Re: [Freeipa-users] add trust between FreeIPA and Samba AD DC

2017-04-28 Thread Jakub Hrozek
On Fri, Apr 28, 2017 at 07:27:20PM +0200, Tiemen Ruiten wrote:
> Hello Alexander, list,
> 
> I did get further by specifying --external=true in the ipa trust-add
> command, it works now for *both* the Windows and the Samba domain:
> 
> ipa trust-add office.rdmedia.com --type=ad --admin Administrator --password
> --two-way=false --external=true
> 
> IPA reports the trust is established successfully and I can also see it in
> Active Directory Domains and Trusts. However, adding users/groups to an
> external group fails:
> 
> [root@ipa-ams-01 tiemen]# ipa group-add-member office_admins_external
> --external "OFFICE\domain admins"
> [member user]:
> [member group]:
>   Group name: office_admins_external
>   Description: office.rdmedia.com admins external map
>   Failed members:
> member user:
> member group: *OFFICE\domain admins: trusted domain object not found*
> -
> Number of members added 0
> -

Domain Admins is a domain-local group typically. I would advise against
using those for cross-forest trust memberships in general.

Can you also check if you can resolve objects from the trusted AD/Samba
domain? Try:
getent passwd administra...@office.rdmedia.com
for example.

-- 
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project


Re: [Freeipa-users] add trust between FreeIPA and Samba AD DC

2017-04-28 Thread Tiemen Ruiten
Hello Alexander, list,

I did get further by specifying --external=true in the ipa trust-add
command, it works now for *both* the Windows and the Samba domain:

ipa trust-add office.rdmedia.com --type=ad --admin Administrator --password
--two-way=false --external=true

IPA reports the trust is established successfully and I can also see it in
Active Directory Domains and Trusts. However, adding users/groups to an
external group fails:

[root@ipa-ams-01 tiemen]# ipa group-add-member office_admins_external
--external "OFFICE\domain admins"
[member user]:
[member group]:
  Group name: office_admins_external
  Description: office.rdmedia.com admins external map
  Failed members:
member user:
member group: *OFFICE\domain admins: trusted domain object not found*
-
Number of members added 0
-

Of course that group exists on the Samba DC:

[root@fluorine samba]# wbinfo -g
OFFICE\cert publishers
OFFICE\ras and ias servers
OFFICE\allowed rodc password replication group
OFFICE\denied rodc password replication group
OFFICE\dnsadmins
OFFICE\enterprise read-only domain controllers
OFFICE\domain admins
OFFICE\domain users
OFFICE\domain guests
OFFICE\domain computers
OFFICE\domain controllers
OFFICE\schema admins
OFFICE\enterprise admins
OFFICE\group policy creator owners
OFFICE\read-only domain controllers
OFFICE\dnsupdateproxy

BTW, adding a two-way trust fails because the AD DC reports it can't
contact any IPA server. Firewalls on all servers have been disabled.

I would appreciate any insights!

On 28 April 2017 at 12:09, Tiemen Ruiten  wrote:

> Hello,
>
> I set up a fresh Windows Server 2012R2 instance, configured a new forest
> named 'clients.rdmedia.com' and I'm getting the same error in the httpd
> error_log after running 'ipa trust-add clients.rdmedia.com --type=ad
> --admin=Administrator --password':
>
> [Fri Apr 28 12:05:00.420174 2017] [:error] [pid 26417] ipa: ERROR:
> non-public: RuntimeError: (-1073741811, 'Unexpected information received')
> [Fri Apr 28 12:05:00.420225 2017] [:error] [pid 26417] Traceback (most
> recent call last):
> [Fri Apr 28 12:05:00.420230 2017] [:error] [pid 26417]   File
> "/usr/lib/python2.7/site-packages/ipaserver/rpcserver.py", line 366, in
> wsgi_execute
> [Fri Apr 28 12:05:00.420235 2017] [:error] [pid 26417] result =
> command(*args, **options)
> [Fri Apr 28 12:05:00.420239 2017] [:error] [pid 26417]   File
> "/usr/lib/python2.7/site-packages/ipalib/frontend.py", line 449, in
> __call__
> [Fri Apr 28 12:05:00.420243 2017] [:error] [pid 26417] return
> self.__do_call(*args, **options)
> [Fri Apr 28 12:05:00.420247 2017] [:error] [pid 26417]   File
> "/usr/lib/python2.7/site-packages/ipalib/frontend.py", line 477, in
> __do_call
> [Fri Apr 28 12:05:00.420251 2017] [:error] [pid 26417] ret =
> self.run(*args, **options)
> [Fri Apr 28 12:05:00.420255 2017] [:error] [pid 26417]   File
> "/usr/lib/python2.7/site-packages/ipalib/frontend.py", line 799, in run
> [Fri Apr 28 12:05:00.420258 2017] [:error] [pid 26417] return
> self.execute(*args, **options)
> [Fri Apr 28 12:05:00.420262 2017] [:error] [pid 26417]   File
> "/usr/lib/python2.7/site-packages/ipaserver/plugins/trust.py", line 739,
> in execute
> [Fri Apr 28 12:05:00.420267 2017] [:error] [pid 26417] result =
> self.execute_ad(full_join, *keys, **options)
> [Fri Apr 28 12:05:00.420297 2017] [:error] [pid 26417]   File
> "/usr/lib/python2.7/site-packages/ipaserver/plugins/trust.py", line 989,
> in execute_ad
> [Fri Apr 28 12:05:00.420304 2017] [:error] [pid 26417] trust_type
> [Fri Apr 28 12:05:00.420308 2017] [:error] [pid 26417]   File
> "/usr/lib/python2.7/site-packages/ipaserver/dcerpc.py", line 1683, in
> join_ad_full_credentials
> [Fri Apr 28 12:05:00.420312 2017] [:error] [pid 26417] trust_type,
> trust_external)
> [Fri Apr 28 12:05:00.420316 2017] [:error] [pid 26417]   File
> "/usr/lib/python2.7/site-packages/ipaserver/dcerpc.py", line 1363, in
> establish_trust
> [Fri Apr 28 12:05:00.420320 2017] [:error] [pid 26417]
> self.update_ftinfo(another_domain)
> [Fri Apr 28 12:05:00.420324 2017] [:error] [pid 26417]   File
> "/usr/lib/python2.7/site-packages/ipaserver/dcerpc.py", line 1252, in
> update_ftinfo
> [Fri Apr 28 12:05:00.420328 2017] [:error] [pid 26417] ftinfo, 0)
> [Fri Apr 28 12:05:00.420331 2017] [:error] [pid 26417] RuntimeError:
> (-1073741811, 'Unexpected information received')
> [Fri Apr 28 12:05:00.420975 2017] [:error] [pid 26417] ipa: INFO:
> [jsonserver_session] ad...@i.rdmedia.com: trust_add/1(u'clients.rdmedia.
> com', trust_type=u'ad', realm_admin=u'Administrator',
> realm_passwd=u'', version=u'2.213'): RuntimeError
>
> Am I doing something wrong? Logs are of course available privately on
> request.
>
> On 14 April 2017 at 15:13, Alexander Bokovoy  wrote:
>
>> On pe, 14 huhti 2017, Tiemen Ruiten wrote:
>>
>>> Yes, office.rdmedia.com is the Samba AD domain.
>>>

Re: [Freeipa-users] add trust between FreeIPA and Samba AD DC

2017-04-28 Thread Tiemen Ruiten
Hello,

I set up a fresh Windows Server 2012R2 instance, configured a new forest
named 'clients.rdmedia.com' and I'm getting the same error in the httpd
error_log after running 'ipa trust-add clients.rdmedia.com --type=ad
--admin=Administrator --password':

[Fri Apr 28 12:05:00.420174 2017] [:error] [pid 26417] ipa: ERROR:
non-public: RuntimeError: (-1073741811, 'Unexpected information received')
[Fri Apr 28 12:05:00.420225 2017] [:error] [pid 26417] Traceback (most
recent call last):
[Fri Apr 28 12:05:00.420230 2017] [:error] [pid 26417]   File
"/usr/lib/python2.7/site-packages/ipaserver/rpcserver.py", line 366, in
wsgi_execute
[Fri Apr 28 12:05:00.420235 2017] [:error] [pid 26417] result =
command(*args, **options)
[Fri Apr 28 12:05:00.420239 2017] [:error] [pid 26417]   File
"/usr/lib/python2.7/site-packages/ipalib/frontend.py", line 449, in __call__
[Fri Apr 28 12:05:00.420243 2017] [:error] [pid 26417] return
self.__do_call(*args, **options)
[Fri Apr 28 12:05:00.420247 2017] [:error] [pid 26417]   File
"/usr/lib/python2.7/site-packages/ipalib/frontend.py", line 477, in
__do_call
[Fri Apr 28 12:05:00.420251 2017] [:error] [pid 26417] ret =
self.run(*args, **options)
[Fri Apr 28 12:05:00.420255 2017] [:error] [pid 26417]   File
"/usr/lib/python2.7/site-packages/ipalib/frontend.py", line 799, in run
[Fri Apr 28 12:05:00.420258 2017] [:error] [pid 26417] return
self.execute(*args, **options)
[Fri Apr 28 12:05:00.420262 2017] [:error] [pid 26417]   File
"/usr/lib/python2.7/site-packages/ipaserver/plugins/trust.py", line 739, in
execute
[Fri Apr 28 12:05:00.420267 2017] [:error] [pid 26417] result =
self.execute_ad(full_join, *keys, **options)
[Fri Apr 28 12:05:00.420297 2017] [:error] [pid 26417]   File
"/usr/lib/python2.7/site-packages/ipaserver/plugins/trust.py", line 989, in
execute_ad
[Fri Apr 28 12:05:00.420304 2017] [:error] [pid 26417] trust_type
[Fri Apr 28 12:05:00.420308 2017] [:error] [pid 26417]   File
"/usr/lib/python2.7/site-packages/ipaserver/dcerpc.py", line 1683, in
join_ad_full_credentials
[Fri Apr 28 12:05:00.420312 2017] [:error] [pid 26417] trust_type,
trust_external)
[Fri Apr 28 12:05:00.420316 2017] [:error] [pid 26417]   File
"/usr/lib/python2.7/site-packages/ipaserver/dcerpc.py", line 1363, in
establish_trust
[Fri Apr 28 12:05:00.420320 2017] [:error] [pid 26417]
self.update_ftinfo(another_domain)
[Fri Apr 28 12:05:00.420324 2017] [:error] [pid 26417]   File
"/usr/lib/python2.7/site-packages/ipaserver/dcerpc.py", line 1252, in
update_ftinfo
[Fri Apr 28 12:05:00.420328 2017] [:error] [pid 26417] ftinfo, 0)
[Fri Apr 28 12:05:00.420331 2017] [:error] [pid 26417] RuntimeError:
(-1073741811, 'Unexpected information received')
[Fri Apr 28 12:05:00.420975 2017] [:error] [pid 26417] ipa: INFO:
[jsonserver_session] ad...@i.rdmedia.com: trust_add/1(u'clients.rdmedia.com',
trust_type=u'ad', realm_admin=u'Administrator', realm_passwd=u'',
version=u'2.213'): RuntimeError

Am I doing something wrong? Logs are of course available privately on
request.

On 14 April 2017 at 15:13, Alexander Bokovoy  wrote:

> On pe, 14 huhti 2017, Tiemen Ruiten wrote:
>
>> Yes, office.rdmedia.com is the Samba AD domain.
>>
>> [root@fluorine samba]# samba-tool domain trust list
>> Type[Forest]   Transitive[Yes] Direction[INCOMING] Name[i.rdmedia.com]
>> [root@fluorine samba]# samba-tool domain trust show i.rdmedia.com
>> LocalDomain Netbios[OFFICE] DNS[office.rdmedia.com]
>> SID[S-1-5-21-482924559-3201240232-3198541477]
>> TrusteDomain:
>>
>> NetbiosName:IPA
>> DnsName:i.rdmedia.com
>> SID:S-1-5-21-3716778977-2487905546-4034507762
>> Type:   0x2 (UPLEVEL)
>> Direction:  0x1 (INBOUND)
>> Attributes: 0x8 (FOREST_TRANSITIVE)
>> PosixOffset:0x (0)
>> kerb_EncTypes:  0x1c
>> (RC4_HMAC_MD5,AES128_CTS_HMAC_SHA1_96,AES256_CTS_HMAC_SHA1_96)
>> Namespaces[0] TDO[i.rdmedia.com]:
>>
> Ok, thanks. I'll look into this part of Samba code later, after Easter.
>
>
>
>>
>> On 14 April 2017 at 14:07, Alexander Bokovoy  wrote:
>>
>> On pe, 14 huhti 2017, Tiemen Ruiten wrote:
>>>
>>> Hello Alexander,

 That's strange, when I try to setup a trust with a domain that isn't a
 subdomain of FreeIPA, I get the same error. I reran:

 ipa-adtrust-install --netbios-name=IPA

 and then ran:

 ipa trust-add --type=ad office.rdmedia.com --admin Administrator
 --password

 office.rdmedia.com is Samba AD?
>>>
>>> Then please show output of
>>>
>>>  samba-tool domain trust list
>>>
>>> and for each domain name in the output above show
>>>
>>>  samba-tool domain trust show 
>>>
>>>
>>>
>>>
>>>
>>> Last bit of the error_log:

 rpc reply data:
 [] 00 00 00 00
 lsa_lsaRSetForestTrustInformation: struct
 lsa_lsaRSetForestTrustInformation
in: struct lsa_lsaRSetForestTrustInformation
  

Re: [Freeipa-users] add trust between FreeIPA and Samba AD DC

2017-04-14 Thread Alexander Bokovoy

On to, 13 huhti 2017, Alexander Bokovoy wrote:

On Thu, 13 Apr 2017, Tiemen Ruiten wrote:

Excerpt from the httpd error_log on the FreeIPA replica:

[Thu Apr 13 11:17:44.072996 2017] [:error] [pid 28346] ipa: INFO:
[jsonserver_kerb] ad...@i.rdmedia.com: ping(): SUCCESS
[Thu Apr 13 11:17:50.708019 2017] [:error] [pid 28347] ipa: ERROR:
non-public: RuntimeError: (-1073741811, 'Unexpected information received')

Please add 'log level = 10' to /usr/share/ipa/smb.conf.empty and re-try
'ipa trust-add', then send me resulting error_log privately.

To get back to the public mailing list, Tiemen sent me logs and I
confirm that this is the same as 
https://bugzilla.redhat.com/show_bug.cgi?id=1421869

We currently have no solution to this problem (AD is subdomain of IPA
domain).

--
/ Alexander Bokovoy

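The RuntimeError in the tracebacks quoted in this thread carries a Samba NTSTATUS as a sign-extended 32-bit integer, which is awkward to look up by hand. The following is an added example, not code from the thread, FreeIPA or Samba: it reads an httpd error_log excerpt (constructed here from the entries quoted above, one entry per line as Apache writes them), decodes the status word into severity, facility and code per the NTSTATUS layout, and names the innermost IPA frame. The small table of status names and the hint attached to `update_ftinfo` are assumptions added for readability; the decoder itself works for any status the Samba bindings return.

```python
"""Decode the Samba NTSTATUS behind 'RuntimeError: (-1073741811, ...)' in an IPA error_log.
Added example for this thread, not code from the thread, FreeIPA or Samba."""
import re

# NTSTATUS layout (MS-ERREF): bits 31-30 severity, bits 27-16 facility, bits 15-0 code.
SEVERITY = {0: "SUCCESS", 1: "INFORMATIONAL", 2: "WARNING", 3: "ERROR"}
# Small assumed lookup table of well-known values seen around trust setup.
KNOWN_STATUS = {
    0xC000000D: "STATUS_INVALID_PARAMETER",
    0xC0000022: "STATUS_ACCESS_DENIED",
    0xC00000DF: "STATUS_NO_SUCH_DOMAIN",
}

# Constructed sample: the traceback quoted in the thread, one log entry per line
# as Apache writes it (the mail client wrapped the originals).
SAMPLE_LOG = """\
[Fri Apr 28 12:05:00.420174 2017] [:error] [pid 26417] ipa: ERROR: non-public: RuntimeError: (-1073741811, 'Unexpected information received')
[Fri Apr 28 12:05:00.420225 2017] [:error] [pid 26417] Traceback (most recent call last):
[Fri Apr 28 12:05:00.420230 2017] [:error] [pid 26417]   File "/usr/lib/python2.7/site-packages/ipaserver/rpcserver.py", line 366, in wsgi_execute
[Fri Apr 28 12:05:00.420235 2017] [:error] [pid 26417]     result = command(*args, **options)
[Fri Apr 28 12:05:00.420262 2017] [:error] [pid 26417]   File "/usr/lib/python2.7/site-packages/ipaserver/plugins/trust.py", line 739, in execute
[Fri Apr 28 12:05:00.420267 2017] [:error] [pid 26417]     result = self.execute_ad(full_join, *keys, **options)
[Fri Apr 28 12:05:00.420316 2017] [:error] [pid 26417]   File "/usr/lib/python2.7/site-packages/ipaserver/dcerpc.py", line 1363, in establish_trust
[Fri Apr 28 12:05:00.420320 2017] [:error] [pid 26417]     self.update_ftinfo(another_domain)
[Fri Apr 28 12:05:00.420324 2017] [:error] [pid 26417]   File "/usr/lib/python2.7/site-packages/ipaserver/dcerpc.py", line 1252, in update_ftinfo
[Fri Apr 28 12:05:00.420328 2017] [:error] [pid 26417]     ftinfo, 0)
[Fri Apr 28 12:05:00.420331 2017] [:error] [pid 26417] RuntimeError: (-1073741811, 'Unexpected information received')
[Fri Apr 28 12:05:00.420975 2017] [:error] [pid 26417] ipa: INFO: [jsonserver_session] ad...@i.rdmedia.com: trust_add/1(u'clients.rdmedia.com', trust_type=u'ad', realm_admin=u'Administrator', realm_passwd=u'', version=u'2.213'): RuntimeError
"""

LOG_LINE = re.compile(r"^\[[^\]]+\] \[:error\] \[pid (\d+)\] ?(.*)$")
FRAME = re.compile(r'File "([^"]+)", line (\d+), in (\w+)')
NT_ERROR = re.compile(r"RuntimeError: \((-?\d+), '([^']*)'\)")


def decode_ntstatus(value):
    """Split a status from the Samba bindings (sign-extended 32-bit int) into its fields."""
    word = value & 0xFFFFFFFF
    return {
        "hex": "0x%08X" % word,
        "severity": SEVERITY[word >> 30],
        "facility": (word >> 16) & 0x0FFF,
        "code": word & 0xFFFF,
        "name": KNOWN_STATUS.get(word, "unknown"),
    }


def parse_trust_error(log_text):
    """Return pid, frames (file, line, function) and decoded status of the first
    traceback ending in a Samba RuntimeError, or None if there is none."""
    frames_by_pid = {}
    for line in log_text.splitlines():
        m = LOG_LINE.match(line)
        if not m:
            continue
        pid, body = m.group(1), m.group(2).strip()
        if body.startswith("Traceback"):
            frames_by_pid[pid] = []  # a new traceback for this worker
            continue
        frames = frames_by_pid.setdefault(pid, [])
        f = FRAME.search(body)
        if f:
            frames.append((f.group(1).rsplit("/", 1)[-1], int(f.group(2)), f.group(3)))
            continue
        e = NT_ERROR.search(body)
        if e and frames:  # the 'ipa: ERROR:' summary has no frames yet and is skipped
            return {"pid": pid, "frames": list(frames), "message": e.group(2),
                    "status": decode_ntstatus(int(e.group(1)))}
    return None


def summarize(result):
    """One-line reading of the failure for the person triaging the log."""
    if result is None:
        return "no Samba RuntimeError traceback found"
    fname, lineno, func = result["frames"][-1]
    st = result["status"]
    text = "pid %s: %s %s (%s) raised at %s:%d in %s" % (
        result["pid"], st["hex"], st["name"], st["severity"], fname, lineno, func)
    if func == "update_ftinfo":
        # update_ftinfo is the step that sends lsa_lsaRSetForestTrustInformation,
        # the last call visible in the Samba log quoted in the thread.
        text += "; the remote DC rejected lsa_lsaRSetForestTrustInformation"
    return text
```

For the thread's status, -1073741811 decodes to 0xC000000D, STATUS_INVALID_PARAMETER with severity ERROR, raised in update_ftinfo, which matches the forest-trust-information exchange the bug report discusses.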


Re: [Freeipa-users] add trust between FreeIPA and Samba AD DC

2017-04-13 Thread Alexander Bokovoy

On Thu, 13 Apr 2017, Tiemen Ruiten wrote:

Excerpt from the httpd error_log on the FreeIPA replica:

[Thu Apr 13 11:17:44.072996 2017] [:error] [pid 28346] ipa: INFO:
[jsonserver_kerb] ad...@i.rdmedia.com: ping(): SUCCESS
[Thu Apr 13 11:17:50.708019 2017] [:error] [pid 28347] ipa: ERROR:
non-public: RuntimeError: (-1073741811, 'Unexpected information received')

Please add 'log level = 10' to /usr/share/ipa/smb.conf.empty and re-try
'ipa trust-add', then send me resulting error_log privately.



[Thu Apr 13 11:17:50.708121 2017] [:error] [pid 28347] Traceback (most
recent call last):
[Thu Apr 13 11:17:50.708132 2017] [:error] [pid 28347]   File
"/usr/lib/python2.7/site-packages/ipaserver/rpcserver.py", line 366, in
wsgi_execute
[Thu Apr 13 11:17:50.708140 2017] [:error] [pid 28347] result =
command(*args, **options)
[Thu Apr 13 11:17:50.708147 2017] [:error] [pid 28347]   File
"/usr/lib/python2.7/site-packages/ipalib/frontend.py", line 449, in __call__
[Thu Apr 13 11:17:50.708154 2017] [:error] [pid 28347] return
self.__do_call(*args, **options)
[Thu Apr 13 11:17:50.708161 2017] [:error] [pid 28347]   File
"/usr/lib/python2.7/site-packages/ipalib/frontend.py", line 477, in
__do_call
[Thu Apr 13 11:17:50.708168 2017] [:error] [pid 28347] ret =
self.run(*args, **options)
[Thu Apr 13 11:17:50.708213 2017] [:error] [pid 28347]   File
"/usr/lib/python2.7/site-packages/ipalib/frontend.py", line 799, in run
[Thu Apr 13 11:17:50.708223 2017] [:error] [pid 28347] return
self.execute(*args, **options)
[Thu Apr 13 11:17:50.708229 2017] [:error] [pid 28347]   File
"/usr/lib/python2.7/site-packages/ipaserver/plugins/trust.py", line 739, in
execute
[Thu Apr 13 11:17:50.708237 2017] [:error] [pid 28347] result =
self.execute_ad(full_join, *keys, **options)
[Thu Apr 13 11:17:50.708244 2017] [:error] [pid 28347]   File
"/usr/lib/python2.7/site-packages/ipaserver/plugins/trust.py", line 989, in
execute_ad
[Thu Apr 13 11:17:50.708258 2017] [:error] [pid 28347] trust_type
[Thu Apr 13 11:17:50.708265 2017] [:error] [pid 28347]   File
"/usr/lib/python2.7/site-packages/ipaserver/dcerpc.py", line 1683, in
join_ad_full_credentials
[Thu Apr 13 11:17:50.708272 2017] [:error] [pid 28347] trust_type,
trust_external)
[Thu Apr 13 11:17:50.708279 2017] [:error] [pid 28347]   File
"/usr/lib/python2.7/site-packages/ipaserver/dcerpc.py", line 1363, in
establish_trust
[Thu Apr 13 11:17:50.708285 2017] [:error] [pid 28347]
self.update_ftinfo(another_domain)
[Thu Apr 13 11:17:50.708292 2017] [:error] [pid 28347]   File
"/usr/lib/python2.7/site-packages/ipaserver/dcerpc.py", line 1252, in
update_ftinfo
[Thu Apr 13 11:17:50.708299 2017] [:error] [pid 28347] ftinfo, 0)
[Thu Apr 13 11:17:50.708305 2017] [:error] [pid 28347] RuntimeError:
(-1073741811, 'Unexpected information received')
[Thu Apr 13 11:17:50.709161 2017] [:error] [pid 28347] ipa: INFO:
[jsonserver_kerb] ad...@i.rdmedia.com: trust_add/1(u'clients.i.rdmedia.com',
trust_type=u'ad', realm_admin=u'Administrator', realm_passwd=u'',
version=u'2.213'): RuntimeError


On 13 April 2017 at 18:08, Tiemen Ruiten  wrote:


Of course:

FreeIPA versions:
[root@ipa-ams-01 samba]# rpm -qa | grep ipa
libipa_hbac-1.14.0-43.el7_3.14.x86_64
sssd-ipa-1.14.0-43.el7_3.14.x86_64
python2-ipaclient-4.4.0-14.el7.centos.7.noarch
ipa-server-trust-ad-4.4.0-14.el7.centos.7.x86_64
ipa-client-common-4.4.0-14.el7.centos.7.noarch
python-iniparse-0.4-9.el7.noarch
python-libipa_hbac-1.14.0-43.el7_3.14.x86_64
python2-ipalib-4.4.0-14.el7.centos.7.noarch
ipa-admintools-4.4.0-14.el7.centos.7.noarch
ipa-server-common-4.4.0-14.el7.centos.7.noarch
ipa-server-4.4.0-14.el7.centos.7.x86_64
ipa-server-dns-4.4.0-14.el7.centos.7.noarch
python-ipaddress-1.0.16-2.el7.noarch
ipa-client-4.4.0-14.el7.centos.7.x86_64
python2-ipaserver-4.4.0-14.el7.centos.7.noarch
ipa-common-4.4.0-14.el7.centos.7.noarch

Samba AD DC versions:
Also CentOS 7, Samba 4.6.2, built from source, configured with one option:
--with-systemd

FreeIPA controls i.rdmedia.com, prod.ams.i.rdmedia.com,
test.ams.i.rdmedia.com and prod.nyc.i.rdmedia.com.
AD controls only clients.i.rdmedia.com and forwards all other DNS queries
to ipa-ams-01.

Samba uses the BIND9_DLZ backend for DNS.

Regarding the commands run: After provisioning the AD domain, I followed
this  guide,
except I set up the global forwarder in /etc/named.conf manually.

I got the "ipa: ERROR an internal error has occurred" after running:

ipa trust-add --type=ad clients.i.rdmedia.com --admin Administrator
--password

On 13 April 2017 at 17:09, Alexander Bokovoy  wrote:


On to, 13 huhti 2017, Tiemen Ruiten wrote:


Apologies, now with proper subject.

On 13 April 2017 at 16:49, Tiemen Ruiten  wrote:

Hello!


As I understand from this
 thread,

it should be possible to setup 

Re: [Freeipa-users] add trust between FreeIPA and Samba AD DC

2017-04-13 Thread Tiemen Ruiten
Excerpt from the httpd error_log on the FreeIPA replica:

[Thu Apr 13 11:17:44.072996 2017] [:error] [pid 28346] ipa: INFO:
[jsonserver_kerb] ad...@i.rdmedia.com: ping(): SUCCESS
[Thu Apr 13 11:17:50.708019 2017] [:error] [pid 28347] ipa: ERROR:
non-public: RuntimeError: (-1073741811, 'Unexpected information received')
[Thu Apr 13 11:17:50.708121 2017] [:error] [pid 28347] Traceback (most
recent call last):
[Thu Apr 13 11:17:50.708132 2017] [:error] [pid 28347]   File
"/usr/lib/python2.7/site-packages/ipaserver/rpcserver.py", line 366, in
wsgi_execute
[Thu Apr 13 11:17:50.708140 2017] [:error] [pid 28347] result =
command(*args, **options)
[Thu Apr 13 11:17:50.708147 2017] [:error] [pid 28347]   File
"/usr/lib/python2.7/site-packages/ipalib/frontend.py", line 449, in __call__
[Thu Apr 13 11:17:50.708154 2017] [:error] [pid 28347] return
self.__do_call(*args, **options)
[Thu Apr 13 11:17:50.708161 2017] [:error] [pid 28347]   File
"/usr/lib/python2.7/site-packages/ipalib/frontend.py", line 477, in
__do_call
[Thu Apr 13 11:17:50.708168 2017] [:error] [pid 28347] ret =
self.run(*args, **options)
[Thu Apr 13 11:17:50.708213 2017] [:error] [pid 28347]   File
"/usr/lib/python2.7/site-packages/ipalib/frontend.py", line 799, in run
[Thu Apr 13 11:17:50.708223 2017] [:error] [pid 28347] return
self.execute(*args, **options)
[Thu Apr 13 11:17:50.708229 2017] [:error] [pid 28347]   File
"/usr/lib/python2.7/site-packages/ipaserver/plugins/trust.py", line 739, in
execute
[Thu Apr 13 11:17:50.708237 2017] [:error] [pid 28347] result =
self.execute_ad(full_join, *keys, **options)
[Thu Apr 13 11:17:50.708244 2017] [:error] [pid 28347]   File
"/usr/lib/python2.7/site-packages/ipaserver/plugins/trust.py", line 989, in
execute_ad
[Thu Apr 13 11:17:50.708258 2017] [:error] [pid 28347] trust_type
[Thu Apr 13 11:17:50.708265 2017] [:error] [pid 28347]   File
"/usr/lib/python2.7/site-packages/ipaserver/dcerpc.py", line 1683, in
join_ad_full_credentials
[Thu Apr 13 11:17:50.708272 2017] [:error] [pid 28347] trust_type,
trust_external)
[Thu Apr 13 11:17:50.708279 2017] [:error] [pid 28347]   File
"/usr/lib/python2.7/site-packages/ipaserver/dcerpc.py", line 1363, in
establish_trust
[Thu Apr 13 11:17:50.708285 2017] [:error] [pid 28347]
self.update_ftinfo(another_domain)
[Thu Apr 13 11:17:50.708292 2017] [:error] [pid 28347]   File
"/usr/lib/python2.7/site-packages/ipaserver/dcerpc.py", line 1252, in
update_ftinfo
[Thu Apr 13 11:17:50.708299 2017] [:error] [pid 28347] ftinfo, 0)
[Thu Apr 13 11:17:50.708305 2017] [:error] [pid 28347] RuntimeError:
(-1073741811, 'Unexpected information received')
[Thu Apr 13 11:17:50.709161 2017] [:error] [pid 28347] ipa: INFO:
[jsonserver_kerb] ad...@i.rdmedia.com: trust_add/1(u'clients.i.rdmedia.com',
trust_type=u'ad', realm_admin=u'Administrator', realm_passwd=u'',
version=u'2.213'): RuntimeError


On 13 April 2017 at 18:08, Tiemen Ruiten  wrote:

> Of course:
>
> FreeIPA versions:
> [root@ipa-ams-01 samba]# rpm -qa | grep ipa
> libipa_hbac-1.14.0-43.el7_3.14.x86_64
> sssd-ipa-1.14.0-43.el7_3.14.x86_64
> python2-ipaclient-4.4.0-14.el7.centos.7.noarch
> ipa-server-trust-ad-4.4.0-14.el7.centos.7.x86_64
> ipa-client-common-4.4.0-14.el7.centos.7.noarch
> python-iniparse-0.4-9.el7.noarch
> python-libipa_hbac-1.14.0-43.el7_3.14.x86_64
> python2-ipalib-4.4.0-14.el7.centos.7.noarch
> ipa-admintools-4.4.0-14.el7.centos.7.noarch
> ipa-server-common-4.4.0-14.el7.centos.7.noarch
> ipa-server-4.4.0-14.el7.centos.7.x86_64
> ipa-server-dns-4.4.0-14.el7.centos.7.noarch
> python-ipaddress-1.0.16-2.el7.noarch
> ipa-client-4.4.0-14.el7.centos.7.x86_64
> python2-ipaserver-4.4.0-14.el7.centos.7.noarch
> ipa-common-4.4.0-14.el7.centos.7.noarch
>
> Samba AD DC versions:
> Also CentOS 7, Samba 4.6.2, built from source, configured with one option:
> --with-systemd
>
> FreeIPA controls i.rdmedia.com, prod.ams.i.rdmedia.com,
> test.ams.i.rdmedia.com and prod.nyc.i.rdmedia.com.
> AD controls only clients.i.rdmedia.com and forwards all other DNS queries
> to ipa-ams-01.
>
> Samba uses the BIND9_DLZ backend for DNS.
>
> Regarding the commands run: After provisioning the AD domain, I followed
> this  guide,
> except I set up the global forwarder in /etc/named.conf manually.
>
> I got the "ipa: ERROR an internal error has occurred" after running:
>
> ipa trust-add --type=ad clients.i.rdmedia.com --admin Administrator
> --password
>
> On 13 April 2017 at 17:09, Alexander Bokovoy  wrote:
>
>> On to, 13 huhti 2017, Tiemen Ruiten wrote:
>>
>>> Apologies, now with proper subject.
>>>
>>> On 13 April 2017 at 16:49, Tiemen Ruiten  wrote:
>>>
>>> Hello!

 As I understand from this
  thread,

 it should be possible to set up a trust between FreeIPA and Samba4. My AD
 domain is 

Re: [Freeipa-users] add trust between FreeIPA and Samba AD DC

2017-04-13 Thread Tiemen Ruiten
Of course:

FreeIPA versions:
[root@ipa-ams-01 samba]# rpm -qa | grep ipa
libipa_hbac-1.14.0-43.el7_3.14.x86_64
sssd-ipa-1.14.0-43.el7_3.14.x86_64
python2-ipaclient-4.4.0-14.el7.centos.7.noarch
ipa-server-trust-ad-4.4.0-14.el7.centos.7.x86_64
ipa-client-common-4.4.0-14.el7.centos.7.noarch
python-iniparse-0.4-9.el7.noarch
python-libipa_hbac-1.14.0-43.el7_3.14.x86_64
python2-ipalib-4.4.0-14.el7.centos.7.noarch
ipa-admintools-4.4.0-14.el7.centos.7.noarch
ipa-server-common-4.4.0-14.el7.centos.7.noarch
ipa-server-4.4.0-14.el7.centos.7.x86_64
ipa-server-dns-4.4.0-14.el7.centos.7.noarch
python-ipaddress-1.0.16-2.el7.noarch
ipa-client-4.4.0-14.el7.centos.7.x86_64
python2-ipaserver-4.4.0-14.el7.centos.7.noarch
ipa-common-4.4.0-14.el7.centos.7.noarch

Samba AD DC versions:
Also CentOS 7, Samba 4.6.2, built from source, configured with one option:
--with-systemd

FreeIPA controls i.rdmedia.com, prod.ams.i.rdmedia.com,
test.ams.i.rdmedia.com and prod.nyc.i.rdmedia.com.
AD controls only clients.i.rdmedia.com and forwards all other DNS queries
to ipa-ams-01.

Samba uses the BIND9_DLZ backend for DNS.

Regarding the commands run: After provisioning the AD domain, I followed
this  guide,
except I set up the global forwarder in /etc/named.conf manually.

I got the "ipa: ERROR an internal error has occurred" after running:

ipa trust-add --type=ad clients.i.rdmedia.com --admin Administrator
--password

On 13 April 2017 at 17:09, Alexander Bokovoy  wrote:

> On to, 13 huhti 2017, Tiemen Ruiten wrote:
>
>> Apologies, now with proper subject.
>>
>> On 13 April 2017 at 16:49, Tiemen Ruiten  wrote:
>>
>> Hello!
>>>
>>> As I understand from this
>>> >> msg00147.html> thread,
>>>
>>> it should be possible to set up a trust between FreeIPA and Samba4. My AD
>>> domain is clients.i.rdmedia.com, it's a subdomain of my FreeIPA domain,
>>> i.rdmedia.com. Therefore I added a global forwarder on the Samba AD DC
>>> to
>>> one of the FreeIPA replicas and lookup of SRV records in both domains
>>> appears to work.
>>>
>>> However when I try to add the trust I get "ipa: ERROR an internal error
>>> has occurred". I ran the trust-add command with full debug logging as
>>> described on https://www.freeipa.org/page/Active_Directory_trust_setup#
>>> Debugging_trust, so I can provide these logs privately upon request.
>>>
>>> I suspect some DNS issue, as right after I try to set up the trust,
>>> dynamic
>>> updates stop working on the AD Domain Controller with this error:
>>>
>>> tkey query failed: GSSAPI error: Major = Unspecified GSS failure.  Minor
>>> code may provide more information, Minor = Server DNS/fluorine.clients.i.
>>> rdmedia@i.rdmedia.com not found in Kerberos database.
>>> Failed nsupdate: 1
>>> update(nsupdate): SRV _ldap._tcp.Default-First-Site-Name._
>>> sites.ForestDnsZones.clients.i.rdmedia.com
>>> fluorine.clients.i.rdmedia.com
>>> 389
>>> Calling nsupdate for SRV _ldap._tcp.Default-First-Site-Name._
>>> sites.ForestDnsZones.clients.i.rdmedia.com
>>> fluorine.clients.i.rdmedia.com
>>> 389 (add)
>>> Outgoing update query:
>>> ;; ->>HEADER<<- opcode: UPDATE, status: NOERROR, id:  0
>>> ;; flags:; ZONE: 0, PREREQ: 0, UPDATE: 0, ADDITIONAL: 0
>>> ;; UPDATE SECTION:
>>> _ldap._tcp.Default-First-Site-Name._sites.ForestDnsZones.
>>> clients.i.rdmedia.com. 900 IN SRV 0 100 389
>>> fluorine.clients.i.rdmedia.com
>>> .
>>>
>>> Many thanks in advance for your assistance.
>>>
>> It would help if you would provide more details on your setup. The above
> doesn't give a clue on:
> - what are FreeIPA and Samba AD DC versions
> - on what OS versions they run, correspondingly
> - what DNS zones each of them control
> - what commands did you run
>
> --
> / Alexander Bokovoy
>



-- 
Tiemen Ruiten
Systems Engineer
R Media

Re: [Freeipa-users] add trust between FreeIPA and Samba AD DC

2017-04-13 Thread Alexander Bokovoy

On to, 13 huhti 2017, Tiemen Ruiten wrote:

Apologies, now with proper subject.

On 13 April 2017 at 16:49, Tiemen Ruiten  wrote:


Hello!

As I understand from this
 
thread,
it should be possible to set up a trust between FreeIPA and Samba4. My AD
domain is clients.i.rdmedia.com, it's a subdomain of my FreeIPA domain,
i.rdmedia.com. Therefore I added a global forwarder on the Samba AD DC to
one of the FreeIPA replicas and lookup of SRV records in both domains
appears to work.

However when I try to add the trust I get "ipa: ERROR an internal error
has occurred". I ran the trust-add command with full debug logging as
described on https://www.freeipa.org/page/Active_Directory_trust_setup#
Debugging_trust, so I can provide these logs privately upon request.

I suspect some DNS issue, as right after I try to set up the trust, dynamic
updates stop working on the AD Domain Controller with this error:

tkey query failed: GSSAPI error: Major = Unspecified GSS failure.  Minor
code may provide more information, Minor = Server DNS/fluorine.clients.i.
rdmedia@i.rdmedia.com not found in Kerberos database.
Failed nsupdate: 1
update(nsupdate): SRV _ldap._tcp.Default-First-Site-Name._
sites.ForestDnsZones.clients.i.rdmedia.com fluorine.clients.i.rdmedia.com
389
Calling nsupdate for SRV _ldap._tcp.Default-First-Site-Name._
sites.ForestDnsZones.clients.i.rdmedia.com fluorine.clients.i.rdmedia.com
389 (add)
Outgoing update query:
;; ->>HEADER<<- opcode: UPDATE, status: NOERROR, id:  0
;; flags:; ZONE: 0, PREREQ: 0, UPDATE: 0, ADDITIONAL: 0
;; UPDATE SECTION:
_ldap._tcp.Default-First-Site-Name._sites.ForestDnsZones.
clients.i.rdmedia.com. 900 IN SRV 0 100 389 fluorine.clients.i.rdmedia.com
.

Many thanks in advance for your assistance.

It would help if you would provide more details on your setup. The above
doesn't give a clue on:
- what are FreeIPA and Samba AD DC versions
- on what OS versions they run, correspondingly
- what DNS zones each of them control
- what commands did you run

--
/ Alexander Bokovoy



[Freeipa-users] add trust between FreeIPA and Samba AD DC

2017-04-13 Thread Tiemen Ruiten
Apologies, now with proper subject.

On 13 April 2017 at 16:49, Tiemen Ruiten  wrote:

> Hello!
>
> As I understand from this
>  
> thread,
> it should be possible to set up a trust between FreeIPA and Samba4. My AD
> domain is clients.i.rdmedia.com, it's a subdomain of my FreeIPA domain,
> i.rdmedia.com. Therefore I added a global forwarder on the Samba AD DC to
> one of the FreeIPA replicas and lookup of SRV records in both domains
> appears to work.
>
> However when I try to add the trust I get "ipa: ERROR an internal error
> has occurred". I ran the trust-add command with full debug logging as
> described on https://www.freeipa.org/page/Active_Directory_trust_setup#
> Debugging_trust, so I can provide these logs privately upon request.
>
> I suspect some DNS issue, as right after I try to set up the trust, dynamic
> updates stop working on the AD Domain Controller with this error:
>
> tkey query failed: GSSAPI error: Major = Unspecified GSS failure.  Minor
> code may provide more information, Minor = Server DNS/fluorine.clients.i.
> rdmedia@i.rdmedia.com not found in Kerberos database.
> Failed nsupdate: 1
> update(nsupdate): SRV _ldap._tcp.Default-First-Site-Name._
> sites.ForestDnsZones.clients.i.rdmedia.com fluorine.clients.i.rdmedia.com
> 389
> Calling nsupdate for SRV _ldap._tcp.Default-First-Site-Name._
> sites.ForestDnsZones.clients.i.rdmedia.com fluorine.clients.i.rdmedia.com
> 389 (add)
> Outgoing update query:
> ;; ->>HEADER<<- opcode: UPDATE, status: NOERROR, id:  0
> ;; flags:; ZONE: 0, PREREQ: 0, UPDATE: 0, ADDITIONAL: 0
> ;; UPDATE SECTION:
> _ldap._tcp.Default-First-Site-Name._sites.ForestDnsZones.
> clients.i.rdmedia.com. 900 IN SRV 0 100 389 fluorine.clients.i.rdmedia.com
> .
>
> Many thanks in advance for your assistance.
>
>
> --
> Tiemen Ruiten
> Systems Engineer
> R Media
>



-- 
Tiemen Ruiten
Systems Engineer
R Media