Excerpt from the httpd error_log on the FreeIPA replica:

[Thu Apr 13 11:17:44.072996 2017] [:error] [pid 28346] ipa: INFO: [jsonserver_kerb] ad...@i.rdmedia.com: ping(): SUCCESS
[Thu Apr 13 11:17:50.708019 2017] [:error] [pid 28347] ipa: ERROR: non-public: RuntimeError: (-1073741811, 'Unexpected information received')
[Thu Apr 13 11:17:50.708121 2017] [:error] [pid 28347] Traceback (most recent call last):
[Thu Apr 13 11:17:50.708132 2017] [:error] [pid 28347]   File "/usr/lib/python2.7/site-packages/ipaserver/rpcserver.py", line 366, in wsgi_execute
[Thu Apr 13 11:17:50.708140 2017] [:error] [pid 28347]     result = command(*args, **options)
[Thu Apr 13 11:17:50.708147 2017] [:error] [pid 28347]   File "/usr/lib/python2.7/site-packages/ipalib/frontend.py", line 449, in __call__
[Thu Apr 13 11:17:50.708154 2017] [:error] [pid 28347]     return self.__do_call(*args, **options)
[Thu Apr 13 11:17:50.708161 2017] [:error] [pid 28347]   File "/usr/lib/python2.7/site-packages/ipalib/frontend.py", line 477, in __do_call
[Thu Apr 13 11:17:50.708168 2017] [:error] [pid 28347]     ret = self.run(*args, **options)
[Thu Apr 13 11:17:50.708213 2017] [:error] [pid 28347]   File "/usr/lib/python2.7/site-packages/ipalib/frontend.py", line 799, in run
[Thu Apr 13 11:17:50.708223 2017] [:error] [pid 28347]     return self.execute(*args, **options)
[Thu Apr 13 11:17:50.708229 2017] [:error] [pid 28347]   File "/usr/lib/python2.7/site-packages/ipaserver/plugins/trust.py", line 739, in execute
[Thu Apr 13 11:17:50.708237 2017] [:error] [pid 28347]     result = self.execute_ad(full_join, *keys, **options)
[Thu Apr 13 11:17:50.708244 2017] [:error] [pid 28347]   File "/usr/lib/python2.7/site-packages/ipaserver/plugins/trust.py", line 989, in execute_ad
[Thu Apr 13 11:17:50.708258 2017] [:error] [pid 28347]     trust_type
[Thu Apr 13 11:17:50.708265 2017] [:error] [pid 28347]   File "/usr/lib/python2.7/site-packages/ipaserver/dcerpc.py", line 1683, in join_ad_full_credentials
[Thu Apr 13 11:17:50.708272 2017] [:error] [pid 28347]     trust_type, trust_external)
[Thu Apr 13 11:17:50.708279 2017] [:error] [pid 28347]   File "/usr/lib/python2.7/site-packages/ipaserver/dcerpc.py", line 1363, in establish_trust
[Thu Apr 13 11:17:50.708285 2017] [:error] [pid 28347]     self.update_ftinfo(another_domain)
[Thu Apr 13 11:17:50.708292 2017] [:error] [pid 28347]   File "/usr/lib/python2.7/site-packages/ipaserver/dcerpc.py", line 1252, in update_ftinfo
[Thu Apr 13 11:17:50.708299 2017] [:error] [pid 28347]     ftinfo, 0)
[Thu Apr 13 11:17:50.708305 2017] [:error] [pid 28347] RuntimeError: (-1073741811, 'Unexpected information received')
[Thu Apr 13 11:17:50.709161 2017] [:error] [pid 28347] ipa: INFO: [jsonserver_kerb] ad...@i.rdmedia.com: trust_add/1(u'clients.i.rdmedia.com', trust_type=u'ad', realm_admin=u'Administrator', realm_passwd=u'********', version=u'2.213'): RuntimeError
On 13 April 2017 at 18:08, Tiemen Ruiten <t.rui...@rdmedia.com> wrote:
> Of course:
>
> FreeIPA versions:
> [root@ipa-ams-01 samba]# rpm -qa | grep ipa
> libipa_hbac-1.14.0-43.el7_3.14.x86_64
> sssd-ipa-1.14.0-43.el7_3.14.x86_64
> python2-ipaclient-4.4.0-14.el7.centos.7.noarch
> ipa-server-trust-ad-4.4.0-14.el7.centos.7.x86_64
> ipa-client-common-4.4.0-14.el7.centos.7.noarch
> python-iniparse-0.4-9.el7.noarch
> python-libipa_hbac-1.14.0-43.el7_3.14.x86_64
> python2-ipalib-4.4.0-14.el7.centos.7.noarch
> ipa-admintools-4.4.0-14.el7.centos.7.noarch
> ipa-server-common-4.4.0-14.el7.centos.7.noarch
> ipa-server-4.4.0-14.el7.centos.7.x86_64
> ipa-server-dns-4.4.0-14.el7.centos.7.noarch
> python-ipaddress-1.0.16-2.el7.noarch
> ipa-client-4.4.0-14.el7.centos.7.x86_64
> python2-ipaserver-4.4.0-14.el7.centos.7.noarch
> ipa-common-4.4.0-14.el7.centos.7.noarch
>
> Samba AD DC versions:
> Also CentOS 7, Samba 4.6.2, built from source, configure with one option:
> --with-systemd
>
> FreeIPA controls i.rdmedia.com, prod.ams.i.rdmedia.com,
> test.ams.i.rdmedia.com and prod.nyc.i.rdmedia.com.
> AD controls only clients.i.rdmedia.com and forwards all other DNS queries
> to ipa-ams-01.
>
> Samba uses the BIND9_DLZ backend for DNS.
>
> Regarding the commands run: After provisioning the AD domain, I followed
> this <https://www.freeipa.org/page/Active_Directory_trust_setup> guide,
> except I set up the global forwarder in /etc/named.conf manually.
>
> I got the "ipa: ERROR an internal error has occurred" after running:
>
> ipa trust-add --type=ad clients.i.rdmedia.com --admin Administrator
> --password
>
> On 13 April 2017 at 17:09, Alexander Bokovoy <aboko...@redhat.com> wrote:
>
>> On Thu, 13 Apr 2017, Tiemen Ruiten wrote:
>>
>>> Apologies, now with proper subject.
>>>
>>> On 13 April 2017 at 16:49, Tiemen Ruiten <t.rui...@rdmedia.com> wrote:
>>>
>>> Hello!
>>>>
>>>> As I understand from this
>>>> <https://www.redhat.com/archives/freeipa-users/2016-October/msg00147.html> thread,
>>>>
>>>> it should be possible to set up a trust between FreeIPA and Samba4. My AD
>>>> domain is clients.i.rdmedia.com, it's a subdomain of my FreeIPA domain,
>>>> i.rdmedia.com. Therefore I added a global forwarder on the Samba AD DC to
>>>> one of the FreeIPA replicas and lookup of SRV records in both domains
>>>> appears to work.
>>>>
>>>> However when I try to add the trust I get "ipa: ERROR an internal error
>>>> has occurred". I ran the trust-add command with full debug logging as
>>>> described on https://www.freeipa.org/page/Active_Directory_trust_setup#Debugging_trust,
>>>> so I can provide these logs privately upon request.
>>>>
>>>> I suspect some DNS issue, as right after I try to set up the trust, dynamic
>>>> updates stop working on the AD Domain Controller with this error:
>>>>
>>>> tkey query failed: GSSAPI error: Major = Unspecified GSS failure. Minor
>>>> code may provide more information, Minor = Server
>>>> DNS/fluorine.clients.i.rdmedia....@i.rdmedia.com not found in Kerberos database.
>>>> Failed nsupdate: 1
>>>> update(nsupdate): SRV _ldap._tcp.Default-First-Site-Name._sites.ForestDnsZones.clients.i.rdmedia.com fluorine.clients.i.rdmedia.com 389
>>>> Calling nsupdate for SRV _ldap._tcp.Default-First-Site-Name._sites.ForestDnsZones.clients.i.rdmedia.com fluorine.clients.i.rdmedia.com 389 (add)
>>>> Outgoing update query:
>>>> ;; ->>HEADER<<- opcode: UPDATE, status: NOERROR, id: 0
>>>> ;; flags:; ZONE: 0, PREREQ: 0, UPDATE: 0, ADDITIONAL: 0
>>>> ;; UPDATE SECTION:
>>>> _ldap._tcp.Default-First-Site-Name._sites.ForestDnsZones.clients.i.rdmedia.com. 900 IN SRV 0 100 389 fluorine.clients.i.rdmedia.com.
>>>>
>>>> Many thanks in advance for your assistance.
>>>>
>> It would help if you would provide more details on your setup. The above
>> doesn't give a clue on:
>> - what are FreeIPA and Samba AD DC versions
>> - on what OS versions they run, correspondingly
>> - what DNS zones each of them control
>> - what commands did you run
>>
>> --
>> / Alexander Bokovoy
>>
>
>
>
> --
> Tiemen Ruiten
> Systems Engineer
> R&D Media

--
Tiemen Ruiten
Systems Engineer
R&D Media
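A small triage helper, added here as an example and not part of this thread or of FreeIPA itself, for the kind of httpd error_log excerpt quoted above. It groups the log records by Apache worker pid, pulls the RuntimeError tuple that the Samba DCE/RPC binding raises (a signed 32-bit NTSTATUS plus Samba's description text), converts the signed value back to the usual hex form, and ties it to the FreeIPA command line that logged the failure. -1073741811 decodes to 0xC000000D, which is NT_STATUS_INVALID_PARAMETER; the status-name table and the sample log (principal and domain names replaced with example.test placeholders) are constructed for the example, and the check that the realm password was masked in the log is a defender's sanity check, not something the thread discusses.

```python
import re

# Constructed sample in the httpd error_log layout quoted in the thread
# (pids and timestamps match the excerpt; traceback shortened; names are placeholders).
SAMPLE_LOG = """\
[Thu Apr 13 11:17:44.072996 2017] [:error] [pid 28346] ipa: INFO: [jsonserver_kerb] admin@EXAMPLE.TEST: ping(): SUCCESS
[Thu Apr 13 11:17:50.708019 2017] [:error] [pid 28347] ipa: ERROR: non-public: RuntimeError: (-1073741811, 'Unexpected information received')
[Thu Apr 13 11:17:50.708121 2017] [:error] [pid 28347] Traceback (most recent call last):
[Thu Apr 13 11:17:50.708132 2017] [:error] [pid 28347]   File "/usr/lib/python2.7/site-packages/ipaserver/dcerpc.py", line 1252, in update_ftinfo
[Thu Apr 13 11:17:50.708299 2017] [:error] [pid 28347]     ftinfo, 0)
[Thu Apr 13 11:17:50.708305 2017] [:error] [pid 28347] RuntimeError: (-1073741811, 'Unexpected information received')
[Thu Apr 13 11:17:50.709161 2017] [:error] [pid 28347] ipa: INFO: [jsonserver_kerb] admin@EXAMPLE.TEST: trust_add/1(u'clients.example.test', trust_type=u'ad', realm_admin=u'Administrator', realm_passwd=u'********', version=u'2.213'): RuntimeError
"""

# One httpd error_log record: timestamp, module/level, worker pid, free-form message.
LINE_RE = re.compile(r'^\[(?P<ts>[^\]]+)\] \[:error\] \[pid (?P<pid>\d+)\] (?P<msg>.*)$')
# Samba's Python bindings raise RuntimeError((signed_ntstatus, description)).
RUNTIME_RE = re.compile(r"RuntimeError: \((?P<code>-?\d+), '(?P<text>[^']*)'\)")
# FreeIPA's per-request summary line: principal, command/version(args): outcome.
CMD_RE = re.compile(r'ipa: INFO: \[(?P<server>[^\]]+)\] (?P<principal>\S+): '
                    r'(?P<cmd>\w+)/(?P<ver>\d+)\((?P<args>.*)\): (?P<outcome>\w+)$')
FRAME_RE = re.compile(r'File "(?P<file>[^"]+)", line (?P<line>\d+), in (?P<func>\w+)')

# Constructed subset of NTSTATUS names seen in trust/DCE-RPC failures (assumed table).
NTSTATUS_NAMES = {
    0xC000000D: "NT_STATUS_INVALID_PARAMETER",
    0xC0000022: "NT_STATUS_ACCESS_DENIED",
    0xC000006D: "NT_STATUS_LOGON_FAILURE",
}


def ntstatus_hex(signed_code):
    """Reinterpret the signed 32-bit value from the log as an unsigned NTSTATUS."""
    return "0x%08X" % (signed_code & 0xFFFFFFFF)


def password_masked(args):
    """True when the realm_passwd argument was logged masked, as FreeIPA does."""
    m = re.search(r"realm_passwd=u?'(?P<val>[^']*)'", args)
    return m is not None and set(m['val']) == {'*'}


def parse_failed_commands(log_text):
    """Return one record per failed FreeIPA command, with the decoded NTSTATUS."""
    per_pid = {}
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            per_pid.setdefault(m['pid'], []).append(m['msg'])

    results = []
    for pid, msgs in per_pid.items():
        error, frames = None, []
        for msg in msgs:
            rt = RUNTIME_RE.search(msg)
            if rt and error is None:          # first sighting of the error tuple
                code = int(rt['code'])
                unsigned = code & 0xFFFFFFFF
                error = {"code": code, "status": ntstatus_hex(code),
                         "status_name": NTSTATUS_NAMES.get(unsigned, "unknown"),
                         "text": rt['text']}
            fr = FRAME_RE.search(msg)
            if fr:
                frames.append((fr['file'], int(fr['line']), fr['func']))
            cm = CMD_RE.search(msg)
            if cm and cm['outcome'] != 'SUCCESS' and error is not None:
                results.append({"pid": pid, "principal": cm['principal'],
                                "command": cm['cmd'], "args": cm['args'],
                                "outcome": cm['outcome'],
                                "frame": frames[-1] if frames else None, **error})
                error, frames = None, []     # reset for the next request on this worker
    return results


if __name__ == "__main__":
    for rec in parse_failed_commands(SAMPLE_LOG):
        print("%(command)s by %(principal)s failed: %(status)s %(status_name)s "
              "(%(text)s) innermost frame %(frame)s" % rec)
```

The grouping by pid matters on a real server: several prefork workers interleave their records in one error_log, and the traceback for one request must not be attached to a command summary logged by another worker.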
--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project