Hi Alexander
I do trust the diagnostics and I thank you so much for that explanation
as I know now now a bit better what to expect or for the less what is
the sequence it follows.
This does not seem to be a port issue (below windows):
PORT STATE SERVICE
53/tcp open domain
80/tcp open http
88/tcp open kerberos-sec
111/tcp open rpcbind
135/tcp open msrpc
139/tcp open netbios-ssn
389/tcp open ldap
445/tcp open microsoft-ds
464/tcp open kpasswd5
593/tcp open http-rpc-epmap
636/tcp open ldapssl
3268/tcp open globalcatLDAP
3269/tcp open globalcatLDAPssl
3389/tcp open ms-wbt-server
And after executing the command:
ipa trust-add --type=ad ad_domain.company.com --admin ad_user --password
I get :
===========
s4_tevent: Schedule immediate event "dcerpc_io_trigger": 0x7fbb7c00f170
s4_tevent: Added timed event "dcerpc_timeout_handler": 0x7fbb7c0a1910
s4_tevent: Run immediate event "dcerpc_io_trigger": 0x7fbb7c00f170
s4_tevent: Schedule immediate event "dcerpc_io_trigger": 0x7fbb7c00f170
num_setup=2, max_setup=0, param_total=0, this_param=0, max_param=0,
data_total=112, this_data=112, max_data=4280, param_offset=84,
param_pad=2, param_disp=0, data_offset=84, data_pad=0, data_disp=0
s4_tevent: Added timed event "tevent_req_timedout": 0x7fbb7c434b10
smb_signing_md5: sequence number 8
smb_signing_sign_pdu: sent SMB signature of
[0000] 4E 30 9B AA AD 9D FA E9 N0......
s4_tevent: Schedule immediate event "tevent_queue_immediate_trigger":
0x7fbb7c3179d0
s4_tevent: Run immediate event "dcerpc_io_trigger": 0x7fbb7c00f170
s4_tevent: Run immediate event "tevent_queue_immediate_trigger":
0x7fbb7c3179d0
smb_signing_md5: sequence number 9
smb_signing_check_pdu: seq 9: got good SMB signature of
[0000] 34 AA E5 B9 B4 BB AD 3D 4......=
s4_tevent: Destroying timer event 0x7fbb7c434b10 "tevent_req_timedout"
s4_tevent: Schedule immediate event "tevent_req_trigger": 0x7fbb7c532dd0
s4_tevent: Run immediate event "tevent_req_trigger": 0x7fbb7c532dd0
s4_tevent: Destroying timer event 0x7fbb7c0a1910
"dcerpc_timeout_handler"
s4_tevent: Schedule immediate event "tevent_req_trigger": 0x7fbb7c0a1660
s4_tevent: Run immediate event "tevent_req_trigger": 0x7fbb7c0a1660
netr_LogonControl2Ex: struct netr_LogonControl2Ex
out: struct netr_LogonControl2Ex
query : *
query : union
netr_CONTROL_QUERY_INFORMATION(case 2)
info2 : *
info2: struct netr_NETLOGON_INFO_2
flags : 0x00000080 (128)
0: NETLOGON_REPLICATION_NEEDED
0: NETLOGON_REPLICATION_IN_PROGRESS
0: NETLOGON_FULL_SYNC_REPLICATION
0: NETLOGON_REDO_NEEDED
0: NETLOGON_HAS_IP
0: NETLOGON_HAS_TIMESERV
0: NETLOGON_DNS_UPDATE_FAILURE
1: NETLOGON_VERIFY_STATUS_RETURNED
pdc_connection_status : WERR_NO_LOGON_SERVERS
trusted_dc_name : *
trusted_dc_name : ''
tc_connection_status : WERR_NO_LOGON_SERVERS
result : WERR_OK
rpc reply data:
[0000] 02 00 00 00 00 00 02 00 80 00 00 00 1F 05 00 00 ........
........
[0010] 04 00 02 00 1F 05 00 00 01 00 00 00 00 00 00 00 ........
........
[0020] 01 00 00 00 00 00 00 00 00 00 00 00 ........ ....
s4_tevent: Added timed event "tevent_req_timedout": 0x7fbb7c23ced0
smb_signing_md5: sequence number 10
smb_signing_sign_pdu: sent SMB signature of
[0000] 91 10 6B 3B E8 98 AA B9 ..k;....
s4_tevent: Schedule immediate event "tevent_queue_immediate_trigger":
0x7fbb7c3179d0
s4_tevent: Destroying timer event 0x7fbb7c23ced0 "tevent_req_timedout"
s4_tevent: Cancel immediate event 0x7fbb7c3179d0
"tevent_queue_immediate_trigger"
[Wed Apr 15 22:17:08.729930 2015] [:error] [pid 4810] ipa: INFO:
[jsonserver_session] ad...@ldap.company.com:
trust_add(u'ad_domain.company.com', trust_type=u'ad',
realm_admin=u'ad_user', realm_passwd=u'********', all=False, raw=False,
version=u'2.114'): RemoteRetrieveError
============
So to me that seems to be samba related.
If try to mount any of the remote AD shares into the IPA server manually
, it does perfectly well with the above user details.(this is without
kerberos so -k)
The netbios for AD and IPA are different (so no complaints there) and It
by the IPA side of the business it has been initialised using :
ipa-adtrust-install
-- ipa-adtrust-install --netbios-name=LDAP_BIOS_NAME -a password -U --
Apologies for all this but I am trying to get through the process as far
as I can.
Thanks
On 2015-04-15 06:03, Alexander Bokovoy wrote:
On Tue, 14 Apr 2015, g.fer.or...@unicyber.co.uk wrote:
Hi
Dealing with AD --> Cert Trust I am reaching the following step:
ipa trust-add ad.company.com --admin <user> --password
Active Directory domain administrator's password:
ipa: ERROR: AD DC was unable to reach any IPA domain controller. Most
likely it is a DNS or firewall issue
Reaching this far I do not know what the issue is .. Nevertheless and
before start playing around with the DNS further more....
The issue is what reported above -- at request of IPA DC to validate
the
trust, AD DC tried to resolve IPA DC via SRV records and then tried to
contact its Samba instance on its own to complete validation of the
trust. Either step might fail, after which AD DC would report back to
IPA DC that it was unable to reach it.
This diagnostics wasn't added for nothing, you need to trust it. :)
if I run the following it seems to successfully establish the trust by
the IPA side of the business
# ipa trust-add --type=ad "ad_domain" --trust-secret
So this part seems find by the look of it..
It works because it does not communicate with AD DCs here, only with
IPA's Samba instance.
I also had to manually add the AD host and the remote CIFS resource
but I am getting instead:
ipa trust-fetch-domains corp.hootsuitemedia.com
ipa: ERROR: AD domain controller complains about communication
sequence. It may mean unsynchronized time on both sides, for example
This doesn't work because AD DC did not complete the trust validation
and cannot trust IPA Kerberos tickets, thus refusing operation.
Unfortunately, reporting in SMB protocol is less than perfect so we
only
are able to get guesses at what has happened.
In any case, running trust-fetch-domains makes no sense until you
complete validation.
And to complete validation you really need to fix issues with either
DNS
or firewall so that AD DCs are capable to reach proper IPA DCs.
And all IPA DCs should be initialized with ipa-adtrust-install
currently.
--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project
