On Wed, Jul 01, 2015 at 02:37:44PM +0100, David Fox wrote:
> I am encountering issues trying to integrate FreeIPA with AD, on *nix prompt
> I get "internal server error" and within I receive the following message in
> httpd_errorlog.
> 

It looks like we ask AD if it already has a trust to a domain called
'ipa.*redacted*' and ....

> rpc reply data:
> [0000] 00 00 02 00 06 00 00 00   03 00 00 00 00 00 00 00   ........ ........
>      lsa_QueryTrustedDomainInfoByName: struct
> lsa_QueryTrustedDomainInfoByName
>         in: struct lsa_QueryTrustedDomainInfoByName
>             handle                   : *
>                 handle: struct policy_handle
>                     handle_type              : 0x00000000 (0)
>                     uuid                     :
> 0593f50d-b3c4-4b0a-b3d7-f502da1ea0e6
>             trusted_domain           : *
>                 trusted_domain: struct lsa_String
>                     length                   : 0x001a (26)
>                     size                     : 0x001a (26)
>                     string                   : *
>                         string                   : 'ipa.*redacted*'
>             level                    : LSA_TRUSTED_DOMAIN_INFO_FULL_INFO (8)
> rpc request data:
> [0000] 00 00 00 00 0D F5 93 05   C4 B3 0A 4B B3 D7 F5 02   ........ ...K....
> [0010] DA 1E A0 E6 1A 00 1A 00   00 00 02 00 0D 00 00 00   ........ ........
> [0020] 00 00 00 00 0D 00 00 00   69 00 70 00 61 00 2E 00   ........ i.p.a...
> [0030] 68 00 73 00 61 00 2E 00   63 00 6F 00 2E 00 75 00   a... c.o...u.
> [0040] 6B 00 08 00                                       k...
> s4_tevent: Schedule immediate event "dcerpc_io_trigger": 0x7fdde0230710
> s4_tevent: Added timed event "dcerpc_timeout_handler": 0x7fdde00ef550
> s4_tevent: Run immediate event "dcerpc_io_trigger": 0x7fdde0230710
> s4_tevent: Schedule immediate event "dcerpc_io_trigger": 0x7fdde0230710
> num_setup=2, max_setup=0, param_total=0, this_param=0, max_param=0,
> data_total=92, this_data=92, max_data=4280, param_offset=84, param_pad=2,
> param_disp=0, data_offset=84, data_pad=0, data_disp=0
> s4_tevent: Added timed event "tevent_req_timedout": 0x7fdde00ee2f0
> smb_signing_md5: sequence number 14
> smb_signing_sign_pdu: sent SMB signature of
> [0000] B0 93 27 43 EE 4A 37 94                            ..'C.J7.
> s4_tevent: Schedule immediate event "tevent_queue_immediate_trigger":
> 0x7fdde00f5a60
> s4_tevent: Run immediate event "dcerpc_io_trigger": 0x7fdde0230710
> s4_tevent: Run immediate event "tevent_queue_immediate_trigger":
> 0x7fdde00f5a60
> smb_signing_md5: sequence number 15
> smb_signing_check_pdu: seq 15: got good SMB signature of
> [0000] 8F F4 5B 5F 27 39 4C 42                            ..[_'9LB
> s4_tevent: Destroying timer event 0x7fdde00ee2f0 "tevent_req_timedout"
> s4_tevent: Schedule immediate event "tevent_req_trigger": 0x7fdde050c440
> s4_tevent: Run immediate event "tevent_req_trigger": 0x7fdde050c440
> s4_tevent: Destroying timer event 0x7fdde00ef550 "dcerpc_timeout_handler"
> s4_tevent: Schedule immediate event "tevent_req_trigger": 0x7fdde05110e0
> s4_tevent: Run immediate event "tevent_req_trigger": 0x7fdde05110e0
>      lsa_QueryTrustedDomainInfoByName: struct
> lsa_QueryTrustedDomainInfoByName
>         out: struct lsa_QueryTrustedDomainInfoByName
>             info                     : *
>                 info                     : *
>                     info                     : union
> lsa_TrustedDomainInfo(case 8)
>                     full_info: struct lsa_TrustDomainInfoFullInfo
>                         info_ex: struct lsa_TrustDomainInfoInfoEx
>                             domain_name: struct lsa_StringLarge
>                                 length                   : 0x001a (26)
>                                 size                     : 0x001c (28)
>                                 string                   : *
>                                     string                   :
> 'ipa.*redacted*'
>                             netbios_name: struct lsa_StringLarge
>                                 length                   : 0x001a (26)
>                                 size                     : 0x001c (28)
>                                 string                   : *
>                                     string                   :
> 'ipa.*redacted*'
>                             sid                      : NULL
>                             trust_direction          : 0x00000003 (3)
>                                    1: LSA_TRUST_DIRECTION_INBOUND
>                                    1: LSA_TRUST_DIRECTION_OUTBOUND
>                             trust_type               : LSA_TRUST_TYPE_MIT


and knows this domain already because a trust to the Kerberos realm was
already created.

If possible please remove the Kerberos trust from the AD side and try
again.

Please note that you cannot have trust to two realms which share the
same realm name.

HTH

bye,
Sumit

> (3)
>                             trust_attributes         : 0x00000000 (0)
>                                    0: LSA_TRUST_ATTRIBUTE_NON_TRANSITIVE
>                                    0: LSA_TRUST_ATTRIBUTE_UPLEVEL_ONLY
>                                    0: LSA_TRUST_ATTRIBUTE_QUARANTINED_DOMAIN
>                                    0: LSA_TRUST_ATTRIBUTE_FOREST_TRANSITIVE
>                                    0: LSA_TRUST_ATTRIBUTE_CROSS_ORGANIZATION
>                                    0: LSA_TRUST_ATTRIBUTE_WITHIN_FOREST
>                                    0: LSA_TRUST_ATTRIBUTE_TREAT_AS_EXTERNAL
>                                    0:
> LSA_TRUST_ATTRIBUTE_USES_RC4_ENCRYPTION
>                         posix_offset: struct lsa_TrustDomainInfoPosixOffset
>                             posix_offset             : 0x00000000 (0)
>                         auth_info: struct lsa_TrustDomainInfoAuthInfo
>                             incoming_count           : 0x00000000 (0)
>                             incoming_current_auth_info: NULL
>                             incoming_previous_auth_info: NULL
>                             outgoing_count           : 0x00000000 (0)
>                             outgoing_current_auth_info: NULL
>                             outgoing_previous_auth_info: NULL
>             result                   : NT_STATUS_OK
> rpc reply data:
> [0000] 00 00 02 00 08 00 00 00   1A 00 1C 00 04 00 02 00   ........ ........
> [0010] 1A 00 1C 00 08 00 02 00   00 00 00 00 03 00 00 00   ........ ........
> [0020] 03 00 00 00 00 00 00 00   00 00 00 00 00 00 00 00   ........ ........
> [0030] 00 00 00 00 00 00 00 00   00 00 00 00 00 00 00 00   ........ ........
> [0040] 00 00 00 00 0E 00 00 00   00 00 00 00 0D 00 00 00   ........ ........
> [0050] 69 00 70 00 61 00 2E 00   68 00 73 00 61 00 2E 00   i.p.a... h...
> [0060] 63 00 6F 00 2E 00 75 00   6B 00 00 00 0E 00 00 00   c.o...u. k.......
> [0070] 00 00 00 00 0D 00 00 00   69 00 70 00 61 00 2E 00   ........ i.p.a...
> [0080] 68 00 73 00 61 00 2E 00   63 00 6F 00 2E 00 75 00   ... c.o...u.
> [0090] 6B 00 00 00 00 00 00 00                            k.......
> [Tue Jun 30 13:17:01.369249 2015] [:error] [pid 1063] ipa: ERROR:
> non-public: TypeError: default/librpc/gen_ndr/py_lsa.c:9436: Expected type
> 'security.dom_sid' for 'py_dom_sid' of type 'NoneType'
> [Tue Jun 30 13:17:01.369285 2015] [:error] [pid 1063] Traceback (most recent
> call last):
> [Tue Jun 30 13:17:01.369289 2015] [:error] [pid 1063]   File
> "/usr/lib/python2.7/site-packages/ipaserver/rpcserver.py", line 348, in
> wsgi_execute
> [Tue Jun 30 13:17:01.369292 2015] [:error] [pid 1063]     result =
> self.Command[name](*args, **options)
> [Tue Jun 30 13:17:01.369294 2015] [:error] [pid 1063]   File
> "/usr/lib/python2.7/site-packages/ipalib/frontend.py", line 439, in __call__
> [Tue Jun 30 13:17:01.369303 2015] [:error] [pid 1063]     ret =
> self.run(*args, **options)
> [Tue Jun 30 13:17:01.369306 2015] [:error] [pid 1063]   File
> "/usr/lib/python2.7/site-packages/ipalib/frontend.py", line 754, in run
> [Tue Jun 30 13:17:01.369308 2015] [:error] [pid 1063]     return
> self.execute(*args, **options)
> [Tue Jun 30 13:17:01.369310 2015] [:error] [pid 1063]   File
> "/usr/lib/python2.7/site-packages/ipalib/plugins/trust.py", line 474, in
> execute
> [Tue Jun 30 13:17:01.369313 2015] [:error] [pid 1063]     result =
> self.execute_ad(full_join, *keys, **options)
> [Tue Jun 30 13:17:01.369315 2015] [:error] [pid 1063]   File
> "/usr/lib/python2.7/site-packages/ipalib/plugins/trust.py", line 709, in
> execute_ad
> [Tue Jun 30 13:17:01.369318 2015] [:error] [pid 1063]     self.realm_passwd
> [Tue Jun 30 13:17:01.369320 2015] [:error] [pid 1063]   File
> "/usr/lib/python2.7/site-packages/ipaserver/dcerpc.py", line 1222, in
> join_ad_full_credentials
> [Tue Jun 30 13:17:01.369323 2015] [:error] [pid 1063]
> self.remote_domain.establish_trust(self.local_domain, trustdom_pass)
> [Tue Jun 30 13:17:01.369325 2015] [:error] [pid 1063]   File
> "/usr/lib/python2.7/site-packages/ipaserver/dcerpc.py", line 963, in
> establish_trust
> [Tue Jun 30 13:17:01.369327 2015] [:error] [pid 1063]
> self._pipe.DeleteTrustedDomain(self._policy_handle, res.info_ex.sid)
> [Tue Jun 30 13:17:01.369330 2015] [:error] [pid 1063] TypeError:
> default/librpc/gen_ndr/py_lsa.c:9436: Expected type 'security.dom_sid' for
> 'py_dom_sid' of type 'NoneType'
> [Tue Jun 30 13:17:01.369648 2015] [:error] [pid 1063] ipa: INFO:
> [jsonserver_session] admin@IPA.*redacted*: trust_add(u'*redacted*',
> trust_type=u'ad', realm_admin=u'*redacted*', realm_passwd=u'********',
> all=False, raw=False, version=u'2.112'): TypeError
> 
> 
> These are whole logs with "log level = 100" set in smb.conf.empty. Log files
> were emptied before the above command was run. If there is any other
> information required please let me know.
> 
> Software versions:
> Fedora 22: 4.1.4
> Fedora 22: 4.2 Alpha 1
> 
> Oracle Linux 7.1 64bit: without DNS
> ipa-server.x86_64 - 4.1.0-18.0.1-el17_1.3
> ipa-server-trust-ad.x86_64 - 4.1.0-18.0.1-el17_1.3
> 
> CentOS 7.1 64bit: With DNS
> ipa-server.x86_64 - 4.1.0-18-el7.centos.3
> ipa-server-trust-ad.x86_64 - 4.1.0-18-el7.centos.3
> 
> 
> Regards,
> David
> 
> -- 
> Manage your subscription for the Freeipa-users mailing list:
> https://www.redhat.com/mailman/listinfo/freeipa-users
> Go to http://freeipa.org for more info on the project

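The traceback above shows why the trust creation dies: the existing AD entry is a Kerberos realm trust (trust_type MIT) whose sid is NULL, and DeleteTrustedDomain is handed that None where a security.dom_sid is required. The following is an added illustration, not FreeIPA or Samba code, of how an operator can read the same Samba NDR debug dump and spot that situation before running trust_add again. The dump text, the domain name 'ipa.example.test' and the function names are constructed for this example; the numeric values of LSA_TRUST_TYPE_* and LSA_TRUST_DIRECTION_* are the ones from the LSA IDL and match the "(3)" annotations in the log.

```python
"""Parse a Samba NDR debug dump of an lsa_QueryTrustedDomainInfoByName
reply and flag a pre-existing trust entry that has no SID.

Added illustration only; not FreeIPA or Samba code.
"""
import re

# Enum values from the LSA IDL (MS-LSAD). trust_type 3 == MIT Kerberos realm.
LSA_TRUST_TYPE = {1: "DOWNLEVEL", 2: "UPLEVEL", 3: "MIT", 4: "DCE"}
LSA_TRUST_DIRECTION_INBOUND = 0x1
LSA_TRUST_DIRECTION_OUTBOUND = 0x2

# Constructed excerpt in the shape of the log-level-100 dump from the thread
# (domain name replaced with a made-up one).
NDR_DUMP = """\
                        info_ex: struct lsa_TrustDomainInfoInfoEx
                            domain_name: struct lsa_StringLarge
                                string                   : *
                                    string                   : 'ipa.example.test'
                            netbios_name: struct lsa_StringLarge
                                string                   : *
                                    string                   : 'ipa.example.test'
                            sid                      : NULL
                            trust_direction          : 0x00000003 (3)
                            trust_type               : LSA_TRUST_TYPE_MIT (3)
                            trust_attributes         : 0x00000000 (0)
            result                   : NT_STATUS_OK
"""

FIELD_RE = re.compile(r"^\s*(\w+)\s*:\s*(.+?)\s*$")


def _parse_value(raw):
    """Turn one NDR field value into a Python value."""
    raw = raw.strip()
    if raw == "NULL":
        return None
    m = re.fullmatch(r"'(.*)'", raw)          # quoted string
    if m:
        return m.group(1)
    m = re.fullmatch(r"(?:0x[0-9a-fA-F]+|[A-Z_]+) \((\d+)\)", raw)  # "0x3 (3)" / "ENUM (3)"
    if m:
        return int(m.group(1))
    return raw                                 # e.g. NT_STATUS_OK


def parse_info_ex(dump):
    """Extract the info_ex fields into a flat dict."""
    fields = {}
    section = None
    for line in dump.splitlines():
        m = FIELD_RE.match(line)
        if not m:
            continue
        key, raw = m.group(1), m.group(2)
        if raw.startswith("struct lsa_String"):
            section = key                      # domain_name / netbios_name
            continue
        if key == "string":
            if raw != "*" and section:         # "*" is only the pointer marker
                fields[section] = _parse_value(raw)
            continue
        fields[key] = _parse_value(raw)
    return fields


def decode_direction(flags):
    """Map the trust_direction bitmask to its flag names."""
    names = []
    if flags & LSA_TRUST_DIRECTION_INBOUND:
        names.append("INBOUND")
    if flags & LSA_TRUST_DIRECTION_OUTBOUND:
        names.append("OUTBOUND")
    return names


def check_existing_trust(info):
    """Return (ok, reason). ok is False when the existing entry has no SID,
    which is the case DeleteTrustedDomain cannot handle (it needs a
    security.dom_sid, hence the TypeError in the thread)."""
    if info.get("result") != "NT_STATUS_OK":
        return True, "no existing trust entry for this name"
    ttype = LSA_TRUST_TYPE.get(info.get("trust_type"), "UNKNOWN")
    if info.get("sid") is None:
        return False, (f"existing {ttype} trust to '{info.get('domain_name')}' has no SID "
                       "(Kerberos realm trust); remove it on the AD side first")
    return True, f"existing {ttype} trust with a SID can be replaced"


if __name__ == "__main__":
    parsed = parse_info_ex(NDR_DUMP)
    print(parsed, decode_direction(parsed["trust_direction"]))
    print(check_existing_trust(parsed))
```

Feeding the dump from the thread into parse_info_ex gives sid None, trust_type 3 (MIT) and direction INBOUND|OUTBOUND, and check_existing_trust reports that the realm trust has to be removed on the AD side, which is the advice given above.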