On Tue, 14 Apr 2015, g.fer.or...@unicyber.co.uk wrote:

> Dealing with AD --> Cert Trust I am reaching the following step:
>
> ipa trust-add  ad.company.com  --admin <user>  --password
> Active Directory domain administrator's password:
> ipa: ERROR: AD DC was unable to reach any IPA domain controller. Most likely it is a DNS or firewall issue
>
> Reaching this far I do not know what the issue is. Nevertheless, and before I start playing around with the DNS any further...
The issue is what is reported above -- at the request of the IPA DC to validate the
trust, the AD DC tried to resolve the IPA DC via SRV records and then tried to
contact its Samba instance on its own to complete validation of the
trust. Either step might fail, after which the AD DC would report back to
the IPA DC that it was unable to reach it.

This diagnostic wasn't added for nothing, you need to trust it. :)

> If I run the following, it seems to successfully establish the trust on the IPA side of the business:
>
> # ipa trust-add --type=ad "ad_domain" --trust-secret
>
> So this part seems fine by the look of it..
It works because it does not communicate with AD DCs here, only with
IPA's Samba instance.

> I also had to manually add the AD host and the remote CIFS resource but I am getting instead:
>
> ipa trust-fetch-domains corp.hootsuitemedia.com
> ipa: ERROR: AD domain controller complains about communication sequence. It may mean unsynchronized time on both sides, for example
This doesn't work because the AD DC did not complete the trust validation
and cannot trust IPA Kerberos tickets, thus refusing the operation.
Unfortunately, error reporting in the SMB protocol is less than perfect, so we
are only able to guess at what has happened.

In any case, running trust-fetch-domains makes no sense until you
complete validation.

And to complete validation you really need to fix the issues with either DNS
or the firewall so that the AD DCs are able to reach the proper IPA DCs.

And all IPA DCs should be initialized with ipa-adtrust-install.

/ Alexander Bokovoy

Manage your subscription for the Freeipa-users mailing list:
Go to http://freeipa.org for more info on the project
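The reply above says the fix is on the DNS/firewall side: the AD DC must be able to resolve the IPA DC via SRV records and then reach it. The following pre-flight script, an added example that is not part of the thread and not FreeIPA project code, is meant to be run from a host on the AD side of the firewall before retrying `ipa trust-add`. It assumes the IPA domain is passed as the first argument (`ipa.example.test` is a placeholder), that `dig` and `nc` are installed, and that the SRV names and ports it checks (LDAP, Kerberos and SMB, a subset of what ipa-adtrust-install publishes and the trust needs; the FreeIPA documentation has the authoritative list) are the relevant ones.

```shell
#!/bin/sh
# Added example (not from the thread, not FreeIPA code): pre-flight check of what
# an AD DC must resolve and reach before trust validation can succeed.
# Assumptions: $1 is the IPA domain (placeholder ipa.example.test); dig and nc
# are installed; the SRV names and ports below are an assumed subset of what
# ipa-adtrust-install publishes and the trust requires.

# SRV records an AD DC may look up to locate an IPA DC for the given domain.
srv_names() {
    d="$1"
    printf '%s\n' \
        "_ldap._tcp.$d" \
        "_kerberos._tcp.$d" \
        "_ldap._tcp.dc._msdcs.$d" \
        "_kerberos._tcp.dc._msdcs.$d"
}

# Turn `dig +short SRV` answer lines ("prio weight port target.") into
# "target port"; anything else (comments, errors, empty answers) is dropped.
parse_srv() {
    awk 'NF == 4 && $1 ~ /^[0-9]+$/ && $3 ~ /^[0-9]+$/ {
             sub(/\.$/, "", $4); print $4, $3 }'
}

# TCP ports the AD DC contacts on the IPA DC during validation (Kerberos, LDAP,
# SMB). Assumed minimal set; DCE RPC and other ports also matter in practice.
needed_ports() { printf '%s\n' 88 389 445; }

# Return 0 if a TCP connect to host:port succeeds within 3 seconds.
port_open() { nc -z -w 3 "$1" "$2" >/dev/null 2>&1; }

# Resolve one SRV name and probe every returned target on the SRV port plus
# the trust ports. Prints one OK/FAIL line per finding.
check_srv() {
    name="$1"
    answers=$(dig +short SRV "$name" | parse_srv)
    if [ -z "$answers" ]; then
        echo "FAIL $name: no SRV answer (DNS delegation or forwarding missing?)"
        return 0
    fi
    echo "$answers" | while read -r host port; do
        echo "OK   $name -> $host:$port"
        for p in $(printf '%s\n' "$port" $(needed_ports) | sort -un); do
            if port_open "$host" "$p"; then
                echo "OK   $host:$p reachable"
            else
                echo "FAIL $host:$p unreachable (firewall?)"
            fi
        done
    done
}

main() {
    domain="$1"
    report=$(for n in $(srv_names "$domain"); do check_srv "$n"; done)
    echo "$report"
    fails=$(echo "$report" | grep -c '^FAIL' || true)
    echo "$fails failure(s); fix DNS/firewall before rerunning ipa trust-add"
    [ "$fails" -eq 0 ]
}

# Usage: sh ipa-trust-preflight.sh ipa.example.test
if [ "$#" -eq 1 ]; then main "$1"; fi
```

A clean run (every line `OK`, zero failures) means the AD DC can at least find and connect to an IPA DC, which is the precondition the error message in the thread complains about; any `FAIL` line points at the specific record or port to fix before trust validation is retried.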
