Hey all, I’m having a problem with integrating a FreeIPA4 infrastructure to an
AD environment.
AD Domain is fioptics.int
FreeIPA infrastructure is preprod.fioptics.int
The AD Controller in this environment is at 10.32.145.134
The FreeIPA 4 server is at 10.32.146.40
I’m attaching the procedure that I’m using below for review. Everything works
perfectly, even the DNS testing, up until I run the command to initiate the
trust. Then it ALWAYS comes back with unable to find server. The DNS tests
I’ve done from AD and from IPA are also listed below.
This procedure works flawlessly in the virtual test environment every time.
There are NO firewalls between the IPA box and the AD box. Software firewalls
on both boxes are down. SELinux is disabled. The only differences are 1. They
are on different subnets, but I don’t see how that should matter, and 2. There
is a load balancer between them, but again DNS resolves and an nmap shows all
the necessary ports are available.
If anyone has any advice it would be greatly appreciated. I have to get this
working asap for the deployment of the project.
Thanks in advance.
—————————
DNS Results
—————————
Active Directory —
Server: ppad01.fioptics.int
Address: 10.32.145.134
_ldap._tcp.fioptics.int SRV service location:
priority = 0
weight = 100
port = 389
svr hostname = mtad01.fioptics.int
_ldap._tcp.fioptics.int SRV service location:
priority = 0
weight = 100
port = 389
svr hostname = ppad01.fioptics.int
_ldap._tcp.fioptics.int SRV service location:
priority = 0
weight = 100
port = 389
svr hostname = p1ad01.fioptics.int
_ldap._tcp.fioptics.int SRV service location:
priority = 0
weight = 100
port = 389
svr hostname = mtad02.fioptics.int
_ldap._tcp.fioptics.int SRV service location:
priority = 0
weight = 100
port = 389
svr hostname = stad01.fioptics.int
mtad01.fioptics.int internet address = 10.32.162.182
ppad01.fioptics.int internet address = 10.32.145.134
p1ad01.fioptics.int internet address = 10.32.129.134
mtad02.fioptics.int internet address = 10.32.130.182
stad01.fioptics.int internet address = 10.32.161.134
> _ldap._tcp.preprod.fioptics.int
Server: ppad01.fioptics.int
Address: 10.32.145.134
Non-authoritative answer:
_ldap._tcp.preprod.fioptics.int SRV service location:
priority = 0
weight = 100
port = 389
svr hostname = ppip01.preprod.fioptics.int
_ldap._tcp.preprod.fioptics.int SRV service location:
priority = 0
weight = 100
port = 389
svr hostname = ppip02.preprod.fioptics.int
ppip01.preprod.fioptics.int internet address = 10.32.146.40
ppip01.preprod.fioptics.int internet address = 10.32.146.40
>
————
FreeIPA
————
[root@ppip01 ~]# dig srv _ldap._tcp.fioptics.int
; <<>> DiG 9.9.4-RedHat-9.9.4-20.el7.centos.pkcs11 <<>> srv _ldap._tcp.fioptics.int
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 26858
;; flags: qr rd ra; QUERY: 1, ANSWER: 5, AUTHORITY: 13, ADDITIONAL: 6
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;_ldap._tcp.fioptics.int. IN SRV
;; ANSWER SECTION:
_ldap._tcp.fioptics.int. 600 IN SRV 0 100 389 p1ad01.fioptics.int.
_ldap._tcp.fioptics.int. 600 IN SRV 0 100 389 stad01.fioptics.int.
_ldap._tcp.fioptics.int. 600 IN SRV 0 100 389 ppad01.fioptics.int.
_ldap._tcp.fioptics.int. 600 IN SRV 0 100 389 mtad02.fioptics.int.
_ldap._tcp.fioptics.int. 600 IN SRV 0 100 389 mtad01.fioptics.int.
;; AUTHORITY SECTION:
. 11558 IN NS g.root-servers.net.
. 11558 IN NS e.root-servers.net.
. 11558 IN NS i.root-servers.net.
. 11558 IN NS f.root-servers.net.
. 11558 IN NS a.root-servers.net.
. 11558 IN NS c.root-servers.net.
. 11558 IN NS j.root-servers.net.
. 11558 IN NS k.root-servers.net.
. 11558 IN NS h.root-servers.net.
. 11558 IN NS l.root-servers.net.
. 11558 IN NS d.root-servers.net.
. 11558 IN NS b.root-servers.net.
. 11558 IN NS m.root-servers.net.
;; ADDITIONAL SECTION:
ppad01.fioptics.int. 3057 IN A 10.32.145.134
p1ad01.fioptics.int. 3600 IN A 10.32.129.134
mtad02.fioptics.int. 3600 IN A 10.32.130.182
stad01.fioptics.int. 3600 IN A 10.32.161.134
mtad01.fioptics.int. 3600 IN A 10.32.162.182
;; Query time: 1 msec
;; SERVER: 10.32.146.40#53(10.32.146.40)
;; WHEN: Tue Apr 07 09:56:29 EDT 2015
;; MSG SIZE rcvd: 538
[root@ppip01 ~]# dig srv _ldap._tcp.preprod.fioptics.int
; <<>> DiG 9.9.4-RedHat-9.9.4-20.el7.centos.pkcs11 <<>> srv _ldap._tcp.preprod.fioptics.int
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 28466
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 2, ADDITIONAL: 3
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;_ldap._tcp.preprod.fioptics.int. IN SRV
;; ANSWER SECTION:
_ldap._tcp.preprod.fioptics.int. 86400 IN SRV 0 100 389 ppip02.preprod.fioptics.int.
_ldap._tcp.preprod.fioptics.int. 86400 IN SRV 0 100 389 ppip01.preprod.fioptics.int.
;; AUTHORITY SECTION:
preprod.fioptics.int. 86400 IN NS ppip02.preprod.fioptics.int.
preprod.fioptics.int. 86400 IN NS ppip01.preprod.fioptics.int.
;; ADDITIONAL SECTION:
ppip01.preprod.fioptics.int. 1200 IN A 10.32.146.40
ppip02.preprod.fioptics.int. 1200 IN A 10.32.146.41
;; Query time: 0 msec
;; SERVER: 10.32.146.40#53(10.32.146.40)
;; WHEN: Tue Apr 07 09:56:44 EDT 2015
;; MSG SIZE rcvd: 214
[root@ppip01 ~]#
————————————————————
Error Message
————————————————————
[root@ppip01 ~]# ipa trust-add --type=ad fioptics.int --server=ppad01.fioptics.int --admin serviceipa --password
Active Directory domain administrator's password:
ipa: ERROR: Cannot find specified domain or server name
[root@ppip01 ~]#
* Note - I have tried this with the Administrator account and that didn’t work
either.
Regards,
------------------------------------------
Aric Wilisch
--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project
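An added example, not code from the post above or from the FreeIPA project: a small checker that parses the ANSWER and ADDITIONAL sections of `dig srv` output (the format in the post) and reports the three things a trust setup can silently trip over, a required SRV name that returns nothing, an SRV target listed twice, and an SRV target with no A record. The list of names it checks by default is the standard AD DC-locator set (`_ldap._tcp`, `_kerberos._tcp`, `_kerberos._udp` and the `dc._msdcs` variants); that set is this example's assumption, since the post only tested `_ldap._tcp`. Both sample inputs are constructed from the post's records, with mail wrapping removed; the second mirrors the AD-side lookup of the IPA zone, which printed ppip01's address twice and no address for ppip02.

```python
"""Sanity-check dig SRV output before attempting an AD trust.

Added example, not code from the mailing-list post or from FreeIPA. It parses
the ANSWER and ADDITIONAL sections of `dig srv` output and reports:
  * required SRV names that returned no answer at all,
  * SRV targets that appear twice under one name,
  * SRV targets with no A record in the additional section.
The sample answers below are constructed from the post's output (one line per
record; mail wrapping removed).
"""
import re
from collections import defaultdict

# "<name>. <ttl> IN SRV <prio> <weight> <port> <target>."
SRV_RE = re.compile(r'^(\S+)\.\s+\d+\s+IN\s+SRV\s+(\d+)\s+(\d+)\s+(\d+)\s+(\S+)\.$')
# "<name>. <ttl> IN A <ipv4>"
A_RE = re.compile(r'^(\S+)\.\s+\d+\s+IN\s+A\s+(\d{1,3}(?:\.\d{1,3}){3})$')


def parse_dig(text):
    """Return (srv, addr): srv maps a query name to [(prio, weight, port, target)],
    addr maps a host name to its IPv4 addresses. Comment lines (';') are skipped."""
    srv, addr = defaultdict(list), defaultdict(list)
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(';'):
            continue
        m = SRV_RE.match(line)
        if m:
            name, prio, weight, port, target = m.groups()
            srv[name.lower()].append((int(prio), int(weight), int(port), target.lower()))
            continue
        m = A_RE.match(line)
        if m:
            addr[m.group(1).lower()].append(m.group(2))
    return srv, addr


def dc_locator_records(domain):
    """Standard AD DC-locator SRV names for a domain (assumption of this example:
    these are the names a Kerberos/LDAP client resolves; the post only tested _ldap._tcp)."""
    d = domain.rstrip('.').lower()
    return [f'_ldap._tcp.{d}', f'_kerberos._tcp.{d}', f'_kerberos._udp.{d}',
            f'_ldap._tcp.dc._msdcs.{d}', f'_kerberos._tcp.dc._msdcs.{d}']


def check_trust_dns(domain, dig_output, required=None):
    """Return a list of human-readable findings; an empty list means the output
    contains every required SRV name and every SRV target has an address."""
    srv, addr = parse_dig(dig_output)
    findings = []
    for name in (required or dc_locator_records(domain)):
        if name.lower() not in srv:
            findings.append(f'missing SRV: {name}')
    for name, records in srv.items():
        seen = set()
        for _, _, port, target in records:
            if target in seen:
                findings.append(f'duplicate target {target} under {name}')
            seen.add(target)
            if target not in addr:
                findings.append(f'no A record for SRV target {target} ({name}, port {port})')
    return findings


# Constructed sample: two of the AD-side records from the post, as dig prints them.
AD_SAMPLE = """\
;; ANSWER SECTION:
_ldap._tcp.fioptics.int. 600 IN SRV 0 100 389 p1ad01.fioptics.int.
_ldap._tcp.fioptics.int. 600 IN SRV 0 100 389 ppad01.fioptics.int.
;; ADDITIONAL SECTION:
ppad01.fioptics.int. 3057 IN A 10.32.145.134
p1ad01.fioptics.int. 3600 IN A 10.32.129.134
"""

# Constructed sample mirroring the AD-side lookup of the IPA zone in the post,
# where ppip01's address is printed twice and ppip02 gets no address line.
IPA_SAMPLE = """\
;; ANSWER SECTION:
_ldap._tcp.preprod.fioptics.int. 86400 IN SRV 0 100 389 ppip02.preprod.fioptics.int.
_ldap._tcp.preprod.fioptics.int. 86400 IN SRV 0 100 389 ppip01.preprod.fioptics.int.
;; ADDITIONAL SECTION:
ppip01.preprod.fioptics.int. 1200 IN A 10.32.146.40
ppip01.preprod.fioptics.int. 1200 IN A 10.32.146.40
"""

if __name__ == '__main__':
    for dom, sample in (('fioptics.int', AD_SAMPLE), ('preprod.fioptics.int', IPA_SAMPLE)):
        print(f'== {dom}')
        for finding in check_trust_dns(dom, sample) or ['ok']:
            print('  ', finding)
```

Feed it the output of `dig srv <name>` for each name it lists (one run per name, or the concatenated outputs) and compare the findings from the IPA server against the same queries run against the AD controller; a name that resolves on one side but not the other is the usual reason a trust tool reports that it cannot find the domain or server even though `_ldap._tcp` looks healthy.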