On Wed, 04 Mar 2015, Ben .T.George wrote:
Hi

I have re-installed IPA with the latest 4.1 version.

Installed packages by using the
https://copr.fedoraproject.org/coprs/mkosek/freeipa/ repos.

# ipa-server-install went successfully without any error and it says the
same in the log files.

[root@kwtpocpbis01 ~]# kinit admin
Password for admin@SOLIPA.LOCAL:
[root@kwtpocpbis01 ~]# klist
Ticket cache: KEYRING:persistent:0:0
Default principal: admin@SOLIPA.LOCAL

Valid starting       Expires              Service principal
03/04/2015 08:36:55  03/05/2015 08:36:51  krbtgt/SOLIPA.LOCAL@SOLIPA.LOCAL
[root@kwtpocpbis01 ~]# geten
getenforce  getent
[root@kwtpocpbis01 ~]# getent passwd admin
admin:*:4400000:4400000:Administrator:/home/admin:/bin/bash


# ipa-adtrust-install --netbios-name=SOLIPA -a Passw0rd also went
successfully.

DNS is working fine as expected.

[root@kwtpocpbis01 ~]# dig SRV _ldap._tcp.kwttestdc.com

; <<>> DiG 9.9.4-RedHat-9.9.4-20.el7.centos.pkcs11 <<>> SRV _ldap._tcp.kwttestdc.com
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 26944
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 2

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4000
;; QUESTION SECTION:
;_ldap._tcp.kwttestdc.com.      IN      SRV

;; ANSWER SECTION:
_ldap._tcp.kwttestdc.com. 600   IN      SRV     0 100 389 kwttestdc001.kwttestdc.com.

;; ADDITIONAL SECTION:
kwttestdc001.kwttestdc.com. 3600 IN     A       172.16.104.231

;; Query time: 0 msec
;; SERVER: 172.16.104.231#53(172.16.104.231)
;; WHEN: Wed Mar 04 08:41:26 AST 2015
;; MSG SIZE  rcvd: 115

[root@kwtpocpbis01 ~]# dig SRV _ldap._tcp.solipa.local

; <<>> DiG 9.9.4-RedHat-9.9.4-20.el7.centos.pkcs11 <<>> SRV _ldap._tcp.solipa.local
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 6196
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 2

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4000
;; QUESTION SECTION:
;_ldap._tcp.solipa.local.       IN      SRV

;; ANSWER SECTION:
_ldap._tcp.solipa.local. 11944  IN      SRV     0 100 389 kwtpocpbis01.solipa.local.

;; ADDITIONAL SECTION:
kwtpocpbis01.solipa.local. 1200 IN      A       172.16.107.244

;; Query time: 2 msec
;; SERVER: 172.16.104.231#53(172.16.104.231)
;; WHEN: Wed Mar 04 08:41:34 AST 2015
;; MSG SIZE  rcvd: 113

But when I try to trust-add AD, I am getting an error:

[root@kwtpocpbis01 ~]# ipa trust-add --type=ad kwttestdc.com --admin
adm-ben.george --password
Active Directory domain administrator's password:
ipa: ERROR: AD DC was unable to reach any IPA domain controller. Most
likely it is a DNS or firewall issue

I checked the firewall status on both IPA and AD, and it was in the off state.

You really need to find out what is wrong between AD and IPA. The
message above is based on what AD DC reports back to IPA when it tried
to validate the trust and was not able to contact IPA DCs.

We ourselves cannot influence this part, as AD DC uses SRV records in
DNS to find out which domain controller to contact, and if it fails to
contact us for any reason (firewall, DNS is broken from AD DC's
perspective, routing brings it to a different IP address, etc.), it will
complain like that and never proceed.

You may try to run tcpdump or wireshark and see what happens on the
network at the time of 'ipa trust-add', specifically, whom AD DC is
talking to and where it gets its DNS records from.

--
/ Alexander Bokovoy
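As an added example (not part of this thread and not FreeIPA's own tooling), a small POSIX shell script that checks, from the AD DC's point of view, what the SRV lookups Alexander describes return and whether each target accepts TCP connections. It assumes dig, awk and nc are installed; the IPA domain and the DNS server default to the values quoted above, and the dc._msdcs names are the ones ipa-adtrust-install publishes.

```shell
#!/bin/sh
# Added diagnostic, not from the thread: resolve the SRV records an AD DC
# uses to locate IPA domain controllers and test TCP reachability of each
# target. Defaults are the IPA domain and the AD DC's DNS server quoted above;
# querying the AD side's DNS shows what the AD DC itself will resolve.
IPA_DOMAIN="${IPA_DOMAIN:-solipa.local}"
DNS_SERVER="${DNS_SERVER:-172.16.104.231}"

# parse_srv: read "prio weight port target." lines (dig +short SRV output)
# on stdin and print "target port", trailing dot removed; other lines dropped.
parse_srv() {
  awk 'NF == 4 && $3 ~ /^[0-9]+$/ { sub(/\.$/, "", $4); print $4, $3 }'
}

# srv_records DOMAIN: the SRV names an AD DC looks up for a trusted domain;
# the dc._msdcs entries are the ones ipa-adtrust-install publishes.
srv_records() {
  for n in _ldap._tcp _kerberos._tcp _ldap._tcp.dc._msdcs _kerberos._tcp.dc._msdcs; do
    echo "$n.$1"
  done
}

# tcp_open HOST PORT: 0 if a TCP connect succeeds within 3 s (assumes nc).
tcp_open() { nc -z -w 3 "$1" "$2" >/dev/null 2>&1; }

# check_domain DOMAIN: query each SRV name via DNS_SERVER, report missing
# records and unreachable targets; non-zero exit if anything failed.
check_domain() {
  domain=$1; failed=0
  for name in $(srv_records "$domain"); do
    set -- $(dig +short @"$DNS_SERVER" SRV "$name" | parse_srv)
    if [ $# -eq 0 ]; then
      echo "MISSING  $name: no SRV answer from $DNS_SERVER"; failed=1; continue
    fi
    while [ $# -ge 2 ]; do
      if tcp_open "$1" "$2"; then echo "OK       $name -> $1:$2"
      else echo "BLOCKED  $name -> $1:$2 (resolves, but TCP connect failed)"; failed=1; fi
      shift 2
    done
  done
  return $failed
}

# Live checks only when asked, so the file can also be sourced for its helpers.
if [ "${1:-}" = "--run" ]; then
  check_domain "$IPA_DOMAIN"
fi
```

Save it to a file and run it with `--run` from a host on the AD DC's network; running it a second time with DNS_SERVER pointed at the IPA server shows whether the two sides resolve the same targets.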
