Hi,

When I checked the IPA web panel, I am able to see my AD under trusted even though I got an error while adding (ipa trust-add).

Also:

[root@kwtpocpbis01 ~]# ipa trustdomain-find "kwttestdc.com"
  Domain name: kwttestdc.com
  Domain NetBIOS name: KWTTESTDC
  Domain Security Identifier: S-1-5-21-3321666283-4099738591-2270060621
  Domain enabled: True
----------------------------
Number of entries returned 1
----------------------------
[root@kwtpocpbis01 ~]# ipa trust-fetch-domains "kwttestdc.com"
ipa: ERROR: AD domain controller complains about communication sequence. It may mean unsynchronized time on both sides, for example

This is the same story that happened with IPA 3.3 before.

Regards,
Ben

On Wed, Mar 4, 2015 at 9:06 AM, Ben .T.George <bentech4...@gmail.com> wrote:

> Hi,
>
> I have re-installed IPA with the latest 4.1 version.
>
> I installed the packages by using the
> https://copr.fedoraproject.org/coprs/mkosek/freeipa/ repos.
>
> # ipa-server-install went successfully without any error and it says the
> same in the log files.
>
> [root@kwtpocpbis01 ~]# kinit admin
> Password for admin@SOLIPA.LOCAL:
> [root@kwtpocpbis01 ~]# klist
> Ticket cache: KEYRING:persistent:0:0
> Default principal: admin@SOLIPA.LOCAL
>
> Valid starting       Expires              Service principal
> 03/04/2015 08:36:55  03/05/2015 08:36:51  krbtgt/SOLIPA.LOCAL@SOLIPA.LOCAL
> [root@kwtpocpbis01 ~]# geten
> getenforce  getent
> [root@kwtpocpbis01 ~]# getent passwd admin
> admin:*:4400000:4400000:Administrator:/home/admin:/bin/bash
>
> # ipa-adtrust-install --netbios-name=SOLIPA -a Passw0rd also
> went successfully.
>
> DNS is working fine as expected.
>
> [root@kwtpocpbis01 ~]# dig SRV _ldap._tcp.kwttestdc.com
>
> ; <<>> DiG 9.9.4-RedHat-9.9.4-20.el7.centos.pkcs11 <<>> SRV _ldap._tcp.kwttestdc.com
> ;; global options: +cmd
> ;; Got answer:
> ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 26944
> ;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 2
>
> ;; OPT PSEUDOSECTION:
> ; EDNS: version: 0, flags:; udp: 4000
> ;; QUESTION SECTION:
> ;_ldap._tcp.kwttestdc.com. IN SRV
>
> ;; ANSWER SECTION:
> _ldap._tcp.kwttestdc.com. 600 IN SRV 0 100 389 kwttestdc001.kwttestdc.com.
>
> ;; ADDITIONAL SECTION:
> kwttestdc001.kwttestdc.com. 3600 IN A 172.16.104.231
>
> ;; Query time: 0 msec
> ;; SERVER: 172.16.104.231#53(172.16.104.231)
> ;; WHEN: Wed Mar 04 08:41:26 AST 2015
> ;; MSG SIZE rcvd: 115
>
> [root@kwtpocpbis01 ~]# dig SRV _ldap._tcp.solipa.local
>
> ; <<>> DiG 9.9.4-RedHat-9.9.4-20.el7.centos.pkcs11 <<>> SRV _ldap._tcp.solipa.local
> ;; global options: +cmd
> ;; Got answer:
> ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 6196
> ;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 2
>
> ;; OPT PSEUDOSECTION:
> ; EDNS: version: 0, flags:; udp: 4000
> ;; QUESTION SECTION:
> ;_ldap._tcp.solipa.local. IN SRV
>
> ;; ANSWER SECTION:
> _ldap._tcp.solipa.local. 11944 IN SRV 0 100 389 kwtpocpbis01.solipa.local.
>
> ;; ADDITIONAL SECTION:
> kwtpocpbis01.solipa.local. 1200 IN A 172.16.107.244
>
> ;; Query time: 2 msec
> ;; SERVER: 172.16.104.231#53(172.16.104.231)
> ;; WHEN: Wed Mar 04 08:41:34 AST 2015
> ;; MSG SIZE rcvd: 113
>
> But when I try to trust-add AD, I am getting an error:
>
> [root@kwtpocpbis01 ~]# ipa trust-add --type=ad kwttestdc.com --admin adm-ben.george --password
> Active Directory domain administrator's password:
> ipa: ERROR: AD DC was unable to reach any IPA domain controller. Most
> likely it is a DNS or firewall issue
>
> I checked the firewall status on both IPA and AD, and it was in the off
> state.
>
> Below is the error I got in httpd/error_log while trying the AD trust:
>
> [Wed Mar 04 08:50:30.784320 2015] [:error] [pid 6138] ipa: INFO: [jsonserver_session] admin@SOLIPA.LOCAL: trust_add(u'kwttestdc.com', trust_type=u'ad', realm_admin=u'adm-ben.george', realm_passwd=u'********', all=False, raw=False, version=u'2.113'): RemoteRetrieveError
>
> And I have enabled debugging on SM; here I am attaching the logs from samba.
>
> The logs can also be downloaded from here:
> https://app.box.com/s/6bx9cgozjyb8h96wx7j6ovvz9w8cp4yl
>
> How can I fix this issue?
>
> Thanks & Regards,
> Ben

--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project