On 3/18/15, 9:48 AM, "Alexander Bokovoy" <aboko...@redhat.com> wrote:

>On Wed, 18 Mar 2015, Gould, Joshua wrote:
>>On 3/18/15, 4:28 AM, "Alexander Bokovoy" <aboko...@redhat.com> wrote:
>>>On Wed, 18 Mar 2015, Gould, Joshua wrote:
>>>>I'll be happy to remove the AD section from the sssd.conf file and test
>>>>but I think there's more going on. The AD section was generated from
>>>>IPA client install. I never manually added anything other than “pac” to
>>>>the services line under the [sssd] section and the two ldap_idmap_range
>>>Show your /var/log/ipaclient-install.log. ipa-client-install has no
>>>support to generate sections for AD at all.
>>I think then it would have to be the “ipa trust-add” command which
>>generates those sections then? The command that I used was:
>No, it is not. We don't have *any* code that could have generated that
>section in FreeIPA.

Since we’re still in the test phase, I can fairly easily set things up
again. It will help me to improve my own documentation for how things are
set up in test and how I can set things up in production. When I do that, I
can look at the sssd.conf after each step and see where it gets modified
and let you know. Like I said, I never created the domain section, but I
did add the debugging statement, the range options and the option for pac.

>># ipa trust-add --type=ad TEST.OSUWMC --admin=farus --password
>>Active Directory domain administrator's password:
>>ipa: ERROR: AD DC was unable to reach any IPA domain controller. Most
>>likely it is a DNS or firewall issue
>>The trust was created even with that error message and seems to work.
>Do you get something like
>$ kdestroy -A
>$ kinit admin
>$ kvno -S cifs <hostname of AD DC>
>$ klist -ef

All of those work even with the error when initially creating the trust.
We basically treated the error as cosmetic since everything else seems to

[goul09@mid-ipa-vp01 ~]$ kdestroy
kdestroy: No credentials cache found while destroying cache
[goul09@mid-ipa-vp01 ~]$ kinit admin
Password for ad...@unix.test.OSUWMC:
[goul09@mid-ipa-vp01 ~]$ kvno -S cifs svr-addc-vt01.test.osuwmc
cifs/svr-addc-vt01.test.osuwmc@TEST.OSUWMC: kvno = 16
[goul09@mid-ipa-vp01 ~]$ klist -ef
Ticket cache: FILE:/tmp/krb5cc_998
Default principal: ad...@unix.test.OSUWMC

Valid starting       Expires              Service principal
03/18/2015 10:15:28  03/19/2015 10:15:25
        Flags: FIA, Etype (skey, tkt): aes256-cts-hmac-sha1-96,
03/18/2015 10:16:08  03/19/2015 10:15:25
        Flags: FAT, Etype (skey, tkt): aes256-cts-hmac-sha1-96,
03/18/2015 10:15:46  03/18/2015 20:15:46
        Flags: FA, Etype (skey, tkt): aes256-cts-hmac-sha1-96,
[goul09@mid-ipa-vp01 ~]$
