On Wed, Dec 28, 2016 at 08:52:41AM -0500, Chris Dagdigian wrote: > > Hi folks, > > I may have network blocks between one of my IPA replicas and the *many* > remote AD servers that need to be queried but I can only see evidence of > this in the authentication failures and the debug level logging. > > Not sure how to test from the command line to verify connectivity or narrow > down which ports may be getting blocked. > > Are there any common CLI techniques, ldaps:// search queries or other > commands that could be run from an IPA replica to confirm basic > communication with a remote AD controller?
1) kinit with the trust keytab. The exact principals depend on your IPA and Windows realm names, in my test setup it is: # ls /var/lib/sss/keytabs/ win.trust.test.keytab #kinit -kt /var/lib/sss/keytabs/win.trust.test.keytab 'IPA$@WIN.TRUST.TEST' (the principal is taken from the keytab, see klist -k /var/lib/sss/keytabs/win.trust.test.keytab) 2) search the DC #ldapsearch -Y GSSAPI -H ldap://dc.win.trust.test -b dc=win,dc=trust,dc=test -s base btw at the moment it is not possible to set custom DCs to talk to. This feature will come in the next version (sssd-1-15). -- Manage your subscription for the Freeipa-users mailing list: https://www.redhat.com/mailman/listinfo/freeipa-users Go to http://freeipa.org for more info on the project