On Fri, 17 Apr 2015, Gould, Joshua wrote:
We setup our new IPA server (RHEL7) with a trust against our AD domain.
The trust and ID range look right in IPA

[root sssd]# ipa trust-show
Realm name: example.com
 Realm name: EXAMPLE.COM
 Domain NetBIOS name: EXAMPLE
 Domain Security Identifier: S-1-5-21-
 Trust direction: Two-way trust
 Trust type: Active Directory domain
[root sssd]# ipa idrange-find --all
----------------
2 ranges matched
----------------
 dn: cn=EXAMPLE.COM_id_range,cn=ranges,cn=etc,dc=examle,dc=com
 Range name: EXAMPLE.COM_id_range
 First Posix ID of the range: 2000000
 Number of IDs in the range: 900000
 First RID of the corresponding RID range: 0
 Domain SID of the trusted domain: S-1-5-21-
 Range type: Active Directory domain range
 iparangetyperaw: ipa-ad-trust
 objectclass: ipatrustedaddomainrange, ipaIDrange

 dn: cn=UNIX.EXAMPLE.COM_id_range,cn=ranges,cn=etc,dc=example,dc=com
 Range name: UNIX.EXAMPLE.COM_id_range
 First Posix ID of the range: 369600000
 Number of IDs in the range: 200000
 First RID of the corresponding RID range: 1000
 First RID of the secondary RID range: 100000000
 Range type: local domain range
 iparangetyperaw: ipa-local
 objectclass: top, ipaIDrange, ipaDomainIDRange
----------------------------
Number of entries returned 2
----------------------------
Either you obfuscated too much or your setup makes little sense as IPA
local domain ID range is for unix.example.com while your realm is
EXAMPLE.COM and AD realm is EXAMPLE.COM. This is not going to work --
IPA and AD has to have different realms.


[root sssd]#

I see that the bind fails but I’m not sure why. Here are the errors.
Could someone point me in the right direction please?

A single line you need to look at is this:
(Fri Apr 17 10:11:24 2015) [sssd[be[unix.EXAMPLE.COM]]] [sasl_bind_send] 
(0x0080): Extended failure message: [SASL(-1): generic failure: GSSAPI Error: 
Unspecified GSS failure.  Minor code may provide more information (KDC policy 
rejects request)]

KDC policy rejects request is Kerberos way of saying "My realm doesn't
trust your realm, go away".

In order to know what exactly is wrong, do following (it is all written
in the troubleshooting section of the trust documentation on FreeIPA
wiki):

1. add 'log level = 100' to [global] section of
/usr/share/ipa/smb.conf.empty

2. Without restarting anything, re-establish trust with 'ipa trust-add ...'.

3. Look into /var/log/http/error_log to see a response for something
like this:
s4_tevent: Run immediate event "tevent_req_trigger": 0x7f5ccc084a40
    netr_LogonControl2Ex: struct netr_LogonControl2Ex
       out: struct netr_LogonControl2Ex
           query                    : *
               query                    : union 
netr_CONTROL_QUERY_INFORMATION(case 2)
               info2                    : *
                   info2: struct netr_NETLOGON_INFO_2
                       flags                    : 0x000000b0 (176)
                              0: NETLOGON_REPLICATION_NEEDED
                              0: NETLOGON_REPLICATION_IN_PROGRESS
                              0: NETLOGON_FULL_SYNC_REPLICATION
0: NETLOGON_REDO_NEEDED 1: NETLOGON_HAS_IP 1: NETLOGON_HAS_TIMESERV 0: NETLOGON_DNS_UPDATE_FAILURE
                              1: NETLOGON_VERIFY_STATUS_RETURNED
                       pdc_connection_status    : WERR_OK
                       trusted_dc_name          : *
                           trusted_dc_name          : '\\rh7-1.ipacloud7.test'
                       tc_connection_status     : WERR_OK
           result                   : WERR_OK

If instead of WERR_OK in pdc_connection_status  you have something else,
that is telling an error. Show us the output like above.


--
/ Alexander Bokovoy

--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project

Reply via email to