version --- [DONE] Configure hostname and /etc/hosts: --- [root@idm001 ~]# cat /etc/hosts 127.0.0.1 localhost.localdomain localhost ::1 localhost6.localdomain6 localhost6 172.16.107.108 idm001.engeneon.local idm001 [root@idm001 ~]# hostname idm001.engeneon.local --- [DONE] Install the IPA server: ipa-server-install -a Cr4ckM0nk3y -p Cr4ckM0nk3y --domain=engeneon.local --realm=ENGENEON.LOCAL --setup-dns --no-forwarders -U --- <trimmed for brevity> . . . [9/11]: restarting named [10/11]: configuring named to start on boot [11/11]: changing resolv.conf to point to ourselves Done configuring DNS (named). Global DNS configuration in LDAP server is empty You can use 'dnsconfig-mod' command to set global DNS options that would override settings in local named.conf files Restarting the web server ============================================================================== Setup complete Next steps: 1. You must make sure these network ports are open: TCP Ports: * 80, 443: HTTP/HTTPS * 389, 636: LDAP/LDAPS * 88, 464: kerberos * 53: bind UDP Ports: * 88, 464: kerberos * 53: bind * 123: ntp 2. You can now obtain a kerberos ticket using the command: 'kinit admin' This ticket will allow you to use the IPA tools (e.g., ipa user-add) and the web user interface. Be sure to back up the CA certificate stored in /root/cacert.p12 This file is required to create replicas. The password for this file is the Directory Manager password --- [DONE] Verify IPA users available to IPA Services: --- [root@idm001 ~]# id admin uid=392600000(admin) gid=392600000(admins) groups=392600000(admins) [root@idm001 ~]# getent passwd admin admin:*:392600000:392600000:Administrator:/home/admin:/bin/bash [root@idm001 ~]# --- [] Configure IPA for Cross-Realm Trusts: ipa-adtrust-install --netbios-name=ENGENEON -a Cr4ckM0nk3y Output: --- [root@idm001 ~]# ipa-adtrust-install --netbios-name=ENGENEON -a Cr4ckM0nk3y The log file for this installation can be found in /var/log/ipaserver-install.log ============================================================================== This program will setup components needed to establish trust to AD domains for the FreeIPA Server. This includes: * Configure Samba * Add trust related objects to FreeIPA LDAP server To accept the default shown in brackets, press the Enter key. WARNING: The smb.conf already exists. Running ipa-adtrust-install will break your existing samba configuration. Do you wish to continue? [no]: yes WARNING: 3 existing users or groups do not have a SID identifier assigned. Installer can run a task to have ipa-sidgen Directory Server plugin generate the SID identifier for all these users. Please note, the in case of a high number of users and groups, the operation might lead to high replication traffic and performance degradation. Refer to ipa-adtrust-install(1) man page for details. Do you want to run the ipa-sidgen task? [no]: yes The following operations may take some minutes to complete. Please wait until the prompt is returned. Done configuring CIFS. ============================================================================= Setup complete You must make sure these network ports are open: TCP Ports: * 138: netbios-dgm * 139: netbios-ssn * 445: microsoft-ds UDP Ports: * 138: netbios-dgm * 139: netbios-ssn * 389: (C)LDAP * 445: microsoft-ds Additionally you have to make sure the FreeIPA LDAP server is not reachable by any domain controller in the Active Directory domain by closing down the following ports for these servers: TCP Ports: * 389, 636: LDAP/LDAPS You may want to choose to REJECT the network packets instead of DROPing them to avoid timeouts on the AD domain controllers. ============================================================================= [DONE] Open