On Wed, Dec 28, 2016 at 08:52:41AM -0500, Chris Dagdigian wrote:
> Hi folks,
> I may have network blocks between one of my IPA replicas and the *many*
> remote AD servers that need to be queried but I can only see evidence of
> this in the authentication failures and the debug level logging.
> Not sure how to test from the command line to verify connectivity or narrow
> down which ports may be getting blocked.
> Are there any common CLI techniques, ldaps:// search queries or other
> commands that could be run from an IPA replica to confirm basic
> communication with a remote AD controller?

1) kinit with the trust keytab. The exact principals depend on your IPA
and Windows realm names, in my test setup it is:

# ls /var/lib/sss/keytabs/
#kinit -kt /var/lib/sss/keytabs/win.trust.test.keytab 'IPA$@WIN.TRUST.TEST'
(the principal is taken from the keytab, see klist -k

2) search the DC
#ldapsearch -Y GSSAPI -H ldap://dc.win.trust.test -b dc=win,dc=trust,dc=test -s 

btw at the moment it is not possible to set custom DCs to talk to. This
feature will come in the next version (sssd-1-15).

Manage your subscription for the Freeipa-users mailing list:
Go to http://freeipa.org for more info on the project

Reply via email to