On 03/20/2015 09:59 PM, McEvoy, James wrote:
> Hi FreeIPA Users:
> 
> I can only get my new Fedora 21 freeipa server to set up a trust with 
> Active Directory if I turn off the firewall on the ipa server.   I have 
> looked through all the doc on which ports to open but have had no luck 
> getting the join to work with firewalld running...  Can someone tell me what 
> firewalld is blocking on me?   
> 
>   --jim
> 
> These are my open services:
> 
>       # firewall-cmd --zone=public --list-all
>       public (default)
>       interfaces: 
>       sources: 
>       services: dhcpv6-client dns freeipa-ldap freeipa-ldaps http https kerberos kpasswd ldap ldaps mdns ntp samba ssh
>       ports: 
>       masquerade: no
>       forward-ports: 
>       icmp-blocks:
> 
> [root@ipa ~]#  ipa trust-add ENAS.NET --type=ad --admin=Administrator --password
> Active Directory domain administrator's password: 
> ipa: ERROR: AD DC was unable to reach any IPA domain controller. Most likely 
> it is a DNS or firewall issue
> 
> As soon as I turn off the firewall it works:
> 
> [root@ipa ~]# systemctl stop firewalld
> [root@ipa ~]#  ipa trust-add ENAS.NET --type=ad --admin=Administrator --password
> Active Directory domain administrator's password: 
> -----------------------------------------
> Re-established trust to domain "enas.net"
> -----------------------------------------
>   Realm name: enas.net
>   Domain NetBIOS name: ENAS
>   Domain Security Identifier: S-1-5-21-1497210546-3194758708-3931123408
>   SID blacklist incoming: S-1-5-20, S-1-5-3, S-1-5-2, S-1-5-1, S-1-5-7, S-1-5-6, S-1-5-5, S-1-5-4, S-1-5-9, S-1-5-8,
>                           S-1-5-17, S-1-5-16, S-1-5-15, S-1-5-14, S-1-5-13, S-1-5-12, S-1-5-11, S-1-5-10, S-1-3, S-1-2,
>                           S-1-1, S-1-0, S-1-5-19, S-1-5-18
>   SID blacklist outgoing: S-1-5-20, S-1-5-3, S-1-5-2, S-1-5-1, S-1-5-7, S-1-5-6, S-1-5-5, S-1-5-4, S-1-5-9, S-1-5-8,
>                           S-1-5-17, S-1-5-16, S-1-5-15, S-1-5-14, S-1-5-13, S-1-5-12, S-1-5-11, S-1-5-10, S-1-3, S-1-2,
>                           S-1-1, S-1-0, S-1-5-19, S-1-5-18
>   Trust direction: Two-way trust
>   Trust type: Active Directory domain
>   Trust status: Established and verified
> 
> 
> The only error that I have found is in the samba logs, where lsasd has the 
> following:
> 
> [2015/03/19 18:19:22.792043,  1] ipa_sam.c:1671(search_krb_princ)
>   get_trusted_domain_int: no object found with filter 
> 'krbPrincipalName=krbtgt/enas....@lnx.lab'.
> [2015/03/19 18:19:23.080328,  1] ipa_sam.c:1671(search_krb_princ)
>   get_trusted_domain_int: no object found with filter 
> 'krbPrincipalName=krbtgt/lnx....@enas.net'.
> 
> 
> and winbindd-imap has this in it:
> 
> [2015/03/20 14:21:14.966125,  1] ../source3/winbindd/idmap.c:202(idmap_init_domain)
>   idmap range not specified for domain *
> [2015/03/20 14:21:14.968671,  1] ../source3/winbindd/idmap.c:202(idmap_init_domain)
>   idmap range not specified for domain *
> 
> 
> 

This is the list

You must make sure these network ports are open:
        TCP Ports:
          * 138: netbios-dgm
          * 139: netbios-ssn
          * 445: microsoft-ds
        UDP Ports:
          * 138: netbios-dgm
          * 139: netbios-ssn
          * 389: (C)LDAP
          * 445: microsoft-ds

Additionally you have to make sure the FreeIPA LDAP server is not reachable
by any domain controller in the Active Directory domain by closing down
the following ports for these servers:
        TCP Ports:
          * 389, 636: LDAP/LDAPS


I do not think you have configured all of those. You can find more info on our
wiki:

http://www.freeipa.org/page/Active_Directory_trust_setup#Firewall_configuration

Martin

-- 
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project
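As an added example (not from Martin's mail or the FreeIPA project), a small POSIX shell function that prints the firewall-cmd commands implementing the port list in the reply above: the TCP/UDP ports to open on the IPA server, plus one rich rule per Active Directory domain controller that rejects LDAP/LDAPS (389/636 TCP) from that DC's address. The zone name and DC addresses are placeholders you supply; the commands are printed rather than run so they can be reviewed first.

```shell
#!/bin/sh
# Constructed example: emit firewall-cmd commands for a FreeIPA server that
# needs an AD trust. Nothing is applied; pipe the output to sh once reviewed.

ad_trust_firewall_cmds() {
    zone="$1"; shift   # firewalld zone, e.g. "public"

    # Ports the AD DCs must be able to reach on the IPA server
    # (138/139/445 TCP, 138/139/389/445 UDP, as listed in the reply).
    for p in 138/tcp 139/tcp 445/tcp 138/udp 139/udp 389/udp 445/udp; do
        printf 'firewall-cmd --permanent --zone=%s --add-port=%s\n' "$zone" "$p"
    done

    # Every remaining argument is an AD domain controller address. IPA's own
    # LDAP/LDAPS must not be reachable from the DCs, so reject 389/636 TCP from
    # each of them. firewalld evaluates reject/drop rich rules before the zone's
    # service and port allows, so these override freeipa-ldap/freeipa-ldaps.
    for dc in "$@"; do
        for port in 389 636; do
            rule="rule family=\"ipv4\" source address=\"$dc\" port port=\"$port\" protocol=\"tcp\" reject"
            printf "firewall-cmd --permanent --zone=%s --add-rich-rule='%s'\n" "$zone" "$rule"
        done
    done

    printf 'firewall-cmd --reload\n'
}

# Placeholder zone and DC address; replace with your own.
ad_trust_firewall_cmds "${ZONE:-public}" "${AD_DC:-192.0.2.10}"
```

After applying, `firewall-cmd --zone=public --list-all` should show the seven ports and the rich rules; `--list-all` output like the one quoted above (samba/freeipa-* services only) is what the reply says is incomplete.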