the firewall Wide: --- [root@idm001 ~]# iptables -L Chain INPUT (policy ACCEPT) target prot opt source destination Chain FORWARD (policy ACCEPT) target prot opt source destination Chain OUTPUT (policy ACCEPT) target prot opt source destination [root@idm001 ~]# --- [DONE] Check TimeZone Settings on both the AD server and the IPA server: idm001.engeneon.net: --- [root@idm001 ~]# date Fri Sep 12 21:10:56 AST 2014 --- kwttstaddc002.mhatest.local: --- PS C:\Users\Administrator> date Friday, September 12, 2014 9:10:33 PM --- 5. DNS Configuration: (The scenario here is "domains are parallel") - AD DNS Zone : mhatest.local - IPA DNS Zone : engeneon.local 5.1 Configure conditional forwarder for IPA domain (engeneon.local): dnscmd 127.0.0.1 /ZoneAdd engeneon.local /Forwarder 172.16.107.108 Output: --- PS C:\Users\Administrator> dnscmd 127.0.0.1 /ZoneAdd engeneon.local /Forwarder 172.16.107.108 DNS Server 127.0.0.1 created zone engeneon.local: Command completed successfully. --- 5.2 On IPA server, add conditional forwarder for AD domain: ipa dnszone-add mhatest.local --name-server=KWTTSTADDC002.mhatest.local --admin-email='hostmaster@mhatest.local' --force --forwarder=172.16.107.109 --forward-policy=only --ip-address=172.16.107.109 Output: --- [root@idm001 ~]# ipa dnszone-add mhatest.local --name-server=KWTTSTADDC002.mhatest.local --admin-email='hostmaster@mhatest.local' --force --forwarder=172.16.107.109 --forward-policy=only --ip-address=172.16.107.109 Zone name: mhatest.local Authoritative nameserver: kwttstaddc002.mhatest.local Administrator e-mail address: hostmaster.mhatest.local. SOA serial: 1410546132 SOA refresh: 3600 SOA retry: 900 SOA expire: 1209600 SOA minimum: 3600 BIND update policy: grant ENGENEON.LOCAL krb5-self * A; grant ENGENEON.LOCAL krb5-self * AAAA; grant ENGENEON.LOCAL krb5-self * SSHFP; Active zone: TRUE Dynamic update: FALSE Allow query: any; Allow transfer: none; Zone forwarders: 172.16.107.109 Forward policy: only [root@idm001 ~]# --- - Dig tests: --- [root@idm001 ~]# dig +short SRV _ldap._tcp.engeneon.local 0 100 389 idm001.engeneon.local. --- --- [root@idm001 ~]# dig +short SRV _ldap._tcp.mhatest.local 0 100 389 kwttstaddc002.mhatest.local. --- 6.Establish and verify cross-realm trust: (A tcpdump capture of this part was also done with: tcpdump -nXvvvs 0 -i ens192 host 172.16.107.108 and host 172.16.107.109 -w ipa-ad-cross-realm-trust-argument.pcap) ipa trust-add --type=ad mhatest.local --admin Administrator --password Output: --- [root@idm001 ~]# [root@idm001 ~]# ipa trust-add --type=ad mhatest.local --admin Administrator --password Active directory domain administrator's password: ipa: ERROR: an internal error has occurred [root@idm001 ~]# --- The tcpdump for the entire exchange above looks like this: --- [root@idm001 ~]# tcpdump -i ens192 host 172.16.107.108 and host 172.16.107.109 tcpdump: verbose output suppressed, use -v or -vv for full protocol decode listening on ens192, link-type EN10MB (Ethernet), capture size 65535 bytes 21:41:21.292056 IP idm001.engeneon.local.51159 > 172.16.107.109.ldap: UDP, length 83 21:41:21.292649 IP 172.16.107.109.ldap > idm001.engeneon.local.51159: UDP, length 190 21:41:26.236218 ARP, Request who-has idm001.engeneon.local (00:50:56:9c:67:a0 (oui Unknown)) tell 172.16.107.109, length 46 21:41:26.236246 ARP, Reply idm001.engeneon.local is-at 00:50:56:9c:67:a0 (oui Unknown), length 28 ---
debug_logs_idm001_120920142330.tar.gz
Description: GNU Zip compressed data
-- Manage your subscription for the Freeipa-users mailing list: https://www.redhat.com/mailman/listinfo/freeipa-users Go To http://freeipa.org for more info on the project