On Fri, 17 Apr 2015, Gould, Joshua wrote:
We setup our new IPA server (RHEL7) with a trust against our AD domain.
The trust and ID range look right in IPA
[root sssd]# ipa trust-show
Realm name: example.com
Realm name: EXAMPLE.COM
Domain NetBIOS name: EXAMPLE
Domain Security Identifier: S-1-5-21-
Trust direction: Two-way trust
Trust type: Active Directory domain
[root sssd]# ipa idrange-find --all
----------------
2 ranges matched
----------------
dn: cn=EXAMPLE.COM_id_range,cn=ranges,cn=etc,dc=examle,dc=com
Range name: EXAMPLE.COM_id_range
First Posix ID of the range: 2000000
Number of IDs in the range: 900000
First RID of the corresponding RID range: 0
Domain SID of the trusted domain: S-1-5-21-
Range type: Active Directory domain range
iparangetyperaw: ipa-ad-trust
objectclass: ipatrustedaddomainrange, ipaIDrange
dn: cn=UNIX.EXAMPLE.COM_id_range,cn=ranges,cn=etc,dc=example,dc=com
Range name: UNIX.EXAMPLE.COM_id_range
First Posix ID of the range: 369600000
Number of IDs in the range: 200000
First RID of the corresponding RID range: 1000
First RID of the secondary RID range: 100000000
Range type: local domain range
iparangetyperaw: ipa-local
objectclass: top, ipaIDrange, ipaDomainIDRange
----------------------------
Number of entries returned 2
----------------------------
Either you obfuscated too much or your setup makes little sense as IPA
local domain ID range is for unix.example.com while your realm is
EXAMPLE.COM and AD realm is EXAMPLE.COM. This is not going to work --
IPA and AD has to have different realms.
[root sssd]#
I see that the bind fails but I’m not sure why. Here are the errors.
Could someone point me in the right direction please?
A single line you need to look at is this:
(Fri Apr 17 10:11:24 2015) [sssd[be[unix.EXAMPLE.COM]]] [sasl_bind_send]
(0x0080): Extended failure message: [SASL(-1): generic failure: GSSAPI Error:
Unspecified GSS failure. Minor code may provide more information (KDC policy
rejects request)]
KDC policy rejects request is Kerberos way of saying "My realm doesn't
trust your realm, go away".
In order to know what exactly is wrong, do following (it is all written
in the troubleshooting section of the trust documentation on FreeIPA
wiki):
1. add 'log level = 100' to [global] section of
/usr/share/ipa/smb.conf.empty
2. Without restarting anything, re-establish trust with 'ipa trust-add ...'.
3. Look into /var/log/http/error_log to see a response for something
like this:
s4_tevent: Run immediate event "tevent_req_trigger": 0x7f5ccc084a40
netr_LogonControl2Ex: struct netr_LogonControl2Ex
out: struct netr_LogonControl2Ex
query : *
query : union
netr_CONTROL_QUERY_INFORMATION(case 2)
info2 : *
info2: struct netr_NETLOGON_INFO_2
flags : 0x000000b0 (176)
0: NETLOGON_REPLICATION_NEEDED
0: NETLOGON_REPLICATION_IN_PROGRESS
0: NETLOGON_FULL_SYNC_REPLICATION
0: NETLOGON_REDO_NEEDED
1: NETLOGON_HAS_IP
1: NETLOGON_HAS_TIMESERV
0: NETLOGON_DNS_UPDATE_FAILURE
1: NETLOGON_VERIFY_STATUS_RETURNED
pdc_connection_status : WERR_OK
trusted_dc_name : *
trusted_dc_name : '\\rh7-1.ipacloud7.test'
tc_connection_status : WERR_OK
result : WERR_OK
If instead of WERR_OK in pdc_connection_status you have something else,
that is telling an error. Show us the output like above.
--
/ Alexander Bokovoy
--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project
