Hi Alexander

I do trust the diagnostics and I thank you so much for that explanation, as I now know a bit better what to expect, or at least what sequence it follows.

This does not seem to be a port issue (below: Windows):
53/tcp    open  domain
80/tcp    open  http
88/tcp    open  kerberos-sec
111/tcp   open  rpcbind
135/tcp   open  msrpc
139/tcp   open  netbios-ssn
389/tcp   open  ldap
445/tcp   open  microsoft-ds
464/tcp   open  kpasswd5
593/tcp   open  http-rpc-epmap
636/tcp   open  ldapssl
3268/tcp  open  globalcatLDAP
3269/tcp  open  globalcatLDAPssl
3389/tcp  open  ms-wbt-server

And after executing the command:
ipa trust-add --type=ad ad_domain.company.com --admin ad_user --password

I get:
s4_tevent: Schedule immediate event "dcerpc_io_trigger": 0x7fbb7c00f170
s4_tevent: Added timed event "dcerpc_timeout_handler": 0x7fbb7c0a1910
s4_tevent: Run immediate event "dcerpc_io_trigger": 0x7fbb7c00f170
s4_tevent: Schedule immediate event "dcerpc_io_trigger": 0x7fbb7c00f170
num_setup=2, max_setup=0, param_total=0, this_param=0, max_param=0, data_total=112, this_data=112, max_data=4280, param_offset=84, param_pad=2, param_disp=0, data_offset=84, data_pad=0, data_disp=0
s4_tevent: Added timed event "tevent_req_timedout": 0x7fbb7c434b10
smb_signing_md5: sequence number 8
smb_signing_sign_pdu: sent SMB signature of
[0000] 4E 30 9B AA AD 9D FA E9                            N0......
s4_tevent: Schedule immediate event "tevent_queue_immediate_trigger": 0x7fbb7c3179d0
s4_tevent: Run immediate event "dcerpc_io_trigger": 0x7fbb7c00f170
s4_tevent: Run immediate event "tevent_queue_immediate_trigger": 0x7fbb7c3179d0
smb_signing_md5: sequence number 9
smb_signing_check_pdu: seq 9: got good SMB signature of
[0000] 34 AA E5 B9 B4 BB AD 3D                            4......=
s4_tevent: Destroying timer event 0x7fbb7c434b10 "tevent_req_timedout"
s4_tevent: Schedule immediate event "tevent_req_trigger": 0x7fbb7c532dd0
s4_tevent: Run immediate event "tevent_req_trigger": 0x7fbb7c532dd0
s4_tevent: Destroying timer event 0x7fbb7c0a1910 "dcerpc_timeout_handler"
s4_tevent: Schedule immediate event "tevent_req_trigger": 0x7fbb7c0a1660
s4_tevent: Run immediate event "tevent_req_trigger": 0x7fbb7c0a1660
     netr_LogonControl2Ex: struct netr_LogonControl2Ex
        out: struct netr_LogonControl2Ex
            query                    : *
query : union netr_CONTROL_QUERY_INFORMATION(case 2)
                info2                    : *
                    info2: struct netr_NETLOGON_INFO_2
                        flags                    : 0x00000080 (128)
                               0: NETLOGON_REPLICATION_NEEDED
                               0: NETLOGON_REPLICATION_IN_PROGRESS
                               0: NETLOGON_FULL_SYNC_REPLICATION
                               0: NETLOGON_REDO_NEEDED
                               0: NETLOGON_HAS_IP
                               0: NETLOGON_HAS_TIMESERV
                               0: NETLOGON_DNS_UPDATE_FAILURE
                               1: NETLOGON_VERIFY_STATUS_RETURNED
                        pdc_connection_status    : WERR_NO_LOGON_SERVERS
                        trusted_dc_name          : *
                            trusted_dc_name          : ''
                        tc_connection_status     : WERR_NO_LOGON_SERVERS
            result                   : WERR_OK
rpc reply data:
[0000] 02 00 00 00 00 00 02 00 80 00 00 00 1F 05 00 00 ........ ........
[0010] 04 00 02 00 1F 05 00 00 01 00 00 00 00 00 00 00 ........ ........
[0020] 01 00 00 00 00 00 00 00   00 00 00 00              ........ ....
s4_tevent: Added timed event "tevent_req_timedout": 0x7fbb7c23ced0
smb_signing_md5: sequence number 10
smb_signing_sign_pdu: sent SMB signature of
[0000] 91 10 6B 3B E8 98 AA B9                            ..k;....
s4_tevent: Schedule immediate event "tevent_queue_immediate_trigger": 0x7fbb7c3179d0
s4_tevent: Destroying timer event 0x7fbb7c23ced0 "tevent_req_timedout"
s4_tevent: Cancel immediate event 0x7fbb7c3179d0 "tevent_queue_immediate_trigger"
[Wed Apr 15 22:17:08.729930 2015] [:error] [pid 4810] ipa: INFO: [jsonserver_session] ad...@ldap.company.com: trust_add(u'ad_domain.company.com', trust_type=u'ad', realm_admin=u'ad_user', realm_passwd=u'********', all=False, raw=False, version=u'2.114'): RemoteRetrieveError

So to me that seems to be Samba related.
If I try to mount any of the remote AD shares on the IPA server manually, it works perfectly well with the above user details (this is without Kerberos, so -k).

The NetBIOS names for AD and IPA are different (so no complaints there), and on the IPA side of the business it has been initialised using: ipa-adtrust-install
-- ipa-adtrust-install --netbios-name=LDAP_BIOS_NAME -a password -U --

Apologies for all this but I am trying to get through the process as far as I can.


On 2015-04-15 06:03, Alexander Bokovoy wrote:
On Tue, 14 Apr 2015, g.fer.or...@unicyber.co.uk wrote:

Dealing with AD --> Cert Trust I am reaching the following step:

ipa trust-add  ad.company.com  --admin <user>  --password
Active Directory domain administrator's password:
ipa: ERROR: AD DC was unable to reach any IPA domain controller. Most likely it is a DNS or firewall issue

Reaching this far I do not know what the issue is. Nevertheless, and before starting to play around with the DNS any further...
The issue is what is reported above: at the request of the IPA DC to validate the
trust, AD DC tried to resolve IPA DC via SRV records and then tried to
contact its Samba instance on its own to complete validation of the
trust. Either step might fail, after which AD DC would report back to
IPA DC that it was unable to reach it.

This diagnostic wasn't added for nothing, you need to trust it. :)

If I run the following, it seems to successfully establish the trust on the IPA side of the business:

# ipa trust-add --type=ad "ad_domain" --trust-secret

So this part seems fine by the look of it.
It works because it does not communicate with AD DCs here, only with
IPA's Samba instance.

I also had to manually add the AD host and the remote CIFS resource, but I am getting this instead:

ipa trust-fetch-domains corp.hootsuitemedia.com
ipa: ERROR: AD domain controller complains about communication sequence. It may mean unsynchronized time on both sides, for example
This doesn't work because AD DC did not complete the trust validation
and cannot trust IPA Kerberos tickets, thus refusing operation.
Unfortunately, error reporting in the SMB protocol is less than perfect, so we are only
able to guess at what has happened.

In any case, running trust-fetch-domains makes no sense until you
complete validation.

And to complete validation you really need to fix the issues with either DNS
or the firewall so that AD DCs are capable of reaching the proper IPA DCs.

And all IPA DCs should be initialized with ipa-adtrust-install
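The two steps Alexander describes (the AD DC resolves the IPA DC through SRV records, then contacts the IPA Samba instance) can be replayed from the AD side as a pre-flight check before re-running trust-add. The script below is an added example and not FreeIPA or Samba project code; the SRV names, the port subset, the host name ipa1.ldap.company.com, the DNS zone and the "firewall" table are all constructed assumptions, and the NETLOGON status parser works on a dump in the same format as the netr_LogonControl2Ex output in the log above.

```python
"""Pre-flight check for the AD -> IPA trust validation path (added example,
not FreeIPA/Samba code). Resolver and port prober are injected so the logic
runs offline against constructed data and can be wired to real DNS/socket
calls in a real deployment."""
import re
import socket
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Tuple

# SRV names an AD DC looks up under the trusted domain's _msdcs subtree.
# Assumption: these are the names an IPA DNS zone publishes after
# ipa-adtrust-install; check them against your own zone.
SRV_NAMES = (
    "_ldap._tcp.dc._msdcs.{domain}",
    "_kerberos._tcp.dc._msdcs.{domain}",
)
# Assumed subset of TCP ports the IPA Samba/KDC side must expose to AD DCs;
# the authoritative list is in the FreeIPA trust documentation.
REQUIRED_TCP_PORTS = (88, 135, 139, 389, 445, 464)

Resolver = Callable[[str], List[Tuple[str, int]]]  # SRV name -> [(target, port)]
Prober = Callable[[str, int], bool]                  # (host, port) -> reachable?


@dataclass
class TrustPathReport:
    srv_records: Dict[str, List[Tuple[str, int]]] = field(default_factory=dict)
    dc_hosts: List[str] = field(default_factory=list)
    unreachable: List[Tuple[str, int]] = field(default_factory=list)

    @property
    def ok(self) -> bool:
        # Every SRV name must resolve and every required port on every DC
        # found must accept a connection; otherwise AD reports that it was
        # unable to reach any IPA domain controller.
        return (bool(self.dc_hosts)
                and all(self.srv_records.values())
                and not self.unreachable)


def check_trust_path(ipa_domain: str, resolve: Resolver, probe: Prober) -> TrustPathReport:
    """Replay the AD DC's discovery steps: SRV lookup, then port reachability."""
    report = TrustPathReport()
    for pattern in SRV_NAMES:
        name = pattern.format(domain=ipa_domain)
        records = resolve(name)
        report.srv_records[name] = records
        for target, _port in records:
            if target not in report.dc_hosts:
                report.dc_hosts.append(target)
    for host in report.dc_hosts:
        for port in REQUIRED_TCP_PORTS:
            if not probe(host, port):
                report.unreachable.append((host, port))
    return report


def tcp_prober(timeout: float = 2.0) -> Prober:
    """Real prober for use on your own DC: a plain TCP connect per port."""
    def probe(host: str, port: int) -> bool:
        try:
            with socket.create_connection((host, port), timeout=timeout):
                return True
        except OSError:
            return False
    return probe


_STATUS_RE = re.compile(r"(pdc_connection_status|tc_connection_status)\s*:\s*(\S+)")


def parse_netlogon_status(dump: str) -> Dict[str, str]:
    """Extract the AD-side verdict fields from a netr_LogonControl2Ex dump."""
    return {key: value for key, value in _STATUS_RE.findall(dump)}


# --- Constructed test data (not captured from a real deployment) ----------
IPA_DOMAIN = "ldap.company.com"          # domain name seen in the log above
DC_HOST = "ipa1.ldap.company.com"         # hypothetical IPA DC
CONSTRUCTED_ZONE = {
    f"_ldap._tcp.dc._msdcs.{IPA_DOMAIN}": [(DC_HOST, 389)],
    f"_kerberos._tcp.dc._msdcs.{IPA_DOMAIN}": [(DC_HOST, 88)],
}
# Firewall scenario: everything except SMB (445) is let through.
CONSTRUCTED_OPEN_PORTS = {DC_HOST: {88, 135, 139, 389, 464}}
# Constructed excerpt in the same layout as the log above.
CONSTRUCTED_DUMP = """
                        pdc_connection_status    : WERR_NO_LOGON_SERVERS
                        tc_connection_status     : WERR_NO_LOGON_SERVERS
"""


def fake_resolver(zone: Dict[str, List[Tuple[str, int]]]) -> Resolver:
    return lambda name: zone.get(name, [])


def fake_prober(open_ports: Dict[str, set]) -> Prober:
    return lambda host, port: port in open_ports.get(host, set())


if __name__ == "__main__":
    report = check_trust_path(IPA_DOMAIN, fake_resolver(CONSTRUCTED_ZONE),
                              fake_prober(CONSTRUCTED_OPEN_PORTS))
    print("ok:", report.ok, "unreachable:", report.unreachable)
    print(parse_netlogon_status(CONSTRUCTED_DUMP))
```

In the constructed scenario the SRV records resolve but port 445 is blocked, so the report is not ok and lists (ipa1.ldap.company.com, 445); that is the kind of half-working state in which the AD DC still answers WERR_NO_LOGON_SERVERS for the trusted domain. To use it for real, run it on the AD-side network with tcp_prober() and a resolver that queries SRV records through the AD DC's own DNS, since that is the resolver whose view matters.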

Manage your subscription for the Freeipa-users mailing list:
Go to http://freeipa.org for more info on the project