On 2015-07-02 12:47, Sumit Bose wrote:
On Wed, Jul 01, 2015 at 02:37:44PM +0100, David Fox wrote:
I am encountering issues trying to integrate FreeIPA with AD, on *nix prompt I get "internal server error" and within I receive the following message in
httpd_errorlog.


It looks like we ask AD if it already has a trust to a domain called
'ipa.*redacted*' and ....

rpc reply data:
[0000] 00 00 02 00 06 00 00 00 03 00 00 00 00 00 00 00 ........ ........
     lsa_QueryTrustedDomainInfoByName: struct
lsa_QueryTrustedDomainInfoByName
        in: struct lsa_QueryTrustedDomainInfoByName
            handle                   : *
                handle: struct policy_handle
                    handle_type              : 0x00000000 (0)
                    uuid                     :
0593f50d-b3c4-4b0a-b3d7-f502da1ea0e6
            trusted_domain           : *
                trusted_domain: struct lsa_String
                    length                   : 0x001a (26)
                    size                     : 0x001a (26)
                    string                   : *
                        string                   : 'ipa.*redacted*'
            level                    : LSA_TRUSTED_DOMAIN_INFO_FULL_INFO (8)
rpc request data:
s4_tevent: Schedule immediate event "dcerpc_io_trigger": 0x7fdde0230710
s4_tevent: Added timed event "dcerpc_timeout_handler": 0x7fdde00ef550
s4_tevent: Run immediate event "dcerpc_io_trigger": 0x7fdde0230710
s4_tevent: Schedule immediate event "dcerpc_io_trigger": 0x7fdde0230710
num_setup=2, max_setup=0, param_total=0, this_param=0, max_param=0,
data_total=92, this_data=92, max_data=4280, param_offset=84, param_pad=2,
param_disp=0, data_offset=84, data_pad=0, data_disp=0
s4_tevent: Added timed event "tevent_req_timedout": 0x7fdde00ee2f0
smb_signing_md5: sequence number 14
smb_signing_sign_pdu: sent SMB signature of
[0000] B0 93 27 43 EE 4A 37 94                            ..'C.J7.
s4_tevent: Schedule immediate event "tevent_queue_immediate_trigger":
0x7fdde00f5a60
s4_tevent: Run immediate event "dcerpc_io_trigger": 0x7fdde0230710
s4_tevent: Run immediate event "tevent_queue_immediate_trigger":
0x7fdde00f5a60
smb_signing_md5: sequence number 15
smb_signing_check_pdu: seq 15: got good SMB signature of
[0000] 8F F4 5B 5F 27 39 4C 42                            ..[_'9LB
s4_tevent: Destroying timer event 0x7fdde00ee2f0 "tevent_req_timedout"
s4_tevent: Schedule immediate event "tevent_req_trigger": 0x7fdde050c440
s4_tevent: Run immediate event "tevent_req_trigger": 0x7fdde050c440
s4_tevent: Destroying timer event 0x7fdde00ef550 "dcerpc_timeout_handler"
s4_tevent: Schedule immediate event "tevent_req_trigger": 0x7fdde05110e0
s4_tevent: Run immediate event "tevent_req_trigger": 0x7fdde05110e0
     lsa_QueryTrustedDomainInfoByName: struct
lsa_QueryTrustedDomainInfoByName
        out: struct lsa_QueryTrustedDomainInfoByName
            info                     : *
                info                     : *
                    info                     : union
lsa_TrustedDomainInfo(case 8)
                    full_info: struct lsa_TrustDomainInfoFullInfo
                        info_ex: struct lsa_TrustDomainInfoInfoEx
                            domain_name: struct lsa_StringLarge
                                length                   : 0x001a (26)
                                size                     : 0x001c (28)
                                string                   : *
                                    string                   :
'ipa.*redacted*'
                            netbios_name: struct lsa_StringLarge
                                length                   : 0x001a (26)
                                size                     : 0x001c (28)
                                string                   : *
                                    string                   :
'ipa.*redacted*'
                            sid                      : NULL
                            trust_direction          : 0x00000003 (3)
                                   1: LSA_TRUST_DIRECTION_INBOUND
                                   1: LSA_TRUST_DIRECTION_OUTBOUND
                            trust_type               : LSA_TRUST_TYPE_MIT


and knows this domain already because a trust to the Kerberos realm was
already created.

If possible please remove the Kerberos trust from the AD side and try
again.

Please note that you cannot have trust to two realms which share the
same realm name.

HTH

bye,
Sumit

(3)
                            trust_attributes         : 0x00000000 (0)
                                   0: LSA_TRUST_ATTRIBUTE_NON_TRANSITIVE
                                   0: LSA_TRUST_ATTRIBUTE_UPLEVEL_ONLY
                                   0: LSA_TRUST_ATTRIBUTE_QUARANTINED_DOMAIN
                                   0: LSA_TRUST_ATTRIBUTE_FOREST_TRANSITIVE
                                   0: LSA_TRUST_ATTRIBUTE_CROSS_ORGANIZATION
                                   0: LSA_TRUST_ATTRIBUTE_WITHIN_FOREST
                                   0: LSA_TRUST_ATTRIBUTE_TREAT_AS_EXTERNAL
                                   0: LSA_TRUST_ATTRIBUTE_USES_RC4_ENCRYPTION
                        posix_offset: struct lsa_TrustDomainInfoPosixOffset
                            posix_offset             : 0x00000000 (0)
                        auth_info: struct lsa_TrustDomainInfoAuthInfo
                            incoming_count           : 0x00000000 (0)
                            incoming_current_auth_info: NULL
                            incoming_previous_auth_info: NULL
                            outgoing_count           : 0x00000000 (0)
                            outgoing_current_auth_info: NULL
                            outgoing_previous_auth_info: NULL
            result                   : NT_STATUS_OK
rpc reply data:
[Tue Jun 30 13:17:01.369249 2015] [:error] [pid 1063] ipa: ERROR:
non-public: TypeError: default/librpc/gen_ndr/py_lsa.c:9436: Expected type
'security.dom_sid' for 'py_dom_sid' of type 'NoneType'
[Tue Jun 30 13:17:01.369285 2015] [:error] [pid 1063] Traceback (most recent
call last):
[Tue Jun 30 13:17:01.369289 2015] [:error] [pid 1063]   File
"/usr/lib/python2.7/site-packages/ipaserver/rpcserver.py", line 348, in
wsgi_execute
[Tue Jun 30 13:17:01.369292 2015] [:error] [pid 1063]     result =
self.Command[name](*args, **options)
[Tue Jun 30 13:17:01.369294 2015] [:error] [pid 1063]   File
"/usr/lib/python2.7/site-packages/ipalib/frontend.py", line 439, in __call__
[Tue Jun 30 13:17:01.369303 2015] [:error] [pid 1063]     ret =
self.run(*args, **options)
[Tue Jun 30 13:17:01.369306 2015] [:error] [pid 1063]   File
"/usr/lib/python2.7/site-packages/ipalib/frontend.py", line 754, in run
[Tue Jun 30 13:17:01.369308 2015] [:error] [pid 1063]     return
self.execute(*args, **options)
[Tue Jun 30 13:17:01.369310 2015] [:error] [pid 1063]   File
"/usr/lib/python2.7/site-packages/ipalib/plugins/trust.py", line 474, in
execute
[Tue Jun 30 13:17:01.369313 2015] [:error] [pid 1063]     result =
self.execute_ad(full_join, *keys, **options)
[Tue Jun 30 13:17:01.369315 2015] [:error] [pid 1063]   File
"/usr/lib/python2.7/site-packages/ipalib/plugins/trust.py", line 709, in
execute_ad
[Tue Jun 30 13:17:01.369318 2015] [:error] [pid 1063] self.realm_passwd
[Tue Jun 30 13:17:01.369320 2015] [:error] [pid 1063]   File
"/usr/lib/python2.7/site-packages/ipaserver/dcerpc.py", line 1222, in
join_ad_full_credentials
[Tue Jun 30 13:17:01.369323 2015] [:error] [pid 1063]
self.remote_domain.establish_trust(self.local_domain, trustdom_pass)
[Tue Jun 30 13:17:01.369325 2015] [:error] [pid 1063]   File
"/usr/lib/python2.7/site-packages/ipaserver/dcerpc.py", line 963, in
establish_trust
[Tue Jun 30 13:17:01.369327 2015] [:error] [pid 1063]
self._pipe.DeleteTrustedDomain(self._policy_handle, res.info_ex.sid)
[Tue Jun 30 13:17:01.369330 2015] [:error] [pid 1063] TypeError:
default/librpc/gen_ndr/py_lsa.c:9436: Expected type 'security.dom_sid' for
'py_dom_sid' of type 'NoneType'
[Tue Jun 30 13:17:01.369648 2015] [:error] [pid 1063] ipa: INFO:
[jsonserver_session] admin@IPA.*redacted*: trust_add(u'*redacted*',
trust_type=u'ad', realm_admin=u'*redacted*', realm_passwd=u'********',
all=False, raw=False, version=u'2.112'): TypeError


These are whole logs with "log level = 100" set in smb.conf.empty. Log files
were emptied before the above command was run. If there is any other
information required please let me know.

Software versions:
Fedora 22: 4.1.4
Fedora 22: 4.2 Alpha 1

Oracle Linux 7.1 64bit: without DNS
ipa-server.x86_64 - 4.1.0-18.0.1-el17_1.3
ipa-server-trust-ad.x86_64 - 4.1.0-18.0.1-el17_1.3

CentOS 7.1 64bit: With DNS
ipa-server.x86_64 - 4.1.0-18-el7.centos.3
ipa-server-trust-ad.x86_64 - 4.1.0-18-el7.centos.3


Regards,
David

--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project

Thank you, removed this from AD and tried the command again and this time validated.

Cheers,
David
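
A triage check for the condition diagnosed in this thread, as an added example that is not part of the original messages or FreeIPA's own code: it scans Samba debug output for lsa_QueryTrustedDomainInfoByName replies in which AD returned an existing trust object with a NULL SID. The function names, the sample domain names and the sample SID are assumptions constructed for illustration.

```python
import re

# Constructed sample modelled on the Samba "log level = 100" output in this
# thread; domain names and the SID are placeholders, not values from the thread.
SAMPLE_LOG = """\
        out: struct lsa_QueryTrustedDomainInfoByName
                            domain_name: struct lsa_StringLarge
                                string                   : *
                                    string                   : 'ipa.example.test'
                            sid                      : NULL
                            trust_type               : LSA_TRUST_TYPE_MIT (3)
            result                   : NT_STATUS_OK
        out: struct lsa_QueryTrustedDomainInfoByName
                            domain_name: struct lsa_StringLarge
                                string                   : *
                                    string                   : 'ad.example.test'
                            sid                      : *
                                sid                      : S-1-5-21-1111111111-2222222222-3333333333
                            trust_type               : LSA_TRUST_TYPE_UPLEVEL (2)
            result                   : NT_STATUS_OK
"""

REPLY = re.compile(r"out: struct lsa_QueryTrustedDomainInfoByName(.*?)result\s*:\s*(\w+)", re.S)

def parse_trust_replies(log_text):
    """Return one dict per successful lsa_QueryTrustedDomainInfoByName reply."""
    replies = []
    for body, status in REPLY.findall(log_text):
        if status != "NT_STATUS_OK":
            continue  # no existing trusted-domain object was returned
        # \s* also spans line breaks, so mail-wrapped values still match.
        name = re.search(r"domain_name:.*?string\s*:\s*'([^']*)'", body, re.S)
        ttype = re.search(r"trust_type\s*:\s*(LSA_TRUST_TYPE_\w+)", body)
        sids = re.findall(r"^\s*sid\s*:\s*(\S+)", body, re.M)
        replies.append({
            "domain": name.group(1) if name else None,
            "trust_type": ttype.group(1) if ttype else None,
            # A populated SID is dumped as "*" followed by the S-1-... value.
            "sid": next((s for s in sids if s.startswith("S-")), None),
        })
    return replies

def conflicting_realm_trusts(log_text):
    """Existing trust objects with no SID, as in the failing trust_add above."""
    return [r for r in parse_trust_replies(log_text) if r["sid"] is None]

if __name__ == "__main__":
    for r in conflicting_realm_trusts(SAMPLE_LOG):
        print("remove on the AD side before retrying:", r["domain"], r["trust_type"])
```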
