Apologies, now with proper subject.

On 13 April 2017 at 16:49, Tiemen Ruiten <t.rui...@rdmedia.com> wrote:

> Hello!
>
> As I understand from this
> <https://www.redhat.com/archives/freeipa-users/2016-October/msg00147.html>
> thread, it should be possible to set up a trust between FreeIPA and Samba4.
> My AD domain is clients.i.rdmedia.com, it's a subdomain of my FreeIPA
> domain, i.rdmedia.com. Therefore I added a global forwarder on the Samba AD
> DC to one of the FreeIPA replicas and lookup of SRV records in both domains
> appears to work.
>
> However when I try to add the trust I get "ipa: ERROR an internal error
> has occurred". I ran the trust-add command with full debug logging as
> described on
> https://www.freeipa.org/page/Active_Directory_trust_setup#Debugging_trust,
> so I can provide these logs privately upon request.
>
> I suspect some DNS issue, as right after I try to set up the trust, dynamic
> updates stop working on the AD Domain Controller with this error:
>
> tkey query failed: GSSAPI error: Major = Unspecified GSS failure. Minor code may provide more information, Minor = Server DNS/fluorine.clients.i.rdmedia....@i.rdmedia.com not found in Kerberos database.
> Failed nsupdate: 1
> update(nsupdate): SRV _ldap._tcp.Default-First-Site-Name._sites.ForestDnsZones.clients.i.rdmedia.com fluorine.clients.i.rdmedia.com 389
> Calling nsupdate for SRV _ldap._tcp.Default-First-Site-Name._sites.ForestDnsZones.clients.i.rdmedia.com fluorine.clients.i.rdmedia.com 389 (add)
> Outgoing update query:
> ;; ->>HEADER<<- opcode: UPDATE, status: NOERROR, id: 0
> ;; flags:; ZONE: 0, PREREQ: 0, UPDATE: 0, ADDITIONAL: 0
> ;; UPDATE SECTION:
> _ldap._tcp.Default-First-Site-Name._sites.ForestDnsZones.clients.i.rdmedia.com. 900 IN SRV 0 100 389 fluorine.clients.i.rdmedia.com.
>
> Many thanks in advance for your assistance.
>
> --
> Tiemen Ruiten
> Systems Engineer
> R&D Media

--
Tiemen Ruiten
Systems Engineer
R&D Media
--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project