On Thu, 05 Feb 2015, Guertin, David S. wrote:
I'm trying to set up a trust between IPA and Active Directory, and it
keeps failing. The problem is the same as this one
(https://www.redhat.com/archives/freeipa-users/2014-April/msg00039.html),
but the solution is not. In that case, it was solved by enabling IPv6
in the kernel, and in this case IPv6 is already enabled.

Here's what happens:

# ipa trust-add --type=ad example.com
ipa: ERROR: Cannot find specified domain or server name

It looks like a DNS problem, and all the suggestions I've seen point to
DNS, but from everything I can see, DNS appears to be working. I have
the IPA domain set up as a subdomain (csns.example.com) of the AD
domain (example.com). Our AD domain controllers are NOT set up as DNS
servers -- we have external, independent DNS servers for that. (Could
that be part of the problem?) I am running bind on the IPA server
(which is running RHEL6), because all the documentation was written
that way. It is set up as a delegation subdomain of our main domain.

We don't require DNS to be tied to any specific party (IPA or AD), all
we require is that all proper service records (SRV) are in place.

For Active Directory cross-forest trusts to work, we need the following
records to be in place:

_ldap._tcp.<DOMAIN>
_kerberos._udp.<DOMAIN>
_kerberos._tcp.<DOMAIN>
_ldap._tcp.Default-First-Site-Name._sites.dc._msdcs.<DOMAIN>
_kerberos._udp.Default-First-Site-Name._sites.dc._msdcs.<DOMAIN>
_kerberos._tcp.Default-First-Site-Name._sites.dc._msdcs.<DOMAIN>
_ldap._tcp.dc._msdcs.<DOMAIN>
_kerberos._udp.dc._msdcs.<DOMAIN>
_kerberos._tcp.dc._msdcs.<DOMAIN>

When you run ipa-adtrust-install, it will generate these records for the IPA
domain, but when we perform the trust, Samba libraries resolve these in the AD
domain too. Make sure they are properly configured.


From the IPA server, dig finds the AD domain controllers:

# dig SRV _ldap._tcp.example.com

; <<>> DiG 9.8.2rc1-RedHat-9.8.2-0.30.rc1.el6_6.1 <<>> SRV _ldap._tcp.example.com
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 8858
;; flags: qr rd ra; QUERY: 1, ANSWER: 6, AUTHORITY: 13, ADDITIONAL: 0

;; QUESTION SECTION:
;_ldap._tcp.example.com.           IN           SRV

;; ANSWER SECTION:
_ldap._tcp.example.com. 600    IN    SRV    0 100 389 dc1.example.com.
_ldap._tcp.example.com. 600    IN    SRV    0 100 389 dc2.example.com.
_ldap._tcp.example.com. 600    IN    SRV    0 100 389 dc3.example.com.
_ldap._tcp.example.com. 600    IN    SRV    0 100 389 dc4.example.com.
_ldap._tcp.example.com. 600    IN    SRV    0 100 389 dc5.example.com.
_ldap._tcp.example.com. 600    IN    SRV    0 100 389 dc6.example.com.

;; AUTHORITY SECTION:
.                       407417  IN    NS    b.root-servers.net.
.                       407417  IN    NS    a.root-servers.net.
.                       407417  IN    NS    h.root-servers.net.
.                       407417  IN    NS    f.root-servers.net.
.                       407417  IN    NS    m.root-servers.net.
.                       407417  IN    NS    k.root-servers.net.
.                       407417  IN    NS    l.root-servers.net.
.                       407417  IN    NS    g.root-servers.net.
.                       407417  IN    NS    e.root-servers.net.
.                       407417  IN    NS    j.root-servers.net.
.                       407417  IN    NS    i.root-servers.net.
.                       407417  IN    NS    d.root-servers.net.
.                       407417  IN    NS    c.root-servers.net.

;; Query time: 2 msec
;; SERVER: 140.233.1.7#53(140.233.1.7)
;; WHEN: Thu Feb  5 16:38:22 2015
;; MSG SIZE  rcvd: 503

And, with nslookup, I can do name lookups on the domain controllers and
the DNS servers, and they all find the appropriate IP address. It all
works the other way, too. From the domain controllers I can do nslookup
on the IPA server. In fact, every nslookup or ping command I do on any
hostname from anywhere all works -- it's only the ipa trust-add command
that's failing.

I've set log level to 100 in /usr/share/ipa/smb.conf.empty, and here's the 
output in /var/log/httpd/error_log:

lpcfg_load: refreshing parameters from /usr/share/ipa/smb.conf.empty
params.c:pm_process() - Processing configuration file "/usr/share/ipa/smb.conf.empty"
Processing section "[global]"
INFO: Current debug levels:
 all: 100
 tdb: 100
 printdrivers: 100
 lanman: 100
 smb: 100
 rpc_parse: 100
 rpc_srv: 100
 rpc_cli: 100
 passdb: 100
 sam: 100
 auth: 100
 winbind: 100
 vfs: 100
 idmap: 100
 quota: 100
 acls: 100
 locking: 100
 msdfs: 100
 dmapi: 100
 registry: 100
pm_process() returned Yes
Using binding ncacn_np:civet.csns.example.com[,]
tevent: Added timed event "dcerpc_connect_timeout_handler": 0x7f22f41eeb60
tevent: Added timed event "composite_trigger": 0x7f22f403d270
tevent: Added timed event "composite_trigger": 0x7f22f41efdc0
tevent: Running timer event 0x7f22f403d270 "composite_trigger"
tevent: Destroying timer event 0x7f22f41efdc0 "composite_trigger"
Mapped to DCERPC endpoint \pipe\lsarpc
added interface eth0 ip=140.233.1.7 bcast=140.233.1.255 netmask=255.255.255.0
added interface eth0 ip=140.233.1.7 bcast=140.233.1.255 netmask=255.255.255.0
tevent: Ending timer event 0x7f22f403d270 "composite_trigger"
tevent: Added timed event "connect_multi_timer": 0x7f22f4136d60
tevent: Schedule immediate event "tevent_req_trigger": 0x7f22f4137690
tevent: Run immediate event "tevent_req_trigger": 0x7f22f4137690
tevent: Destroying timer event 0x7f22f4136d60 "connect_multi_timer"
Socket options:
       SO_KEEPALIVE = 0
       SO_REUSEADDR = 0
       SO_BROADCAST = 0
       TCP_NODELAY = 1
       TCP_KEEPCNT = 9
       TCP_KEEPIDLE = 7200
       TCP_KEEPINTVL = 75
       IPTOS_LOWDELAY = 0
       IPTOS_THROUGHPUT = 0
       SO_REUSEPORT = 0
       SO_SNDBUF = 660150
       SO_RCVBUF = 174758
       SO_SNDLOWAT = 1
       SO_RCVLOWAT = 1
       SO_SNDTIMEO = 0
       SO_RCVTIMEO = 0
       TCP_QUICKACK = 1
       TCP_DEFER_ACCEPT = 0
tevent: Added timed event "tevent_req_timedout": 0x7f22f403f580
tevent: Schedule immediate event "tevent_queue_immediate_trigger": 0x7f22f425aee0
tevent: Run immediate event "tevent_queue_immediate_trigger": 0x7f22f425aee0
tevent: Destroying timer event 0x7f22f403f580 "tevent_req_timedout"
Starting GENSEC mechanism spnego
Starting GENSEC submechanism gssapi_krb5
Ticket in credentials cache for ad...@csns.example.com will expire in 86371 secs
tevent: Added timed event "tevent_req_timedout": 0x7f22f42c2dd0
tevent: Schedule immediate event "tevent_queue_immediate_trigger": 0x7f22f425aee0
tevent: Run immediate event "tevent_queue_immediate_trigger": 0x7f22f425aee0
tevent: Destroying timer event 0x7f22f42c2dd0 "tevent_req_timedout"
gensec_gssapi: NO credentials were delegated
GSSAPI Connection will be cryptographically sealed
tevent: Added timed event "tevent_req_timedout": 0x7f22f4041110
tevent: Schedule immediate event "tevent_queue_immediate_trigger": 0x7f22f425aee0
tevent: Run immediate event "tevent_queue_immediate_trigger": 0x7f22f425aee0
tevent: Destroying timer event 0x7f22f4041110 "tevent_req_timedout"
tevent: Added timed event "tevent_req_timedout": 0x7f22f431dbd0
tevent: Schedule immediate event "tevent_queue_immediate_trigger": 0x7f22f425aee0
tevent: Run immediate event "tevent_queue_immediate_trigger": 0x7f22f425aee0
tevent: Destroying timer event 0x7f22f431dbd0 "tevent_req_timedout"
tevent: Destroying timer event 0x7f22f41eeb60 "dcerpc_connect_timeout_handler"
[Thu Feb 05 16:50:18 2015] [error] ipa: INFO: ad...@csns.example.com: trust_add(u'example.com', trust_type=u'ad', range_size=200000, all=False, raw=False, version=u'2.49'): NotFound

I can see that we initialized the connection to local Samba
(civet.csns.example.com). The next step is to initialize the connection to
the AD side, and that one fails -- exactly because it is unable to pick up
a domain controller from the msdcs-specific SRV records.


--
/ Alexander Bokovoy
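As an added example (not from the thread or the FreeIPA project), a POSIX shell checker for the nine SRV names Alexander lists above; it assumes `dig` from bind-utils is installed, takes the domain and an optional DNS server as arguments, and uses Default-First-Site-Name as the site unless another is given.

```shell
#!/bin/sh
# Verify that the SRV records Samba needs for an AD cross-forest trust
# resolve for DOMAIN, so a failing "ipa trust-add" can be traced to DNS.

# Print the nine SRV names a trust partner must resolve for DOMAIN.
# $2 is the AD site name (default: Default-First-Site-Name).
required_srv_names() {
    domain="$1"
    site="${2:-Default-First-Site-Name}"
    for svc in _ldap._tcp _kerberos._udp _kerberos._tcp; do
        echo "$svc.$domain"
        echo "$svc.$site._sites.dc._msdcs.$domain"
        echo "$svc.dc._msdcs.$domain"
    done
}

# Read "dig +short SRV" output on stdin (lines "prio weight port target.")
# and print one target host per line, trailing dot removed.
srv_targets() {
    awk 'NF == 4 { sub(/\.$/, "", $4); print $4 }'
}

# Resolve every required name via the default resolver, or via the DNS
# server given as $2. Prints OK/MISSING per name; returns 1 if any is absent.
check_trust_srv() {
    domain="$1"
    server="${2:+@$2}"
    rc=0
    for name in $(required_srv_names "$domain"); do
        targets=$(dig +short $server SRV "$name" | srv_targets)
        if [ -n "$targets" ]; then
            printf 'OK      %s -> %s\n' "$name" "$(echo "$targets" | tr '\n' ' ')"
        else
            printf 'MISSING %s\n' "$name"
            rc=1
        fi
    done
    return $rc
}

# Usage: check_trust_srv example.com [dns-server-ip]
```

Run it once against the AD domain and once against the IPA domain; every line should read OK, and the `_msdcs` names are the ones to look at first when `ipa trust-add` reports that it cannot find the domain.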

--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go To http://freeipa.org for more info on the project