On Wed, 15 Apr 2015, g.fer.or...@unicyber.co.uk wrote:
Hi Alexander

I do trust the diagnostics and I thank you so much for that explanation, as I know now a bit better what to expect, or at least what sequence it follows.

This does not seem to be a port issue (below windows):
53/tcp    open  domain
80/tcp    open  http
88/tcp    open  kerberos-sec
111/tcp   open  rpcbind
135/tcp   open  msrpc
139/tcp   open  netbios-ssn
389/tcp   open  ldap
445/tcp   open  microsoft-ds
464/tcp   open  kpasswd5
593/tcp   open  http-rpc-epmap
636/tcp   open  ldapssl
3268/tcp  open  globalcatLDAP
3269/tcp  open  globalcatLDAPssl
3389/tcp  open  ms-wbt-server

And after executing the command:
ipa trust-add --type=ad ad_domain.company.com --admin ad_user --password

I get:
s4_tevent: Schedule immediate event "dcerpc_io_trigger": 0x7fbb7c00f170
s4_tevent: Added timed event "dcerpc_timeout_handler": 0x7fbb7c0a1910
s4_tevent: Run immediate event "dcerpc_io_trigger": 0x7fbb7c00f170
s4_tevent: Schedule immediate event "dcerpc_io_trigger": 0x7fbb7c00f170
num_setup=2, max_setup=0, param_total=0, this_param=0, max_param=0, data_total=112, this_data=112, max_data=4280, param_offset=84, param_pad=2, param_disp=0, data_offset=84, data_pad=0, data_disp=0
s4_tevent: Added timed event "tevent_req_timedout": 0x7fbb7c434b10
smb_signing_md5: sequence number 8
smb_signing_sign_pdu: sent SMB signature of
[0000] 4E 30 9B AA AD 9D FA E9                            N0......
s4_tevent: Schedule immediate event "tevent_queue_immediate_trigger": 0x7fbb7c3179d0
s4_tevent: Run immediate event "dcerpc_io_trigger": 0x7fbb7c00f170
s4_tevent: Run immediate event "tevent_queue_immediate_trigger": 0x7fbb7c3179d0
smb_signing_md5: sequence number 9
smb_signing_check_pdu: seq 9: got good SMB signature of
[0000] 34 AA E5 B9 B4 BB AD 3D                            4......=
s4_tevent: Destroying timer event 0x7fbb7c434b10 "tevent_req_timedout"
s4_tevent: Schedule immediate event "tevent_req_trigger": 0x7fbb7c532dd0
s4_tevent: Run immediate event "tevent_req_trigger": 0x7fbb7c532dd0
s4_tevent: Destroying timer event 0x7fbb7c0a1910 "dcerpc_timeout_handler"
s4_tevent: Schedule immediate event "tevent_req_trigger": 0x7fbb7c0a1660
s4_tevent: Run immediate event "tevent_req_trigger": 0x7fbb7c0a1660
    netr_LogonControl2Ex: struct netr_LogonControl2Ex
       out: struct netr_LogonControl2Ex
           query                    : *
               query                    : union netr_CONTROL_QUERY_INFORMATION(case 2)
               info2                    : *
                   info2: struct netr_NETLOGON_INFO_2
                       flags                    : 0x00000080 (128)
                              0: NETLOGON_REPLICATION_NEEDED
                              0: NETLOGON_REPLICATION_IN_PROGRESS
                              0: NETLOGON_FULL_SYNC_REPLICATION
                              0: NETLOGON_REDO_NEEDED
                              0: NETLOGON_HAS_IP
                              0: NETLOGON_HAS_TIMESERV
                              0: NETLOGON_DNS_UPDATE_FAILURE
                              1: NETLOGON_VERIFY_STATUS_RETURNED
                       pdc_connection_status    : WERR_NO_LOGON_SERVERS
                       trusted_dc_name          : *
                           trusted_dc_name          : ''
                       tc_connection_status     : WERR_NO_LOGON_SERVERS
           result                   : WERR_OK
rpc reply data:
[0000] 02 00 00 00 00 00 02 00 80 00 00 00 1F 05 00 00 ........ ........
[0010] 04 00 02 00 1F 05 00 00 01 00 00 00 00 00 00 00 ........ ........
[0020] 01 00 00 00 00 00 00 00   00 00 00 00              ........ ....
s4_tevent: Added timed event "tevent_req_timedout": 0x7fbb7c23ced0
smb_signing_md5: sequence number 10
smb_signing_sign_pdu: sent SMB signature of
[0000] 91 10 6B 3B E8 98 AA B9                            ..k;....
s4_tevent: Schedule immediate event "tevent_queue_immediate_trigger": 0x7fbb7c3179d0
s4_tevent: Destroying timer event 0x7fbb7c23ced0 "tevent_req_timedout"
s4_tevent: Cancel immediate event 0x7fbb7c3179d0 "tevent_queue_immediate_trigger"
[Wed Apr 15 22:17:08.729930 2015] [:error] [pid 4810] ipa: INFO: [jsonserver_session] ad...@ldap.company.com: trust_add(u'ad_domain.company.com', trust_type=u'ad', realm_admin=u'ad_user', realm_passwd=u'********', all=False, raw=False, version=u'2.114'): RemoteRetrieveError

So to me that seems to be samba related.

No, it is not, at least so far all evidence is only telling that AD DC
cannot talk to IPA DC. From the above netr_NETLOGON_INFO_2 structure it
is pretty clear:
"AD DC tried to verify trust and was unable to contact logon servers
 (DCs) of IPA".

If I try to mount any of the remote AD shares on the IPA server manually, it works perfectly well with the above user details (this is without Kerberos, so -k).

If you mount something on IPA server, it means connection goes from IPA
server to AD DC, not the other way around. You need to make sure the
opposite direction (connection initiated by AD DC towards IPA server)
would work.

/ Alexander Bokovoy
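The reasoning above rests on reading the netr_NETLOGON_INFO_2 structure in the Samba debug output: the NETLOGON_VERIFY_STATUS_RETURNED flag is set and both connection status fields carry WERR_NO_LOGON_SERVERS, so the RPC call itself succeeded (result WERR_OK) but the AD DC reports that it could not reach any IPA logon server. The following script is an added example, not part of this thread or of FreeIPA or Samba; it decodes the "rpc reply data" bytes shown in the log into those fields, spells out the interpretation, and adds a small TCP probe that is meant to be run from the AD DC side towards the IPA server to test the direction Alexander asks about. The flag bit values follow the order of the Samba dump (bit 0 = NETLOGON_REPLICATION_NEEDED up to bit 7 = NETLOGON_VERIFY_STATUS_RETURNED); the host name and the port list in the `__main__` block are placeholders, not an authoritative list of ports a trust needs.

```python
import socket
import struct

# The "rpc reply data" hex from the log on this page, re-typed as constructed
# sample input (trailing spaces keep the byte pairs separated when joined).
RPC_REPLY_HEX = (
    "02 00 00 00 00 00 02 00 80 00 00 00 1F 05 00 00 "
    "04 00 02 00 1F 05 00 00 01 00 00 00 00 00 00 00 "
    "01 00 00 00 00 00 00 00 00 00 00 00 "
)

# Flag bits of netr_NETLOGON_INFO_2.flags, in the order Samba prints them.
NETLOGON_INFO_FLAGS = [
    (0x01, "NETLOGON_REPLICATION_NEEDED"),
    (0x02, "NETLOGON_REPLICATION_IN_PROGRESS"),
    (0x04, "NETLOGON_FULL_SYNC_REPLICATION"),
    (0x08, "NETLOGON_REDO_NEEDED"),
    (0x10, "NETLOGON_HAS_IP"),
    (0x20, "NETLOGON_HAS_TIMESERV"),
    (0x40, "NETLOGON_DNS_UPDATE_FAILURE"),
    (0x80, "NETLOGON_VERIFY_STATUS_RETURNED"),
]

# Only the two Win32 error codes that appear in the dump are named here.
WERR_NAMES = {0x0000: "WERR_OK", 0x051F: "WERR_NO_LOGON_SERVERS"}


def werr_name(code):
    return WERR_NAMES.get(code, "WERR_0x%08X" % code)


def decode_logon_control2ex_reply(blob):
    """Decode the NDR-encoded [out] part of netr_LogonControl2Ex, query level 2.

    Layout, all little-endian uint32 unless noted, matching the Samba dump:
    union discriminant, referent id of info2, flags, pdc_connection_status,
    referent id of trusted_dc_name, tc_connection_status, then the
    conformant/varying UTF-16 string (max count, offset, actual count, chars),
    4-byte alignment padding, and finally the WERROR result.
    """
    off = 0

    def u32():
        nonlocal off
        (value,) = struct.unpack_from("<I", blob, off)
        off += 4
        return value

    level = u32()
    if level != 2:
        raise ValueError("only NETLOGON_INFO_2 (query level 2) is handled")
    u32()                      # referent id of the info2 pointer
    flags = u32()
    pdc_status = u32()
    u32()                      # referent id of the trusted_dc_name pointer
    tc_status = u32()
    u32()                      # max_count of the string
    u32()                      # offset (always 0 here)
    actual = u32()             # actual_count, in UTF-16 code units
    name = blob[off:off + 2 * actual].decode("utf-16-le").rstrip("\x00")
    off = (off + 2 * actual + 3) & ~3   # NDR aligns the next uint32 to 4 bytes
    result = u32()
    return {
        "flags": flags,
        "flag_names": [n for bit, n in NETLOGON_INFO_FLAGS if flags & bit],
        "pdc_connection_status": werr_name(pdc_status),
        "trusted_dc_name": name,
        "tc_connection_status": werr_name(tc_status),
        "result": werr_name(result),
    }


def explain(info):
    """Turn the decoded structure into the conclusion drawn in the thread."""
    if info["result"] != "WERR_OK":
        return "the RPC call itself failed: %s" % info["result"]
    if ("NETLOGON_VERIFY_STATUS_RETURNED" in info["flag_names"]
            and info["pdc_connection_status"] == "WERR_NO_LOGON_SERVERS"):
        return ("RPC succeeded, but the AD DC was unable to contact logon servers "
                "(DCs) of IPA; check connections initiated by the AD DC towards IPA")
    return "AD DC reports PDC status %s" % info["pdc_connection_status"]


def probe_tcp_ports(host, ports, timeout=2.0, connect=None):
    """Map each port to True/False by attempting a TCP connect from this host.

    Run it on the AD DC with the IPA server as host to test the reverse
    direction. 'connect' may be injected (e.g. for offline tests).
    """
    if connect is None:
        def connect(h, p):
            try:
                with socket.create_connection((h, p), timeout=timeout):
                    return True
            except OSError:
                return False
    return {p: connect(host, p) for p in ports}


if __name__ == "__main__":
    info = decode_logon_control2ex_reply(bytes.fromhex(RPC_REPLY_HEX))
    print(info)
    print(explain(info))
    # Placeholder host and port list (assumption); take the real list from
    # the FreeIPA trust documentation and run this on the AD DC.
    print(probe_tcp_ports("ipa.example.test", [53, 88, 389, 445]))
```

The decoder checks the union discriminant and tracks NDR alignment explicitly, which is what makes the 44-byte dump line up exactly with the fields Samba prints; if a future dump uses a different query level the function raises instead of silently misreading the bytes.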

Manage your subscription for the Freeipa-users mailing list:
Go to http://freeipa.org for more info on the project
