I'm trying to set up a trust between IPA and Active Directory, and it keeps 
failing. The problem is the same as this one 
(https://www.redhat.com/archives/freeipa-users/2014-April/msg00039.html), but 
the solution is not. In that case, it was solved by enabling IPv6 in the 
kernel, and in this case IPv6 is already enabled.

Here's what happens:

# ipa trust-add --type=ad example.com
ipa: ERROR: Cannot find specified domain or server name

It looks like a DNS problem, and all the suggestions I've seen point to DNS, 
but from everything I can see, DNS appears to be working. I have the IPA domain 
set up as a subdomain (csns.example.com) of the AD domain (example.com). Our AD 
domain controllers are NOT set up as DNS servers -- we have external, 
independent DNS servers for that. (Could that be part of the problem?) I am 
running bind on the IPA server (which is running RHEL6), because all the 
documentation was written that way. It is set up as a delegation subdomain of 
our main domain.

From the IPA server, dig finds the AD domain controllers:

# dig SRV _ldap._tcp.example.com

; <<>> DiG 9.8.2rc1-RedHat-9.8.2-0.30.rc1.el6_6.1 <<>> SRV _ldap._tcp.example.com
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 8858
;; flags: qr rd ra; QUERY: 1, ANSWER: 6, AUTHORITY: 13, ADDITIONAL: 0

;; QUESTION SECTION:
;_ldap._tcp.example.com.           IN           SRV

;; ANSWER SECTION:
_ldap._tcp.example.com. 600    IN           SRV        0 100 389 dc1.example.com.
_ldap._tcp.example.com. 600    IN           SRV        0 100 389 dc2.example.com.
_ldap._tcp.example.com. 600    IN           SRV        0 100 389 dc3.example.com.
_ldap._tcp.example.com. 600    IN           SRV        0 100 389 dc4.example.com.
_ldap._tcp.example.com. 600    IN           SRV        0 100 389 dc5.example.com.
_ldap._tcp.example.com. 600    IN           SRV        0 100 389 dc6.example.com.

;; AUTHORITY SECTION:
.                       407417  IN           NS         b.root-servers.net.
.                       407417  IN           NS         a.root-servers.net.
.                       407417  IN           NS         h.root-servers.net.
.                       407417  IN           NS         f.root-servers.net.
.                       407417  IN           NS         m.root-servers.net.
.                       407417  IN           NS         k.root-servers.net.
.                       407417  IN           NS         l.root-servers.net.
.                       407417  IN           NS         g.root-servers.net.
.                       407417  IN           NS         e.root-servers.net.
.                       407417  IN           NS         j.root-servers.net.
.                       407417  IN           NS         i.root-servers.net.
.                       407417  IN           NS         d.root-servers.net.
.                       407417  IN           NS         c.root-servers.net.

;; Query time: 2 msec
;; SERVER: 140.233.1.7#53(140.233.1.7)
;; WHEN: Thu Feb  5 16:38:22 2015
;; MSG SIZE  rcvd: 503

And, with nslookup, I can do name lookups on the domain controllers and the DNS 
servers, and they all find the appropriate IP address. It all works the other 
way, too. From the domain controllers I can do nslookup on the IPA server. In 
fact, every nslookup or ping command I do on any hostname from anywhere all works 
-- it's only the ipa trust-add command that's failing.

I've set log level to 100 in /usr/share/ipa/smb.conf.empty, and here's the 
output in /var/log/httpd/error_log:

lpcfg_load: refreshing parameters from /usr/share/ipa/smb.conf.empty
params.c:pm_process() - Processing configuration file 
"/usr/share/ipa/smb.conf.empty"
Processing section "[global]"
INFO: Current debug levels:
  all: 100
  tdb: 100
  printdrivers: 100
  lanman: 100
  smb: 100
  rpc_parse: 100
  rpc_srv: 100
  rpc_cli: 100
  passdb: 100
  sam: 100
  auth: 100
  winbind: 100
  vfs: 100
  idmap: 100
  quota: 100
  acls: 100
  locking: 100
  msdfs: 100
  dmapi: 100
  registry: 100
pm_process() returned Yes
Using binding ncacn_np:civet.csns.example.com[,]
tevent: Added timed event "dcerpc_connect_timeout_handler": 0x7f22f41eeb60
tevent: Added timed event "composite_trigger": 0x7f22f403d270
tevent: Added timed event "composite_trigger": 0x7f22f41efdc0
tevent: Running timer event 0x7f22f403d270 "composite_trigger"
tevent: Destroying timer event 0x7f22f41efdc0 "composite_trigger"
Mapped to DCERPC endpoint \pipe\lsarpc
added interface eth0 ip=140.233.1.7 bcast=140.233.1.255 netmask=255.255.255.0
added interface eth0 ip=140.233.1.7 bcast=140.233.1.255 netmask=255.255.255.0
tevent: Ending timer event 0x7f22f403d270 "composite_trigger"
tevent: Added timed event "connect_multi_timer": 0x7f22f4136d60
tevent: Schedule immediate event "tevent_req_trigger": 0x7f22f4137690
tevent: Run immediate event "tevent_req_trigger": 0x7f22f4137690
tevent: Destroying timer event 0x7f22f4136d60 "connect_multi_timer"
Socket options:
        SO_KEEPALIVE = 0
        SO_REUSEADDR = 0
        SO_BROADCAST = 0
        TCP_NODELAY = 1
        TCP_KEEPCNT = 9
        TCP_KEEPIDLE = 7200
        TCP_KEEPINTVL = 75
        IPTOS_LOWDELAY = 0
        IPTOS_THROUGHPUT = 0
        SO_REUSEPORT = 0
        SO_SNDBUF = 660150
        SO_RCVBUF = 174758
        SO_SNDLOWAT = 1
        SO_RCVLOWAT = 1
        SO_SNDTIMEO = 0
        SO_RCVTIMEO = 0
        TCP_QUICKACK = 1
        TCP_DEFER_ACCEPT = 0
tevent: Added timed event "tevent_req_timedout": 0x7f22f403f580
tevent: Schedule immediate event "tevent_queue_immediate_trigger": 0x7f22f425aee0
tevent: Run immediate event "tevent_queue_immediate_trigger": 0x7f22f425aee0
tevent: Destroying timer event 0x7f22f403f580 "tevent_req_timedout"
Starting GENSEC mechanism spnego
Starting GENSEC submechanism gssapi_krb5
Ticket in credentials cache for ad...@csns.example.com will expire in 86371 secs
tevent: Added timed event "tevent_req_timedout": 0x7f22f42c2dd0
tevent: Schedule immediate event "tevent_queue_immediate_trigger": 0x7f22f425aee0
tevent: Run immediate event "tevent_queue_immediate_trigger": 0x7f22f425aee0
tevent: Destroying timer event 0x7f22f42c2dd0 "tevent_req_timedout"
gensec_gssapi: NO credentials were delegated
GSSAPI Connection will be cryptographically sealed
tevent: Added timed event "tevent_req_timedout": 0x7f22f4041110
tevent: Schedule immediate event "tevent_queue_immediate_trigger": 0x7f22f425aee0
tevent: Run immediate event "tevent_queue_immediate_trigger": 0x7f22f425aee0
tevent: Destroying timer event 0x7f22f4041110 "tevent_req_timedout"
tevent: Added timed event "tevent_req_timedout": 0x7f22f431dbd0
tevent: Schedule immediate event "tevent_queue_immediate_trigger": 0x7f22f425aee0
tevent: Run immediate event "tevent_queue_immediate_trigger": 0x7f22f425aee0
tevent: Destroying timer event 0x7f22f431dbd0 "tevent_req_timedout"
tevent: Destroying timer event 0x7f22f41eeb60 "dcerpc_connect_timeout_handler"
[Thu Feb 05 16:50:18 2015] [error] ipa: INFO: ad...@csns.example.com: trust_add(u'example.com', trust_type=u'ad', range_size=200000, all=False, raw=False, version=u'2.49'): NotFound

What am I missing?

Thanks,

David Guertin
Information Technology Services
Middlebury College
Middlebury, VT 05753 USA
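An added diagnostic (not from the thread, and not FreeIPA or Samba code) that goes one step past the dig check above: an AD client locating a domain controller queries the _msdcs locator names as well as _ldap._tcp.<domain>, and when the domain controllers are not the DNS servers for the zone, whichever servers do serve it must carry those records. The script sends SRV queries for the locator names straight to one resolver (the resolver IP and the list of names are assumptions of this example; the list is constructed from the standard DC-locator record set) using only the standard library, parses the replies including compressed names, and reports which names get no SRV answer at all.

```python
import random, socket, struct

def ad_srv_names(domain):
    # DC-locator names an AD client queries (constructed list, not from the thread);
    # the _msdcs entries are the ones a plain _ldap._tcp.<domain> check never touches.
    return [f"_ldap._tcp.{domain}", f"_kerberos._tcp.{domain}", f"_ldap._tcp.dc._msdcs.{domain}",
            f"_kerberos._tcp.dc._msdcs.{domain}", f"_ldap._tcp.pdc._msdcs.{domain}"]

def build_query(name, qtype=33):  # 33 = SRV
    qname = b"".join(bytes([len(l)]) + l.encode() for l in name.rstrip(".").split(".")) + b"\0"
    hdr = struct.pack("!HHHHHH", random.randrange(65536), 0x0100, 1, 0, 0, 0)  # RD bit set
    return hdr + qname + struct.pack("!HH", qtype, 1)

def read_name(msg, off):  # decode a possibly compressed name -> (name, offset past it)
    labels, end = [], None
    while msg[off]:
        if msg[off] & 0xC0 == 0xC0:  # compression pointer: follow it, resume after it
            end = end if end is not None else off + 2
            off = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
        else:
            labels.append(msg[off + 1:off + 1 + msg[off]].decode())
            off += 1 + msg[off]
    return ".".join(labels), (end if end is not None else off + 1)

def parse_srv(msg):  # -> (rcode, [(priority, weight, port, target), ...])
    _, flags, qd, an, _, _ = struct.unpack("!HHHHHH", msg[:12])
    off, records = 12, []
    for _ in range(qd):  # skip the echoed question section
        off = read_name(msg, off)[1] + 4
    for _ in range(an):
        off = read_name(msg, off)[1]
        rtype, _, _, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        if rtype == 33:
            pri, wt, port = struct.unpack("!HHH", msg[off:off + 6])
            records.append((pri, wt, port, read_name(msg, off + 6)[0]))
        off += rdlen  # skip rdata of any other type (e.g. a CNAME)
    return flags & 0xF, records

def check_ad_discovery(domain, resolver, timeout=3.0):
    """Targets per locator name; None = no SRV answer (NXDOMAIN, empty reply or timeout)."""
    report = {}
    for name in ad_srv_names(domain.rstrip(".")):
        with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
            s.settimeout(timeout)
            s.sendto(build_query(name), (resolver, 53))
            try:
                report[name] = [t for _, _, _, t in parse_srv(s.recv(4096))[1]] or None
            except socket.timeout:
                report[name] = None
    return report
```

Run `check_ad_discovery("example.com", "140.233.1.7")` from the IPA server and again against one of the external DNS servers; any name that comes back None is a locator record the trust setup cannot find from that resolver.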
