On Fri, 27 Feb 2015, mete bilgin wrote:
Starting GENSEC mechanism spnego
Starting GENSEC submechanism gssapi_krb5
Ticket in credentials cache for @IPDOMAIN will expire in 86400 secs
GSS client Update(krb5)(1) Update failed: Unspecified GSS failure.  Minor
code may provide more information: KDC policy rejects request

This means your trust is not working. How did you established trust?
Show exact commands.

"KDC policy rejects request" means AD DC was unable to complete trust
validation. Usually it means it was unable to talk back to IPA master
which it discovers via SRV records over DNS.
--
/ Alexander Bokovoy



Hi,

When I add the trust, it returns this.

[root@ipa01 ~]# ipa trust-add  --type=ad --admin admin --password
Realm name: addomain.com
Active directory domain administrator's password:
-------------------------------------------
Re-established trust to domain "ADDOMAIN.COM"
-------------------------------------------
 Realm name: ADDOMAIN.COM
 Domain NetBIOS name: ADDOMAIN
 Domain Security Identifier: S-1-5-21-1343024091-2000478354-725345543
 SID blacklist incoming: S-1-0, S-1-1, S-1-2, S-1-3, S-1-5-1, S-1-5-2,
S-1-5-3, S-1-5-4, S-1-5-5, S-1-5-6, S-1-5-7, S-1-5-8, S-1-5-9, S-1-5-10,
S-1-5-11, S-1-5-12, S-1-5-13, S-1-5-14, S-1-5-15,
                         S-1-5-16, S-1-5-17, S-1-5-18, S-1-5-19, S-1-5-20
 SID blacklist outgoing: S-1-0, S-1-1, S-1-2, S-1-3, S-1-5-1, S-1-5-2,
S-1-5-3, S-1-5-4, S-1-5-5, S-1-5-6, S-1-5-7, S-1-5-8, S-1-5-9, S-1-5-10,
S-1-5-11, S-1-5-12, S-1-5-13, S-1-5-14, S-1-5-15,
                         S-1-5-16, S-1-5-17, S-1-5-18, S-1-5-19, S-1-5-20
 Trust direction: Two-way trust
 Trust type: Active Directory domain
 Trust status: Established and verified
Ok, and did you run that with debug enabled in smb.conf.empty? Can you
give us /var/log/httpd/error_log for this run?

In 4.x we fixed the part that mistakenly reports trust is 'established
and verified' when it actually wasn't, but before that we need to see
the debug logs to know the reason.

There are only two (external) reasons:
1. AD DC was unable to resolve IPA DC via DNS query for SRV records for
Kerberos and LDAP.
2. AD DC was unable to reach IPA DC due to misconfigured firewall.


--
/ Alexander Bokovoy
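A pre-flight check for the two external causes listed above, added here as an example and not taken from the thread or from FreeIPA itself: it resolves the SRV names an AD DC would look up for the IPA domain and probes the advertised TCP ports. It assumes `dig` is on the path and that the record set below matches what the IPA side publishes; run it from a host that uses the same DNS the AD DC uses.

```python
import socket
import subprocess

# SRV names an AD DC is expected to query to discover the IPA DC (assumed
# set; the _msdcs entries are what ipa-adtrust-install normally publishes).
SRV_NAMES = (
    "_kerberos._tcp",
    "_kerberos._udp",
    "_ldap._tcp",
    "_kerberos._tcp.dc._msdcs",
    "_ldap._tcp.dc._msdcs",
)

def parse_srv(dig_output):
    """Parse `dig +short SRV` lines ('prio weight port target.')."""
    records = []
    for line in dig_output.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue  # skip blank lines and non-SRV noise
        prio, weight, port, target = parts
        records.append((int(prio), int(weight), int(port), target.rstrip(".")))
    return sorted(records)

def dig_srv(name):
    """Query DNS the way the AD DC would; replaced by a stub in tests."""
    out = subprocess.run(["dig", "+short", "SRV", name],
                         capture_output=True, text=True, timeout=10)
    return out.stdout

def tcp_open(host, port, timeout=3.0):
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False

def check_trust_dns(ipa_domain, resolve=dig_srv, probe=tcp_open):
    """Return {srv_name: [problems]}; an empty list means that name is fine."""
    report = {}
    for prefix in SRV_NAMES:
        name = f"{prefix}.{ipa_domain}"
        records = parse_srv(resolve(name))
        issues = []
        if not records:
            issues.append("no SRV answer (AD DC cannot discover IPA)")
        for _, _, port, target in records:
            # UDP targets are listed but not probed; a TCP connect says nothing about them.
            if "._tcp" in prefix and not probe(target, port):
                issues.append(f"{target}:{port} unreachable (firewall?)")
        report[name] = issues
    return report
```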
