I'm trying to set up a trust between IPA and Active Directory, and it keeps failing. The problem is the same as this one (https://www.redhat.com/archives/freeipa-users/2014-April/msg00039.html), but the solution is not. In that case, it was solved by enabling IPv6 in the kernel, and in this case IPv6 is already enabled.
Here's what happens:

# ipa trust-add --type=ad example.com
ipa: ERROR: Cannot find specified domain or server name

It looks like a DNS problem, and all the suggestions I've seen point to DNS, but from everything I can see, DNS appears to be working. I have the IPA domain set up as a subdomain (csns.example.com) of the AD domain (example.com). Our AD domain controllers are NOT set up as DNS servers -- we have external, independent DNS servers for that. (Could that be part of the problem?) I am running bind on the IPA server (which is running RHEL6), because all the documentation was written that way. It is set up as a delegation subdomain of our main domain.

From the IPA server, dig finds the AD domain controllers:

# dig SRV _ldap._tcp.example.com

; <<>> DiG 9.8.2rc1-RedHat-9.8.2-0.30.rc1.el6_6.1 <<>> SRV _ldap._tcp.example.com
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 8858
;; flags: qr rd ra; QUERY: 1, ANSWER: 6, AUTHORITY: 13, ADDITIONAL: 0

;; QUESTION SECTION:
;_ldap._tcp.example.com.        IN      SRV

;; ANSWER SECTION:
_ldap._tcp.example.com. 600     IN      SRV     0 100 389 dc1.example.com.
_ldap._tcp.example.com. 600     IN      SRV     0 100 389 dc2.example.com.
_ldap._tcp.example.com. 600     IN      SRV     0 100 389 dc3.example.com.
_ldap._tcp.example.com. 600     IN      SRV     0 100 389 dc4.example.com.
_ldap._tcp.example.com. 600     IN      SRV     0 100 389 dc5.example.com.
_ldap._tcp.example.com. 600     IN      SRV     0 100 389 dc6.example.com.

;; AUTHORITY SECTION:
.                       407417  IN      NS      b.root-servers.net.
.                       407417  IN      NS      a.root-servers.net.
.                       407417  IN      NS      h.root-servers.net.
.                       407417  IN      NS      f.root-servers.net.
.                       407417  IN      NS      m.root-servers.net.
.                       407417  IN      NS      k.root-servers.net.
.                       407417  IN      NS      l.root-servers.net.
.                       407417  IN      NS      g.root-servers.net.
.                       407417  IN      NS      e.root-servers.net.
.                       407417  IN      NS      j.root-servers.net.
.                       407417  IN      NS      i.root-servers.net.
.                       407417  IN      NS      d.root-servers.net.
.                       407417  IN      NS      c.root-servers.net.

;; Query time: 2 msec
;; SERVER: 140.233.1.7#53(140.233.1.7)
;; WHEN: Thu Feb  5 16:38:22 2015
;; MSG SIZE  rcvd: 503

And, with nslookup, I can do name lookups on the domain controllers and the DNS servers, and they all find the appropriate IP address. It all works the other way, too. From the domain controllers I can do nslookup on the IPA server. In fact, every nslookup or ping command I do on any hostname from anywhere all works -- it's only the ipa trust-add command that's failing.

I've set log level to 100 in /usr/share/ipa/smb.conf.empty, and here's the output in /var/log/httpd/error_log:

lpcfg_load: refreshing parameters from /usr/share/ipa/smb.conf.empty
params.c:pm_process() - Processing configuration file "/usr/share/ipa/smb.conf.empty"
Processing section "[global]"
INFO: Current debug levels:
  all: 100
  tdb: 100
  printdrivers: 100
  lanman: 100
  smb: 100
  rpc_parse: 100
  rpc_srv: 100
  rpc_cli: 100
  passdb: 100
  sam: 100
  auth: 100
  winbind: 100
  vfs: 100
  idmap: 100
  quota: 100
  acls: 100
  locking: 100
  msdfs: 100
  dmapi: 100
  registry: 100
pm_process() returned Yes
Using binding ncacn_np:civet.csns.example.com[,]
tevent: Added timed event "dcerpc_connect_timeout_handler": 0x7f22f41eeb60
tevent: Added timed event "composite_trigger": 0x7f22f403d270
tevent: Added timed event "composite_trigger": 0x7f22f41efdc0
tevent: Running timer event 0x7f22f403d270 "composite_trigger"
tevent: Destroying timer event 0x7f22f41efdc0 "composite_trigger"
Mapped to DCERPC endpoint \pipe\lsarpc
added interface eth0 ip=140.233.1.7 bcast=140.233.1.255 netmask=255.255.255.0
added interface eth0 ip=140.233.1.7 bcast=140.233.1.255 netmask=255.255.255.0
tevent: Ending timer event 0x7f22f403d270 "composite_trigger"
tevent: Added timed event "connect_multi_timer": 0x7f22f4136d60
tevent: Schedule immediate event "tevent_req_trigger": 0x7f22f4137690
tevent: Run immediate event "tevent_req_trigger": 0x7f22f4137690
tevent: Destroying timer event 0x7f22f4136d60 "connect_multi_timer"
Socket options:
  SO_KEEPALIVE = 0
  SO_REUSEADDR = 0
  SO_BROADCAST = 0
  TCP_NODELAY = 1
  TCP_KEEPCNT = 9
  TCP_KEEPIDLE = 7200
  TCP_KEEPINTVL = 75
  IPTOS_LOWDELAY = 0
  IPTOS_THROUGHPUT = 0
  SO_REUSEPORT = 0
  SO_SNDBUF = 660150
  SO_RCVBUF = 174758
  SO_SNDLOWAT = 1
  SO_RCVLOWAT = 1
  SO_SNDTIMEO = 0
  SO_RCVTIMEO = 0
  TCP_QUICKACK = 1
  TCP_DEFER_ACCEPT = 0
tevent: Added timed event "tevent_req_timedout": 0x7f22f403f580
tevent: Schedule immediate event "tevent_queue_immediate_trigger": 0x7f22f425aee0
tevent: Run immediate event "tevent_queue_immediate_trigger": 0x7f22f425aee0
tevent: Destroying timer event 0x7f22f403f580 "tevent_req_timedout"
Starting GENSEC mechanism spnego
Starting GENSEC submechanism gssapi_krb5
Ticket in credentials cache for ad...@csns.example.com will expire in 86371 secs
tevent: Added timed event "tevent_req_timedout": 0x7f22f42c2dd0
tevent: Schedule immediate event "tevent_queue_immediate_trigger": 0x7f22f425aee0
tevent: Run immediate event "tevent_queue_immediate_trigger": 0x7f22f425aee0
tevent: Destroying timer event 0x7f22f42c2dd0 "tevent_req_timedout"
gensec_gssapi: NO credentials were delegated
GSSAPI Connection will be cryptographically sealed
tevent: Added timed event "tevent_req_timedout": 0x7f22f4041110
tevent: Schedule immediate event "tevent_queue_immediate_trigger": 0x7f22f425aee0
tevent: Run immediate event "tevent_queue_immediate_trigger": 0x7f22f425aee0
tevent: Destroying timer event 0x7f22f4041110 "tevent_req_timedout"
tevent: Added timed event "tevent_req_timedout": 0x7f22f431dbd0
tevent: Schedule immediate event "tevent_queue_immediate_trigger": 0x7f22f425aee0
tevent: Run immediate event "tevent_queue_immediate_trigger": 0x7f22f425aee0
tevent: Destroying timer event 0x7f22f431dbd0 "tevent_req_timedout"
tevent: Destroying timer event 0x7f22f41eeb60 "dcerpc_connect_timeout_handler"
[Thu Feb 05 16:50:18 2015] [error] ipa: INFO: ad...@csns.example.com: trust_add(u'example.com', trust_type=u'ad', range_size=200000, all=False, raw=False, version=u'2.49'): NotFound

What am I missing?

Thanks,
David Guertin
Information Technology Services
Middlebury College
Middlebury, VT 05753 USA
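An added diagnostic script (not from the post or from FreeIPA) that checks whether the full set of SRV records the AD DC locator queries is resolvable, rather than only _ldap._tcp as the dig above does. The record list is the standard set that Active Directory registers for its domain controllers; that it is the set trust setup needs when the DCs are not the DNS servers is an assumption here, not something the post establishes. The fake resolver mirrors the post's situation as constructed data; the real check uses the system's dig.

```python
import subprocess
from typing import Callable, Dict, List

# SRV names Active Directory registers for every domain controller. The _msdcs
# entries normally exist only when the AD zone (or a delegated _msdcs zone) is
# actually served. Assumption: this is the standard AD set, not taken from the post.
AD_DC_SRV_RECORDS = (
    "_ldap._tcp.{d}",
    "_kerberos._tcp.{d}",
    "_kerberos._udp.{d}",
    "_kpasswd._tcp.{d}",
    "_kpasswd._udp.{d}",
    "_ldap._tcp.dc._msdcs.{d}",
    "_kerberos._tcp.dc._msdcs.{d}",
    "_ldap._tcp.pdc._msdcs.{d}",
    "_gc._tcp.{d}",
)

def srv_via_dig(name: str) -> List[str]:
    """Resolve an SRV name with the system's dig; returns the answer lines (empty if none)."""
    out = subprocess.run(["dig", "+short", "SRV", name],
                         capture_output=True, text=True, check=False)
    return [line for line in out.stdout.splitlines() if line.strip()]

def check_ad_dns(domain: str,
                 resolve: Callable[[str], List[str]] = srv_via_dig) -> Dict[str, List[str]]:
    """Return {"present": [...], "missing": [...]} for the DC locator SRV set of domain."""
    present: List[str] = []
    missing: List[str] = []
    for tmpl in AD_DC_SRV_RECORDS:
        name = tmpl.format(d=domain)
        (present if resolve(name) else missing).append(name)
    return {"present": present, "missing": missing}

# Constructed resolver mirroring the post: the plain _ldap._tcp record answers
# (as in the dig output), but nothing under _msdcs is served by the external DNS.
def _external_dns_only(name: str) -> List[str]:
    table = {
        "_ldap._tcp.example.com": ["0 100 389 dc1.example.com."],
        "_kerberos._tcp.example.com": ["0 100 88 dc1.example.com."],
    }
    return table.get(name, [])

if __name__ == "__main__":
    # Replace _external_dns_only with srv_via_dig to check a live resolver.
    for status, names in check_ad_dns("example.com", _external_dns_only).items():
        for n in names:
            print(f"{status:8} {n}")
```

Run it against the live resolver from the IPA server: any name listed as missing is one the DC locator cannot use, which is worth comparing with the NotFound in error_log.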
-- Manage your subscription for the Freeipa-users mailing list: https://www.redhat.com/mailman/listinfo/freeipa-users Go To http://freeipa.org for more info on the project