On Fri, Jul 03, 2015 at 03:30:38PM +0100, David Fox wrote:
> On 2015-07-02 12:47, Sumit Bose wrote:
> >On Wed, Jul 01, 2015 at 02:37:44PM +0100, David Fox wrote:
> >>I am encountering issues trying to integrate FreeIPA with AD, on *nix
> >>prompt I get "internal server error" and within I receive the following
> >>message in httpd_errorlog.
> >>
> >
> >It looks like we ask AD if it already has a trust to a domain called
> >'ipa.*redacted*' and ....
> >
> >>rpc reply data:
> >>[0000] 00 00 02 00 06 00 00 00 03 00 00 00 00 00 00 00 ........ ........
> >>  lsa_QueryTrustedDomainInfoByName: struct lsa_QueryTrustedDomainInfoByName
> >>    in: struct lsa_QueryTrustedDomainInfoByName
> >>      handle : *
> >>        handle: struct policy_handle
> >>          handle_type : 0x00000000 (0)
> >>          uuid : 0593f50d-b3c4-4b0a-b3d7-f502da1ea0e6
> >>      trusted_domain : *
> >>        trusted_domain: struct lsa_String
> >>          length : 0x001a (26)
> >>          size : 0x001a (26)
> >>          string : *
> >>            string : 'ipa.*redacted*'
> >>      level : LSA_TRUSTED_DOMAIN_INFO_FULL_INFO (8)
> >>rpc request data:
> >>[0000] 00 00 00 00 0D F5 93 05 C4 B3 0A 4B B3 D7 F5 02 ........ ...K....
> >>[0010] DA 1E A0 E6 1A 00 1A 00 00 00 02 00 0D 00 00 00 ........ ........
> >>[0020] 00 00 00 00 0D 00 00 00 69 00 70 00 61 00 2E 00 ........ i.p.a...
> >>[0030] 68 00 73 00 61 00 2E 00 63 00 6F 00 2E 00 75 00 a... c.o...u.
> >>[0040] 6B 00 08 00 k...
> >>s4_tevent: Schedule immediate event "dcerpc_io_trigger": 0x7fdde0230710
> >>s4_tevent: Added timed event "dcerpc_timeout_handler": 0x7fdde00ef550
> >>s4_tevent: Run immediate event "dcerpc_io_trigger": 0x7fdde0230710
> >>s4_tevent: Schedule immediate event "dcerpc_io_trigger": 0x7fdde0230710
> >>num_setup=2, max_setup=0, param_total=0, this_param=0, max_param=0, data_total=92, this_data=92, max_data=4280, param_offset=84, param_pad=2, param_disp=0, data_offset=84, data_pad=0, data_disp=0
> >>s4_tevent: Added timed event "tevent_req_timedout": 0x7fdde00ee2f0
> >>smb_signing_md5: sequence number 14
> >>smb_signing_sign_pdu: sent SMB signature of
> >>[0000] B0 93 27 43 EE 4A 37 94 ..'C.J7.
> >>s4_tevent: Schedule immediate event "tevent_queue_immediate_trigger": 0x7fdde00f5a60
> >>s4_tevent: Run immediate event "dcerpc_io_trigger": 0x7fdde0230710
> >>s4_tevent: Run immediate event "tevent_queue_immediate_trigger": 0x7fdde00f5a60
> >>smb_signing_md5: sequence number 15
> >>smb_signing_check_pdu: seq 15: got good SMB signature of
> >>[0000] 8F F4 5B 5F 27 39 4C 42 ..[_'9LB
> >>s4_tevent: Destroying timer event 0x7fdde00ee2f0 "tevent_req_timedout"
> >>s4_tevent: Schedule immediate event "tevent_req_trigger": 0x7fdde050c440
> >>s4_tevent: Run immediate event "tevent_req_trigger": 0x7fdde050c440
> >>s4_tevent: Destroying timer event 0x7fdde00ef550 "dcerpc_timeout_handler"
> >>s4_tevent: Schedule immediate event "tevent_req_trigger": 0x7fdde05110e0
> >>s4_tevent: Run immediate event "tevent_req_trigger": 0x7fdde05110e0
> >>  lsa_QueryTrustedDomainInfoByName: struct lsa_QueryTrustedDomainInfoByName
> >>    out: struct lsa_QueryTrustedDomainInfoByName
> >>      info : *
> >>        info : *
> >>          info : union lsa_TrustedDomainInfo(case 8)
> >>          full_info: struct lsa_TrustDomainInfoFullInfo
> >>            info_ex: struct lsa_TrustDomainInfoInfoEx
> >>              domain_name: struct lsa_StringLarge
> >>                length : 0x001a (26)
> >>                size : 0x001c (28)
> >>                string : *
> >>                  string : 'ipa.*redacted*'
> >>              netbios_name: struct lsa_StringLarge
> >>                length : 0x001a (26)
> >>                size : 0x001c (28)
> >>                string : *
> >>                  string : 'ipa.*redacted*'
> >>              sid : NULL
> >>              trust_direction : 0x00000003 (3)
> >>                1: LSA_TRUST_DIRECTION_INBOUND
> >>                1: LSA_TRUST_DIRECTION_OUTBOUND
> >>              trust_type : LSA_TRUST_TYPE_MIT
> >
> >
> >and knows this domain already because a trust to the Kerberos realm was
> >already created.
> >
> >If possible please remove the Kerberos trust from the AD side and try
> >again.
> >
> >Please note that you cannot have trust to two realms which share the
> >same realm name.
> >
> >HTH
> >
> >bye,
> >Sumit
> >
> >>(3)
> >>              trust_attributes : 0x00000000 (0)
> >>                0: LSA_TRUST_ATTRIBUTE_NON_TRANSITIVE
> >>                0: LSA_TRUST_ATTRIBUTE_UPLEVEL_ONLY
> >>                0: LSA_TRUST_ATTRIBUTE_QUARANTINED_DOMAIN
> >>                0: LSA_TRUST_ATTRIBUTE_FOREST_TRANSITIVE
> >>                0: LSA_TRUST_ATTRIBUTE_CROSS_ORGANIZATION
> >>                0: LSA_TRUST_ATTRIBUTE_WITHIN_FOREST
> >>                0: LSA_TRUST_ATTRIBUTE_TREAT_AS_EXTERNAL
> >>                0: LSA_TRUST_ATTRIBUTE_USES_RC4_ENCRYPTION
> >>            posix_offset: struct lsa_TrustDomainInfoPosixOffset
> >>              posix_offset : 0x00000000 (0)
> >>            auth_info: struct lsa_TrustDomainInfoAuthInfo
> >>              incoming_count : 0x00000000 (0)
> >>              incoming_current_auth_info: NULL
> >>              incoming_previous_auth_info: NULL
> >>              outgoing_count : 0x00000000 (0)
> >>              outgoing_current_auth_info: NULL
> >>              outgoing_previous_auth_info: NULL
> >>      result : NT_STATUS_OK
> >>rpc reply data:
> >>[0000] 00 00 02 00 08 00 00 00 1A 00 1C 00 04 00 02 00 ........ ........
> >>[0010] 1A 00 1C 00 08 00 02 00 00 00 00 00 03 00 00 00 ........ ........
> >>[0020] 03 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ........ ........
> >>[0030] 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ........ ........
> >>[0040] 00 00 00 00 0E 00 00 00 00 00 00 00 0D 00 00 00 ........ ........
> >>[0050] 69 00 70 00 61 00 2E 00 68 00 73 00 61 00 2E 00 i.p.a... h...
> >>[0060] 63 00 6F 00 2E 00 75 00 6B 00 00 00 0E 00 00 00 c.o...u. k.......
> >>[0070] 00 00 00 00 0D 00 00 00 69 00 70 00 61 00 2E 00 ........ i.p.a...
> >>[0080] 68 00 73 00 61 00 2E 00 63 00 6F 00 2E 00 75 00 ... c.o...u.
> >>[0090] 6B 00 00 00 00 00 00 00 k.......
> >>[Tue Jun 30 13:17:01.369249 2015] [:error] [pid 1063] ipa: ERROR: non-public: TypeError: default/librpc/gen_ndr/py_lsa.c:9436: Expected type 'security.dom_sid' for 'py_dom_sid' of type 'NoneType'
> >>[Tue Jun 30 13:17:01.369285 2015] [:error] [pid 1063] Traceback (most recent call last):
> >>[Tue Jun 30 13:17:01.369289 2015] [:error] [pid 1063]   File "/usr/lib/python2.7/site-packages/ipaserver/rpcserver.py", line 348, in wsgi_execute
> >>[Tue Jun 30 13:17:01.369292 2015] [:error] [pid 1063]     result = self.Command[name](*args, **options)
> >>[Tue Jun 30 13:17:01.369294 2015] [:error] [pid 1063]   File "/usr/lib/python2.7/site-packages/ipalib/frontend.py", line 439, in __call__
> >>[Tue Jun 30 13:17:01.369303 2015] [:error] [pid 1063]     ret = self.run(*args, **options)
> >>[Tue Jun 30 13:17:01.369306 2015] [:error] [pid 1063]   File "/usr/lib/python2.7/site-packages/ipalib/frontend.py", line 754, in run
> >>[Tue Jun 30 13:17:01.369308 2015] [:error] [pid 1063]     return self.execute(*args, **options)
> >>[Tue Jun 30 13:17:01.369310 2015] [:error] [pid 1063]   File "/usr/lib/python2.7/site-packages/ipalib/plugins/trust.py", line 474, in execute
> >>[Tue Jun 30 13:17:01.369313 2015] [:error] [pid 1063]     result = self.execute_ad(full_join, *keys, **options)
> >>[Tue Jun 30 13:17:01.369315 2015] [:error] [pid 1063]   File "/usr/lib/python2.7/site-packages/ipalib/plugins/trust.py", line 709, in execute_ad
> >>[Tue Jun 30 13:17:01.369318 2015] [:error] [pid 1063]     self.realm_passwd
> >>[Tue Jun 30 13:17:01.369320 2015] [:error] [pid 1063]   File "/usr/lib/python2.7/site-packages/ipaserver/dcerpc.py", line 1222, in join_ad_full_credentials
> >>[Tue Jun 30 13:17:01.369323 2015] [:error] [pid 1063]     self.remote_domain.establish_trust(self.local_domain, trustdom_pass)
> >>[Tue Jun 30 13:17:01.369325 2015] [:error] [pid 1063]   File "/usr/lib/python2.7/site-packages/ipaserver/dcerpc.py", line 963, in establish_trust
> >>[Tue Jun 30 13:17:01.369327 2015] [:error] [pid 1063]     self._pipe.DeleteTrustedDomain(self._policy_handle, res.info_ex.sid)
> >>[Tue Jun 30 13:17:01.369330 2015] [:error] [pid 1063] TypeError: default/librpc/gen_ndr/py_lsa.c:9436: Expected type 'security.dom_sid' for 'py_dom_sid' of type 'NoneType'
> >>[Tue Jun 30 13:17:01.369648 2015] [:error] [pid 1063] ipa: INFO: [jsonserver_session] admin@IPA.*redacted*: trust_add(u'*redacted*', trust_type=u'ad', realm_admin=u'*redacted*', realm_passwd=u'********', all=False, raw=False, version=u'2.112'): TypeError
> >>
> >>
> >>These are whole logs with "log level = 100" set in smb.conf.empty. Log
> >>files were emptied before the above command was run. If there is any
> >>other information required please let me know.
> >>
> >>Software versions:
> >>Fedora 22: 4.1.4
> >>Fedora 22: 4.2 Alpha 1
> >>
> >>Oracle Linux 7.1 64bit: without DNS
> >>ipa-server.x86_64 - 4.1.0-18.0.1-el17_1.3
> >>ipa-server-trust-ad.x86_64 - 4.1.0-18.0.1-el17_1.3
> >>
> >>CentOS 7.1 64bit: With DNS
> >>ipa-server.x86_64 - 4.1.0-18-el7.centos.3
> >>ipa-server-trust-ad.x86_64 - 4.1.0-18-el7.centos.3
> >>
> >>
> >>Regards,
> >>David
> >>
> >>--
> >>Manage your subscription for the Freeipa-users mailing list:
> >>https://www.redhat.com/mailman/listinfo/freeipa-users
> >>Go to http://freeipa.org for more info on the project
>
> Thank you, removed this from AD and tried the command again and this time
> validated.

Thank you for the feedback, glad I could help. Thanks for finding and
reopening https://fedorahosted.org/freeipa/ticket/4999. I've added a
comment about the reason for this issue.

bye,
Sumit

>
> Cheers,
> David

--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project
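
The quoted dump shows AD answering lsa_QueryTrustedDomainInfoByName with an existing trust whose trust_type is LSA_TRUST_TYPE_MIT and whose sid is NULL, which is the value the traceback then fails on. As an added example (not part of the thread and not FreeIPA code), the following check scans such debug output for replies of that kind before trust-add is retried; the helper name, the sample dump and its domain are constructed, and the input is assumed to be the raw multi-line Samba output.

```python
import re

# Constructed sample modelled on the Samba debug dump quoted in the thread
# (assumed to be the raw multi-line output; the domain is a placeholder).
SAMPLE_LOG = """\
lsa_QueryTrustedDomainInfoByName: struct lsa_QueryTrustedDomainInfoByName
    out: struct lsa_QueryTrustedDomainInfoByName
        info : *
            info : union lsa_TrustedDomainInfo(case 8)
            full_info: struct lsa_TrustDomainInfoFullInfo
                info_ex: struct lsa_TrustDomainInfoInfoEx
                    domain_name: struct lsa_StringLarge
                        length : 0x0020 (32)
                        string : *
                            string : 'ipa.example.test'
                    sid : NULL
                    trust_direction : 0x00000003 (3)
                    trust_type : LSA_TRUST_TYPE_MIT (3)
        result : NT_STATUS_OK
"""

FIELD = re.compile(r"^\s*(\w+)\s*:\s*(.*?)\s*$")

def find_blocking_trusts(log_text):  # hypothetical helper name
    """Return trusts AD already holds that are MIT realm trusts or lack a SID."""
    hits, rec, in_reply, want_name = [], {}, False, False
    for line in log_text.splitlines():
        if "out: struct lsa_QueryTrustedDomainInfoByName" in line:
            in_reply, rec, want_name = True, {}, False   # start of one reply
            continue
        m = FIELD.match(line)
        if not in_reply or not m:
            continue
        key, value = m.groups()
        if key == "domain_name":
            want_name = True             # next quoted string is the domain
        elif key == "string" and want_name and value.startswith("'"):
            rec["domain"], want_name = value.strip("'"), False
        elif key in ("sid", "trust_type") and value:
            rec[key] = value.split()[0]  # drop the trailing "(3)"
        elif key == "result":            # end of reply: decide and reset
            if rec.get("sid") == "NULL" or rec.get("trust_type") == "LSA_TRUST_TYPE_MIT":
                hits.append(rec)
            in_reply = False
    return hits

if __name__ == "__main__":
    for trust in find_blocking_trusts(SAMPLE_LOG):
        print("existing trust that conflicts:", trust)
```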