[Freeipa-users] AD -- IPA trust --::-- ipa: ERROR: Insufficient access: CIFS server denied your credentials

2015-04-11 Thread g . fer . ordas

Guys

Any way of simply skipping the CIFS mount credentials bit?
I do not actually need the AD CIFS at this point.

ipa trust-add --type=ad ad.domain.com --admin Admin  --password
Active Directory domain administrator's password:
ipa: ERROR: Insufficient access: CIFS server ad.domain.com denied your credentials


---
ot NTLMSSP neg_flags=0x60088205
  NTLMSSP_NEGOTIATE_UNICODE
  NTLMSSP_REQUEST_TARGET
  NTLMSSP_NEGOTIATE_NTLM
  NTLMSSP_NEGOTIATE_ALWAYS_SIGN
  NTLMSSP_NEGOTIATE_NTLM2
  NTLMSSP_NEGOTIATE_128
  NTLMSSP_NEGOTIATE_KEY_EXCH
s4_tevent: Added timed event dcerpc_timeout_handler: 0x7f31e9911d50
s4_tevent: Destroying timer event 0x7f31e9911d50 dcerpc_timeout_handler

dcerpc: alter_resp - rpc fault: WERR_ACCESS_DENIED
s4_tevent: Schedule immediate event tevent_req_trigger: 0x7f31e99093a0
s4_tevent: Run immediate event tevent_req_trigger: 0x7f31e99093a0
Failed to bind to uuid 12345778-1234-abcd-ef00-0123456789ab for 12345778-1234-abcd-ef00-012345678...@ad.ad.domain.com[49155] NT_STATUS_LOGON_FAILURE
s4_tevent: Destroying timer event 0x7f31e80539d0 dcerpc_connect_timeout_handler
[Sat Apr 11 06:00:17.408265 2015] [:error] [pid 25074] ipa: INFO: [jsonserver_session] ad...@linux.domain.com: trust_add(u'domain.com', trust_type=u'ad', realm_admin=Admin', realm_passwd=u'', all=False, raw=False, version=u'2.114'): ACIError




This is freeipa-server-4.1.4-1.el7.centos.x86_64

Thanks!!

--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project


Re: [Freeipa-users] AD -- IPA trust --::-- ipa: ERROR: Insufficient access: CIFS server denied your credentials

2015-04-11 Thread Alexander Bokovoy

On Sat, 11 Apr 2015, g.fer.or...@unicyber.co.uk wrote:

> Guys
>
> Any way of simply skipping the CIFS mount credentials bit?
> I do not actually need the AD CIFS at this point.

What do you mean by that?

Establishing trust uses the SMB protocol family. It is not using a 'CIFS
mount', but file system operations are part of the SMB protocol family,
along with authentication, authorization, domain and trust management.

Your 'Admin' user on the AD side should be a member of either the Enterprise
Admins, Domain Admins of the forest root domain, or Schema Admins
groups. See
https://technet.microsoft.com/en-us/library/cc755700%28v=ws.10%29.aspx
for details.





--
/ Alexander Bokovoy
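
An added example, not part of the original posts and not FreeIPA or Samba code: a small Python triage helper for the Samba debug output quoted in this thread. It decodes `neg_flags`, names the RPC interface whose bind failed, and collects the status codes. The flag values are from MS-NLMP, the interface UUIDs are the well-known DCE/RPC ones, and the function name and report layout are hypothetical.

```python
import re

# NTLMSSP negotiate flag bits (MS-NLMP), with the names Samba prints in its debug log.
NTLMSSP_FLAGS = {
    0x00000001: "NTLMSSP_NEGOTIATE_UNICODE",
    0x00000004: "NTLMSSP_REQUEST_TARGET",
    0x00000010: "NTLMSSP_NEGOTIATE_SIGN",
    0x00000020: "NTLMSSP_NEGOTIATE_SEAL",
    0x00000200: "NTLMSSP_NEGOTIATE_NTLM",
    0x00008000: "NTLMSSP_NEGOTIATE_ALWAYS_SIGN",
    0x00080000: "NTLMSSP_NEGOTIATE_NTLM2",
    0x20000000: "NTLMSSP_NEGOTIATE_128",
    0x40000000: "NTLMSSP_NEGOTIATE_KEY_EXCH",
    0x80000000: "NTLMSSP_NEGOTIATE_56",
}
# Well-known DCE/RPC interface UUIDs used during domain and trust operations.
RPC_INTERFACES = {
    "12345778-1234-abcd-ef00-0123456789ab": "lsarpc",
    "12345778-1234-abcd-ef00-0123456789ac": "samr",
    "12345678-1234-abcd-ef00-01234567cffb": "netlogon",
}
# Sample input: lines copied from the log in this thread, mail wrapping included.
SAMPLE_LOG = """\
ot NTLMSSP neg_flags=0x60088205
dcerpc: alter_resp - rpc fault: WERR_ACCESS_DENIED
Failed to bind to uuid 12345778-1234-abcd-ef00-0123456789ab for
12345778-1234-abcd-ef00-012345678...@ad.ad.domain.com[49155]
NT_STATUS_LOGON_FAILURE
"""

def triage(log):
    """Summarise the security-relevant facts in a Samba RPC debug log."""
    text = " ".join(log.split())  # undo line wrapping before matching
    report = {"flags": [], "unknown_bits": 0, "interface": None}
    m = re.search(r"neg_flags=0x([0-9a-fA-F]+)", text)
    if m:
        value = int(m.group(1), 16)
        report["flags"] = [n for b, n in sorted(NTLMSSP_FLAGS.items()) if value & b]
        report["unknown_bits"] = value & ~sum(NTLMSSP_FLAGS)  # bits not in the table
    m = re.search(r"Failed to bind to uuid ([0-9a-f-]{36})", text)
    if m:
        report["interface"] = RPC_INTERFACES.get(m.group(1), "unknown")
    # Status codes in the order they appear, e.g. WERR_* then NT_STATUS_*.
    report["statuses"] = re.findall(r"\b(?:NT_STATUS|WERR)_[A-Z0-9_]+\b", text)
    return report

if __name__ == "__main__":
    for key, value in triage(SAMPLE_LOG).items():
        print(key, "=", value)
```

For the log in this thread the helper reports a failed bind to `lsarpc`, the Local Security Authority RPC interface, with `WERR_ACCESS_DENIED` followed by `NT_STATUS_LOGON_FAILURE`.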
