Re: [Freeipa-users] AD trust showing offline after reboot
Sumit,

Thank you so much for helping me in fixing the problem.

About the issue: NetBIOS was disabled in Windows AD, I think this is the default behavior for Windows 2008 R2 instances. After setting 'client max protocol' and 'client min protocol' winbind was able to resolve the AD users.

net conf setparm global 'client min protocol' CORE
net conf setparm global 'client max protocol' SMB2_02

You may close this case since now.

On Tue, May 20, 2014 at 2:27 PM, Supratik Goswami wrote:
> Yes, you are correct log level was set to 1.
>
> I have changed the log level value to 10 and collected the log files
> again, PFA.
>
> [root@ipaserver samba]# net conf setparm global 'log level' 10
> [root@ipaserver samba]# net conf list
> [global]
>     workgroup = IPADOMAIN
>     realm = IPADOMAIN.EXAMPLE.COM
>     kerberos method = dedicated keytab
>     dedicated keytab file = FILE:/etc/samba/samba.keytab
>     create krb5 conf = no
>     security = user
>     domain master = yes
>     domain logons = yes
>     max log size = 10
>     log file = /var/log/samba/log.%m
>     passdb backend = ipasam:ldapi://%2fvar%2frun%2fslapd-IPADOMAIN-EXAMPLE-COM.socket
>     disable spoolss = yes
>     ldapsam:trusted = yes
>     ldap ssl = off
>     ldap suffix = dc=ipadomain,dc=example,dc=com
>     ldap user suffix = cn=users,cn=accounts
>     ldap group suffix = cn=groups,cn=accounts
>     ldap machine suffix = cn=computers,cn=accounts
>     rpc_server:epmapper = external
>     rpc_server:lsarpc = external
>     rpc_server:lsass = external
>     rpc_server:lsasd = external
>     rpc_server:samr = external
>     rpc_server:netlogon = external
>     rpc_server:tcpip = yes
>     rpc_daemon:epmd = fork
>     rpc_daemon:lsasd = fork
>     client min protocol = smb2_02
>     client max protocol = smb2_02
>     log level = 10
>
> [share]
>     comment = Trust test share
>     read only = no
>     valid users = S-1-5-21-2212595442-2951398754-4232868618
>     path = /share
>
> On Tue, May 20, 2014 at 1:38 PM, Sumit Bose wrote:
>
>> On Tue, May 20, 2014 at 01:17:42PM +0530, Supratik Goswami wrote:
>> > PFA
>>
>> somewhat switched the log level back to 1
>>
>>   doing parameter log level = 1
>>
>> can you check that 'net conf list' shows 'log level 10', if not please
>> set it with
>>
>> net conf setparm 'log level' 10
>>
>> bye,
>> Sumit
>>
>> > On Tue, May 20, 2014 at 12:38 PM, Sumit Bose wrote:
>> >
>> > > On Mon, May 19, 2014 at 05:40:49PM +0530, Supratik Goswami wrote:
>> > > > Initially after configuring the setup I rebooted once and I was thinking
>> > > > that it worked before the reboot but unfortunately it didn't work the first
>> > > > time itself.
>> > > >
>> > > > Still failing after running the commands.
>> > > >
>> > > > [root@ipaserver ~]# net conf setparm global "client min protocol" smb2_02
>> > > > [root@ipaserver ~]# net conf setparm global "client max protocol" smb2_02
>> > > > [root@ipaserver ~]# service winbind restart
>> > > >
>> > > > Shutting down Winbind services:[ OK ]
>> > > > Starting Winbind services: [ OK ]
>> > > >
>> > > > [root@ipaserver ~]# wbinfo -n 'ADDOMAIN\Domain Admins'
>> > > > failed to call wbcLookupName: WBC_ERR_DOMAIN_NOT_FOUND
>> > > > Could not lookup name ADDOMAIN\Domain Admins
>> > > >
>> > > > [root@ipaserver ~]# wbinfo -u
>> > > > [root@ipaserver ~]#
>> > > >
>> > > > The issue is reproducible every time if anyone follows the steps as I have
>> > > > done.
>> > > >
>> > >
>> > > It would be nice if you can send a second round of log files. Please
>> > > stop winbind, remove all *winbind* and *wb* log files in /var/log/samba,
>> > > make sure 'log level' is 10 or higher,
>> > > start winbind, call 'wbinfo -n 'ADDOMAIN\Domain Admins', stop winbind,
>> > > put all *winbind* and *wb* log files in a tar/zip archive and send the
>> > > archive. If you think the archive is too large for a mailing-list feel
>> > > free to send them to me directly.
Re: [Freeipa-users] AD trust showing offline after reboot
Yes, you are correct log level was set to 1.

I have changed the log level value to 10 and collected the log files again, PFA.

[root@ipaserver samba]# net conf setparm global 'log level' 10
[root@ipaserver samba]# net conf list
[global]
    workgroup = IPADOMAIN
    realm = IPADOMAIN.EXAMPLE.COM
    kerberos method = dedicated keytab
    dedicated keytab file = FILE:/etc/samba/samba.keytab
    create krb5 conf = no
    security = user
    domain master = yes
    domain logons = yes
    max log size = 10
    log file = /var/log/samba/log.%m
    passdb backend = ipasam:ldapi://%2fvar%2frun%2fslapd-IPADOMAIN-EXAMPLE-COM.socket
    disable spoolss = yes
    ldapsam:trusted = yes
    ldap ssl = off
    ldap suffix = dc=ipadomain,dc=example,dc=com
    ldap user suffix = cn=users,cn=accounts
    ldap group suffix = cn=groups,cn=accounts
    ldap machine suffix = cn=computers,cn=accounts
    rpc_server:epmapper = external
    rpc_server:lsarpc = external
    rpc_server:lsass = external
    rpc_server:lsasd = external
    rpc_server:samr = external
    rpc_server:netlogon = external
    rpc_server:tcpip = yes
    rpc_daemon:epmd = fork
    rpc_daemon:lsasd = fork
    client min protocol = smb2_02
    client max protocol = smb2_02
    log level = 10

[share]
    comment = Trust test share
    read only = no
    valid users = S-1-5-21-2212595442-2951398754-4232868618
    path = /share

On Tue, May 20, 2014 at 1:38 PM, Sumit Bose wrote:

> On Tue, May 20, 2014 at 01:17:42PM +0530, Supratik Goswami wrote:
> > PFA
>
> somewhat switched the log level back to 1
>
>   doing parameter log level = 1
>
> can you check that 'net conf list' shows 'log level 10', if not please
> set it with
>
> net conf setparm 'log level' 10
>
> bye,
> Sumit
>
> > On Tue, May 20, 2014 at 12:38 PM, Sumit Bose wrote:
> >
> > > On Mon, May 19, 2014 at 05:40:49PM +0530, Supratik Goswami wrote:
> > > > Initially after configuring the setup I rebooted once and I was thinking
> > > > that it worked before the reboot but unfortunately it didn't work the first
> > > > time itself.
Re: [Freeipa-users] AD trust showing offline after reboot
On Tue, May 20, 2014 at 01:17:42PM +0530, Supratik Goswami wrote:
> PFA

somewhat switched the log level back to 1

  doing parameter log level = 1

can you check that 'net conf list' shows 'log level 10', if not please
set it with

net conf setparm 'log level' 10

bye,
Sumit

> On Tue, May 20, 2014 at 12:38 PM, Sumit Bose wrote:
>
> > On Mon, May 19, 2014 at 05:40:49PM +0530, Supratik Goswami wrote:
> > > Initially after configuring the setup I rebooted once and I was thinking
> > > that it worked before the reboot but unfortunately it didn't work the first
> > > time itself.
> > >
> > > Still failing after running the commands.
> > >
> > > [root@ipaserver ~]# net conf setparm global "client min protocol" smb2_02
> > > [root@ipaserver ~]# net conf setparm global "client max protocol" smb2_02
> > > [root@ipaserver ~]# service winbind restart
> > >
> > > Shutting down Winbind services:[ OK ]
> > > Starting Winbind services: [ OK ]
> > >
> > > [root@ipaserver ~]# wbinfo -n 'ADDOMAIN\Domain Admins'
> > > failed to call wbcLookupName: WBC_ERR_DOMAIN_NOT_FOUND
> > > Could not lookup name ADDOMAIN\Domain Admins
> > >
> > > [root@ipaserver ~]# wbinfo -u
> > > [root@ipaserver ~]#
> > >
> > > The issue is reproducible every time if anyone follows the steps as I have
> > > done.
> > >
> >
> > It would be nice if you can send a second round of log files. Please
> > stop winbind, remove all *winbind* and *wb* log files in /var/log/samba,
> > make sure 'log level' is 10 or higher,
> > start winbind, call 'wbinfo -n 'ADDOMAIN\Domain Admins', stop winbind,
> > put all *winbind* and *wb* log files in a tar/zip archive and send the
> > archive. If you think the archive is too large for a mailing-list feel
> > free to send them to me directly.
Re: [Freeipa-users] AD trust showing offline after reboot
PFA

On Tue, May 20, 2014 at 12:38 PM, Sumit Bose wrote:

> On Mon, May 19, 2014 at 05:40:49PM +0530, Supratik Goswami wrote:
> > Initially after configuring the setup I rebooted once and I was thinking
> > that it worked before the reboot but unfortunately it didn't work the first
> > time itself.
> >
> > Still failing after running the commands.
> >
> > [root@ipaserver ~]# net conf setparm global "client min protocol" smb2_02
> > [root@ipaserver ~]# net conf setparm global "client max protocol" smb2_02
> > [root@ipaserver ~]# service winbind restart
> >
> > Shutting down Winbind services:[ OK ]
> > Starting Winbind services: [ OK ]
> >
> > [root@ipaserver ~]# wbinfo -n 'ADDOMAIN\Domain Admins'
> > failed to call wbcLookupName: WBC_ERR_DOMAIN_NOT_FOUND
> > Could not lookup name ADDOMAIN\Domain Admins
> >
> > [root@ipaserver ~]# wbinfo -u
> > [root@ipaserver ~]#
> >
> > The issue is reproducible every time if anyone follows the steps as I have
> > done.
> >
>
> It would be nice if you can send a second round of log files. Please
> stop winbind, remove all *winbind* and *wb* log files in /var/log/samba,
> make sure 'log level' is 10 or higher,
> start winbind, call 'wbinfo -n 'ADDOMAIN\Domain Admins', stop winbind,
> put all *winbind* and *wb* log files in a tar/zip archive and send the
> archive. If you think the archive is too large for a mailing-list feel
> free to send them to me directly.
>
> bye,
> Sumit
>
> > On Mon, May 19, 2014 at 4:45 PM, Sumit Bose wrote:
> >
> > > On Mon, May 19, 2014 at 04:29:24PM +0530, Supratik Goswami wrote:
> > > > Hi
> > > >
> > > > Let me start from the beginning once again. Let me explain you what steps I
> > > > followed during the setup.
> > > >
> > > > I am setting up the environment in Amazon AWS, both Windows AD server and
> > > > Linux IPA configured in EC2.
Re: [Freeipa-users] AD trust showing offline after reboot
On Mon, May 19, 2014 at 05:40:49PM +0530, Supratik Goswami wrote:
> Initially after configuring the setup I rebooted once and I was thinking
> that it worked before the reboot but unfortunately it didn't work the first
> time itself.
>
> Still failing after running the commands.
>
> [root@ipaserver ~]# net conf setparm global "client min protocol" smb2_02
> [root@ipaserver ~]# net conf setparm global "client max protocol" smb2_02
> [root@ipaserver ~]# service winbind restart
>
> Shutting down Winbind services:[ OK ]
> Starting Winbind services: [ OK ]
>
> [root@ipaserver ~]# wbinfo -n 'ADDOMAIN\Domain Admins'
> failed to call wbcLookupName: WBC_ERR_DOMAIN_NOT_FOUND
> Could not lookup name ADDOMAIN\Domain Admins
>
> [root@ipaserver ~]# wbinfo -u
> [root@ipaserver ~]#
>
> The issue is reproducible every time if anyone follows the steps as I have
> done.
>

It would be nice if you can send a second round of log files. Please
stop winbind, remove all *winbind* and *wb* log files in /var/log/samba,
make sure 'log level' is 10 or higher,
start winbind, call 'wbinfo -n 'ADDOMAIN\Domain Admins', stop winbind,
put all *winbind* and *wb* log files in a tar/zip archive and send the
archive. If you think the archive is too large for a mailing-list feel
free to send them to me directly.

bye,
Sumit

>
> On Mon, May 19, 2014 at 4:45 PM, Sumit Bose wrote:
>
> > On Mon, May 19, 2014 at 04:29:24PM +0530, Supratik Goswami wrote:
> > > Hi
> > >
> > > Let me start from the beginning once again. Let me explain you what steps I
> > > followed during the setup.
> > >
> > > I am setting up the environment in Amazon AWS, both Windows AD server and
> > > Linux IPA configured in EC2.
> > > For configuring Windows 2008 I selected
> > > Windows_Server-2008-R2_SP1-English-64Bit-Base-2014.04.09 (ami-df8e93b6)
> > > and for configuring IPA server I selected CentOS 6.5 (x86_64) - Release
> > > Media (ami-8997afe0).
Re: [Freeipa-users] AD trust showing offline after reboot
Initially after configuring the setup I rebooted once and I was thinking that it worked before the reboot but unfortunately it didn't work the first time itself.

Still failing after running the commands.

[root@ipaserver ~]# net conf setparm global "client min protocol" smb2_02
[root@ipaserver ~]# net conf setparm global "client max protocol" smb2_02
[root@ipaserver ~]# service winbind restart

Shutting down Winbind services:[ OK ]
Starting Winbind services: [ OK ]

[root@ipaserver ~]# wbinfo -n 'ADDOMAIN\Domain Admins'
failed to call wbcLookupName: WBC_ERR_DOMAIN_NOT_FOUND
Could not lookup name ADDOMAIN\Domain Admins

[root@ipaserver ~]# wbinfo -u
[root@ipaserver ~]#

The issue is reproducible every time if anyone follows the steps as I have done.

On Mon, May 19, 2014 at 4:45 PM, Sumit Bose wrote:

> On Mon, May 19, 2014 at 04:29:24PM +0530, Supratik Goswami wrote:
> > Hi
> >
> > Let me start from the beginning once again. Let me explain you what steps I
> > followed during the setup.
> >
> > I am setting up the environment in Amazon AWS, both Windows AD server and
> > Linux IPA configured in EC2.
> > For configuring Windows 2008 I selected
> > Windows_Server-2008-R2_SP1-English-64Bit-Base-2014.04.09 (ami-df8e93b6)
> > and for configuring IPA server I selected CentOS 6.5 (x86_64) - Release
> > Media (ami-8997afe0).
> >
> > I followed the steps from
> > http://www.freeipa.org/page/Howto/IPAv3_AD_trust_setup and also kept the
> > domain names
> > similar as in the example.
> >
> > IPA server hostname: ipaserver
> > IPA domain: ipadomain.example.com
> > IPA NetBIOS: IPADOMAIN
> >
> > AD DC hostname: adserver
> > AD domain: addomain.example.com
> > AD NetBIOS: ADDOMAIN
> >
> >
> > 1. Updated the system and install the packages.
> >
> > # yum update -y
> > # yum install -y "*ipa-server" "*ipa-server-trust-ad"
> > samba4-winbind-clients samba4-winbind samba4-client bind bind-dyndb-ldap
> >
> > List of important packages installed during the update are as follows.
Re: [Freeipa-users] AD trust showing offline after reboot
On Mon, May 19, 2014 at 04:29:24PM +0530, Supratik Goswami wrote:
> Hi
>
> Let me start from the beginning once again. Let me explain you what steps I
> followed during the setup.
>
> I am setting up the environment in Amazon AWS, both Windows AD server and
> Linux IPA configured in EC2.
> For configuring Windows 2008 I selected
> Windows_Server-2008-R2_SP1-English-64Bit-Base-2014.04.09 (ami-df8e93b6)
> and for configuring IPA server I selected CentOS 6.5 (x86_64) - Release
> Media (ami-8997afe0).
>
> I followed the steps from
> http://www.freeipa.org/page/Howto/IPAv3_AD_trust_setup and also kept the
> domain names
> similar as in the example.
>
> IPA server hostname: ipaserver
> IPA domain: ipadomain.example.com
> IPA NetBIOS: IPADOMAIN
>
> AD DC hostname: adserver
> AD domain: addomain.example.com
> AD NetBIOS: ADDOMAIN
>
>
> 1. Updated the system and install the packages.
>
> # yum update -y
> # yum install -y "*ipa-server" "*ipa-server-trust-ad"
> samba4-winbind-clients samba4-winbind samba4-client bind bind-dyndb-ldap
>
> List of important packages installed during the update are as follows.
>
> bind                     x86_64  32:9.8.2-0.23.rc1.el6_5.1
> bind-dyndb-ldap          x86_64  2.3-5.el6
>
> ipa-server               x86_64  3.0.0-37.el6
> ipa-server-trust-ad      x86_64  3.0.0-37.el6
> ipa-admintools           x86_64  3.0.0-37.el6
> ipa-client               x86_64  3.0.0-37.el6
> ipa-pki-ca-theme         noarch  9.0.3-7.el6
> ipa-pki-common-theme     noarch  9.0.3-7.el6
> ipa-python               x86_64  3.0.0-37.el6
> ipa-server-selinux       x86_64  3.0.0-37.el6
>
> samba4-client            x86_64  4.0.0-61.el6_5.rc4
> samba4-winbind           x86_64  4.0.0-61.el6_5.rc4
> samba4-winbind-clients   x86_64  4.0.0-61.el6_5.rc4
> samba4                   x86_64  4.0.0-61.el6_5.rc4
> samba4-common            x86_64  4.0.0-61.el6_5.rc4
> samba4-libs              x86_64  4.0.0-61.el6_5.rc4
> samba4-python            x86_64  4.0.0-61.el6_5.rc4

ah, sorry, I this might be a known issue, but I got on a wrong track because I thought it was working initially and only failed after reboot.

Please try to set "client min protocol" and "client max protocol" in the samba configuration:

net conf setparm global "client min protocol" smb2_02
net conf setparm global "client max protocol" smb2_02

restart winbind and try again.

HTH

bye,
Sumit

>
> 389-ds-base              x86_64  1.2.11.15-32.el6_5
> 389-ds-base-libs         x86_64  1.2.11.15-32.el6_5
>
> certmonger               x86_64  0.61-3.el6
>
> krb5-server              x86_64  1.10.3-15.el6_5.1
> krb5-workstation         x86_64  1.10.3-15.el6_5.1
>
> sssd                     x86_64  1.9.2-129.el6_5.4
> sssd-client              x86_64  1.9.2-129.el6_5.4
>

___
Freeipa-users mailing list
Freeipa-users@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users
Re: [Freeipa-users] AD trust showing offline after reboot
Hi

Let me start from the beginning once again. Let me explain you what steps I followed during the setup.

I am setting up the environment in Amazon AWS, both Windows AD server and Linux IPA configured in EC2.
For configuring Windows 2008 I selected Windows_Server-2008-R2_SP1-English-64Bit-Base-2014.04.09 (ami-df8e93b6) and for configuring IPA server I selected CentOS 6.5 (x86_64) - Release Media (ami-8997afe0).

I followed the steps from http://www.freeipa.org/page/Howto/IPAv3_AD_trust_setup and also kept the domain names similar as in the example.

IPA server hostname: ipaserver
IPA domain: ipadomain.example.com
IPA NetBIOS: IPADOMAIN

AD DC hostname: adserver
AD domain: addomain.example.com
AD NetBIOS: ADDOMAIN


1. Updated the system and install the packages.

# yum update -y
# yum install -y "*ipa-server" "*ipa-server-trust-ad" samba4-winbind-clients samba4-winbind samba4-client bind bind-dyndb-ldap

List of important packages installed during the update are as follows.

bind                     x86_64  32:9.8.2-0.23.rc1.el6_5.1
bind-dyndb-ldap          x86_64  2.3-5.el6

ipa-server               x86_64  3.0.0-37.el6
ipa-server-trust-ad      x86_64  3.0.0-37.el6
ipa-admintools           x86_64  3.0.0-37.el6
ipa-client               x86_64  3.0.0-37.el6
ipa-pki-ca-theme         noarch  9.0.3-7.el6
ipa-pki-common-theme     noarch  9.0.3-7.el6
ipa-python               x86_64  3.0.0-37.el6
ipa-server-selinux       x86_64  3.0.0-37.el6

samba4-client            x86_64  4.0.0-61.el6_5.rc4
samba4-winbind           x86_64  4.0.0-61.el6_5.rc4
samba4-winbind-clients   x86_64  4.0.0-61.el6_5.rc4
samba4                   x86_64  4.0.0-61.el6_5.rc4
samba4-common            x86_64  4.0.0-61.el6_5.rc4
samba4-libs              x86_64  4.0.0-61.el6_5.rc4
samba4-python            x86_64  4.0.0-61.el6_5.rc4

389-ds-base              x86_64  1.2.11.15-32.el6_5
389-ds-base-libs         x86_64  1.2.11.15-32.el6_5

certmonger               x86_64  0.61-3.el6

krb5-server              x86_64  1.10.3-15.el6_5.1
krb5-workstation         x86_64  1.10.3-15.el6_5.1

sssd                     x86_64  1.9.2-129.el6_5.4
sssd-client              x86_64  1.9.2-129.el6_5.4


2. System details

[root@ipaserver ~]# hostname
ipaserver.ipadomain.example.com

[root@ipaserver ~]# cat /etc/issue
CentOS release 6.5 (Final)
Kernel \r on an \m

[root@ipaserver ~]# uname -a
Linux ipaserver.ipadomain.example.com 2.6.32-431.17.1.el6.x86_64 #1 SMP Wed May 7 23:32:49 UTC 2014 x86_64 x86_64 x86_64 GNU/Linux

[root@ipaserver ~]# cat /etc/hosts
127.0.0.1 localhost.localdomain localhost
::1 localhost6.localdomain6 localhost6
10.21.0.121 ipaserver.ipadomain.example.com ipaserver


3. Install IPA server

[root@ipaserver ~]# ipa-server-install --domain=ipadomain.example.com --realm=IPADOMAIN.EXAMPLE.COM --setup-dns --no-forwarders

The IPA Master Server will be configured with:
Hostname:    ipaserver.ipadomain.example.com
IP address:  10.21.0.121
Domain name: ipadomain.example.com
Realm name:  IPADOMAIN.EXAMPLE.COM

BIND DNS server will be configured to serve IPA domain with:
Forwarders:   No forwarders
Reverse zone: 0.21.10.in-addr.arpa.
...
...

The install was successful and no errors during the installation.


4. Login as admin and verify IPA users are available to the system service

[root@ipaserver ~]# kinit admin
Password for ad...@ipadomain.example.com:

[root@ipaserver ~]# id admin
uid=18960(admin) gid=18960(admins) groups=18960(admins)

[root@ipaserver ~]# getent passwd admin
admin:*:18960:18960:Administrator:/home/admin:/bin/bash


5. Configure IPA server for cross-realm trust.

[root@ipaserver ~]# ipa-adtrust-install --netbios-name=IPADOMAIN

The log file for this installation can be found in /var/log/ipaserver-install.log
==
This program will setup components needed to establish trust to AD domains for the FreeIPA Server.

This includes:
* Configure Samba
* Add trust related objects to FreeIPA LDAP server
...
...

All completed successfully.


6. I disabled the firewalls and also during the boot up.

[root@ipaserver ~]# chkconfig --list iptables
iptables 0:off 1:off 2:off 3:off 4:off 5:off 6:off


7. DNS configuration

On windows:

C:\Windows\system32>dnscmd 127.0.0.1 /ZoneAdd ipadomain.example.com /Forwarder 10.21.0.121
DNS Server 127.0.0.1 created zone ipadomain.example.com:
Command completed successfully.

On Linux:

[root@ipaserver ~]# ipa dnszone-add addomain.example.com --name-server=adserver.addomain.example.com --admin-email='hostmas...@addomain.example.com' --force --forwarder=10.21.0.231 --forward-policy=only --ip-address=10.21.0.231
Zone name: addomain.example.com
Authoritative nameserver: adserver.addomain.example.com
Administrator e-mail address: hostmaster.addomain.example.com.
SOA serial: 1400486308
SOA refresh: 3600
SOA retry: 900
SOA expire: 1209600
SOA mini
Re: [Freeipa-users] AD trust showing offline after reboot
The IP 10.255.0.4 belongs to the Windows 2008 R2 system running AD DC.

I disabled the firewall but still the problem is there :-(

On Fri, May 16, 2014 at 7:14 PM, Sumit Bose wrote:
> On Fri, May 16, 2014 at 04:29:33PM +0530, Supratik Goswami wrote:
> > Yes DNS is working fine and is able to return the IP address of the AD server.
> >
> > [root@master samba]# dig SRV _ldap._tcp.ad.idm.example.com
> >
> > ; <<>> DiG 9.8.2rc1-RedHat-9.8.2-0.23.rc1.el6_5.1 <<>> SRV _ldap._tcp.ad.idm.example.com
> > ;; global options: +cmd
> > ;; Got answer:
> > ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 29147
> > ;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1
> >
> > ;; QUESTION SECTION:
> > ;_ldap._tcp.ad.idm.example.com. IN SRV
> >
> > ;; ANSWER SECTION:
> > _ldap._tcp.ad.idm.example.com. 600 IN SRV 0 100 389 master.ad.idm.example.com.
> >
> > ;; ADDITIONAL SECTION:
> > master.ad.idm.example.com. 3600 IN A 10.255.0.4
> >
> > ;; Query time: 1 msec
> > ;; SERVER: 10.255.0.4#53(10.255.0.4)
> > ;; WHEN: Fri May 16 10:46:23 2014
> > ;; MSG SIZE rcvd: 106
> >
> > In my case AD is the netbios name of the AD domain. Please find the log message from the file log.wb-AD.
> >
> > ...
Re: [Freeipa-users] AD trust showing offline after reboot
On Fri, May 16, 2014 at 04:29:33PM +0530, Supratik Goswami wrote:
> Yes DNS is working fine and is able to return the IP address of the AD server.
>
> [root@master samba]# dig SRV _ldap._tcp.ad.idm.example.com
>
> ; <<>> DiG 9.8.2rc1-RedHat-9.8.2-0.23.rc1.el6_5.1 <<>> SRV _ldap._tcp.ad.idm.example.com
> ;; global options: +cmd
> ;; Got answer:
> ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 29147
> ;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1
>
> ;; QUESTION SECTION:
> ;_ldap._tcp.ad.idm.example.com. IN SRV
>
> ;; ANSWER SECTION:
> _ldap._tcp.ad.idm.example.com. 600 IN SRV 0 100 389 master.ad.idm.example.com.
>
> ;; ADDITIONAL SECTION:
> master.ad.idm.example.com. 3600 IN A 10.255.0.4
>
> ;; Query time: 1 msec
> ;; SERVER: 10.255.0.4#53(10.255.0.4)
> ;; WHEN: Fri May 16 10:46:23 2014
> ;; MSG SIZE rcvd: 106
>
> In my case AD is the netbios name of the AD domain. Please find the log message from the file log.wb-AD.
>
> ...
> [2014/05/16 10:50:37.542420, 5, pid=3305, effective(0, 0), real(0, 0)]
> [2014/05/16 10:50:44.451669, 3, pid=3305, effective(0, 0), real(0, 0)] ../source3/lib/util_sock.c:585(open_socket_out_send)
>   Connecting to 10.255.0.4 at port 445
> [2014/05/16 10:50:44.452793, 3, pid=3305, effective(0, 0), real(0, 0)] ../source3/libsmb/clidgram.c:333(nbt_getdc_send)
>   No nmbd found
> [2014/05/16 10:50:44.452930, 10, pid=3305, effective(0, 0), real(0, 0)] ../source3/libsmb/namequery.c:916(name_status_find)
>   name_status_find: looking up AD#1c at 10.255.0.4
> [2014/05/16 10:50:44.453044, 5, pid=3305, effective(0, 0), real(0, 0)] ../source3/libsmb/namecache.c:299(namecache_status_fetch)
>   namecache_status_fetch: no entry for NBT/AD#1C.20.10.255.0.4 found.
> [2014/05/16 10:50:44.453279, 10, pid=3305, effective(0, 0), real(0, 0)] ../source3/lib/util_sock.c:499(open_socket_in)
>   bind succeeded on port 0
> [2014/05/16 10:50:44.453449, 10, pid=3305, effective(0, 0), real(0, 0)] ../source3/libsmb/unexpected.c:546(nb_packet_reader_connected)
>   async_connect failed: No such file or directory
> [2014/05/16 10:50:44.453564, 10, pid=3305, effective(0, 0), real(0, 0)] ../source3/libsmb/namequery.c:600(nb_trans_got_reader)
>   nmbd not around
> [2014/05/16 10:50:45.454766, 10, pid=3305, effective(0, 0), real(0, 0)] ../source3/lib/events.c:216(run_events_poll)
>   Running timed event "tevent_req_timedout" 0x1750470
> [2014/05/16 10:50:46.456103, 10, pid=3305, effective(0, 0), real(0, 0)] ../source3/lib/events.c:216(run_events_poll)
>   Running timed event "tevent_req_timedout" 0x1750470
> [2014/05/16 10:50:47.457451, 10, pid=3305, effective(0, 0), real(0, 0)] ../source3/lib/events.c:216(run_events_poll)
>   Running timed event "tevent_req_timedout" 0x1750470
> [2014/05/16 10:50:48.458773, 10, pid=3305, effective(0, 0), real(0, 0)] ../source3/lib/events.c:216(run_events_poll)
>   Running timed event "tevent_req_timedout" 0x1750470
> [2014/05/16 10:50:49.460093, 10, pid=3305, effective(0, 0), real(0, 0)] ../source3/lib/events.c:216(run_events_poll)
>   Running timed event "tevent_req_timedout" 0x1750470
> [2014/05/16 10:50:50.461420, 10, pid=3305, effective(0, 0), real(0, 0)] ../source3/lib/events.c:216(run_events_poll)
>   Running timed event "tevent_req_timedout" 0x1750470
> [2014/05/16 10:50:51.462723, 10, pid=3305, effective(0, 0), real(0, 0)] ../source3/lib/events.c:216(run_events_poll)
>   Running timed event "tevent_req_timedout" 0x1750470
> [2014/05/16 10:50:52.464265, 10, pid=3305, effective(0, 0), real(0, 0)] ../source3/lib/events.c:216(run_events_poll)
>   Running timed event "tevent_req_timedout" 0x1750470
> [2014/05/16 10:50:53.465546, 10, pid=3305, effective(0, 0), real(0, 0)] ../source3/lib/events.c:216(run_events_poll)
>   Running timed event "tevent_req_timedout" 0x1750470
> [2014/05/16 10:50:54.455168, 10, pid=3305, effective(0, 0), real(0, 0)] ../source3/lib/events.c:216(run_events_poll)
>   Running timed event "tevent_req_timedout" 0x1750590
> [2014/05/16 10:50:54.455385, 10, pid=3305, effective(0, 0), real(0, 0)] ../source3/libsmb/namequery.c:962(name_status_find)
>   name_status_find: name not found
> [2014/05/16 10:50:54.455497, 10, pid=3305, effective(0, 0), real(0, 0), class=tdb] ../source3/lib/gencache.c:179(gencache_set_data_blob)
>   Adding cache entry with key = NEG_CONN_CACHE/AD,10.255.0.4 and timeout = Fri May 16 10:51:54 2014 (60 seconds ahead)
> [2014/05/16 10:50:54.455739, 9, pid=3305, effective(0, 0), real(0, 0)] ../source3/libsmb/conncache.c:189(add_failed_connection_entry)
>   add_failed_connection_entry: added domain AD (10.255.0.4) to failed conn cache
> class=tdb] ../source3/lib/gencache.c:246(gencache_del)
>   Deleting cache entry (key = SAFJOIN/DOMAIN/AD)
> [2014/05/16 10:50:54.455967, 10, pid=3305, effective(0, 0), real(0, 0), class=tdb] ../source3/lib/gencache.c:246(gencache_del)
>   Deleting cache entry (key = SAF/DOMAIN/AD)
> [2014/05/16 10:50
Re: [Freeipa-users] AD trust showing offline after reboot
On Thu, May 15, 2014 at 11:57:46PM +0530, Supratik Goswami wrote:
> > Does ipa trust-find and trust-show still show the trust relationship?
>
> Yes, it is listing the AD domain.
>
> After setting the debug level to 10 I got the below message after running
> the command "wbinfo -n 'AD\Domain Admins' "
>

The log.wb-DOMAIN is needed here to identify why winbindd is not able to reach the DC.

Have you checked if DNS is still working and can resolve SRV records for the AD domain, e.g.

dig SRV _ldap._tcp.AD.DNS.DOMAIN

should return IP addresses for your DCs.

bye,
Sumit

___
Freeipa-users mailing list
Freeipa-users@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users
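Added example (not written by anyone in this thread): one way to read a level-10 log.wb-DOMAIN file for the reason winbindd cannot reach the DC, by pairing each debug header with its message and pulling out the NetBIOS lookup, timeout and failed-connection-cache events. The sample lines are abridged from the log.wb-AD excerpt quoted in this thread; the function names are hypothetical.

```python
import re

# Sample input, abridged from the log.wb-AD excerpt quoted in this thread
# (header and source location rejoined on one line, message on the next).
SAMPLE_LOG = """\
[2014/05/16 10:50:44.451669, 3, pid=3305, effective(0, 0), real(0, 0)] ../source3/lib/util_sock.c:585(open_socket_out_send)
  Connecting to 10.255.0.4 at port 445
[2014/05/16 10:50:44.452793, 3, pid=3305, effective(0, 0), real(0, 0)] ../source3/libsmb/clidgram.c:333(nbt_getdc_send)
  No nmbd found
[2014/05/16 10:50:44.452930, 10, pid=3305, effective(0, 0), real(0, 0)] ../source3/libsmb/namequery.c:916(name_status_find)
  name_status_find: looking up AD#1c at 10.255.0.4
[2014/05/16 10:50:45.454766, 10, pid=3305, effective(0, 0), real(0, 0)] ../source3/lib/events.c:216(run_events_poll)
  Running timed event "tevent_req_timedout" 0x1750470
[2014/05/16 10:50:54.455168, 10, pid=3305, effective(0, 0), real(0, 0)] ../source3/lib/events.c:216(run_events_poll)
  Running timed event "tevent_req_timedout" 0x1750590
[2014/05/16 10:50:54.455385, 10, pid=3305, effective(0, 0), real(0, 0)] ../source3/libsmb/namequery.c:962(name_status_find)
  name_status_find: name not found
[2014/05/16 10:50:54.455497, 10, pid=3305, effective(0, 0), real(0, 0), class=tdb] ../source3/lib/gencache.c:179(gencache_set_data_blob)
  Adding cache entry with key = NEG_CONN_CACHE/AD,10.255.0.4 and timeout = Fri May 16 10:51:54 2014 (60 seconds ahead)
[2014/05/16 10:50:54.455739, 9, pid=3305, effective(0, 0), real(0, 0)] ../source3/libsmb/conncache.c:189(add_failed_connection_entry)
  add_failed_connection_entry: added domain AD (10.255.0.4) to failed conn cache
"""

HEADER = re.compile(
    r"^\[(?P<time>\d{4}/\d\d/\d\d [\d:.]+),\s*(?P<level>\d+),[^\]]*\]"
    r"(?:\s+\S+:\d+\((?P<func>\w+)\))?\s*$")
PATTERNS = {
    "connect": re.compile(r"Connecting to (\S+) at port (\d+)"),
    "nbt_query": re.compile(r"name_status_find: looking up (\S+) at (\S+)"),
    "neg_cache": re.compile(
        r"key = NEG_CONN_CACHE/([^,]+),(\S+) and timeout = .*\((\d+) seconds ahead\)"),
    "failed": re.compile(r"added domain (\S+) \((\S+)\) to failed conn cache"),
}

def parse_entries(text):
    """Attach each message line to the debug header that precedes it."""
    entries = []
    for line in text.splitlines():
        m = HEADER.match(line)
        if m:
            entries.append({**m.groupdict(), "msg": ""})
        elif entries and line.strip():
            entries[-1]["msg"] = (entries[-1]["msg"] + " " + line.strip()).strip()
    return entries

def triage(entries):
    """Collect the events that explain why winbindd gave up on a DC."""
    found = {key: [] for key in PATTERNS}
    found.update(nmbd_missing=False, nbt_not_found=False, timeouts=0)
    for entry in entries:
        msg = entry["msg"]
        for key, rx in PATTERNS.items():
            m = rx.search(msg)
            if m:
                found[key].append(m.groups())
        found["nmbd_missing"] |= msg in ("No nmbd found", "nmbd not around")
        found["nbt_not_found"] |= msg == "name_status_find: name not found"
        found["timeouts"] += "tevent_req_timedout" in msg
    return found

def summarize(found):
    """One line per domain that winbindd put in its failed-connection cache."""
    report = []
    for domain, ip in found["failed"]:
        cause = "cause not visible in this excerpt"
        if found["nbt_not_found"]:
            names = ", ".join(name for name, _ in found["nbt_query"])
            cause = f"NetBIOS name status query for {names} got no answer"
        ttl = next((s for d, _, s in found["neg_cache"] if d == domain), "?")
        report.append(f"{domain} ({ip}): {cause}; negative cache entry lasts {ttl}s")
    return report

if __name__ == "__main__":
    print("\n".join(summarize(triage(parse_entries(SAMPLE_LOG)))))
```

Message lines that Samba wraps onto a second line, such as "(60 seconds ahead)", are joined to the entry they belong to before matching, so a raw log file can be passed in unchanged.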
Re: [Freeipa-users] AD trust showing offline after reboot
> Does ipa trust-find and trust-show still show the trust relationship?
>

Yes, it is listing the AD domain.

After setting the debug level to 10 I got the below message after running the command "wbinfo -n 'AD\Domain Admins' "

==> /var/log/samba/log.winbindd <==
[2014/05/15 18:23:42.437167, 6, pid=1570, effective(0, 0), real(0, 0), class=winbind] ../source3/winbindd/winbindd.c:827(new_connection)
  accepted socket 20
[2014/05/15 18:23:42.437556, 10, pid=1570, effective(0, 0), real(0, 0), class=winbind] ../source3/winbindd/winbindd.c:677(process_request)
  process_request: request fn INTERFACE_VERSION
[2014/05/15 18:23:42.437667, 3, pid=1570, effective(0, 0), real(0, 0), class=winbind] ../source3/winbindd/winbindd_misc.c:393(winbindd_interface_version)
  [ 2591]: request interface version
[2014/05/15 18:23:42.437816, 10, pid=1570, effective(0, 0), real(0, 0), class=winbind] ../source3/winbindd/winbindd.c:773(winbind_client_response_written)
  winbind_client_response_written[2591:INTERFACE_VERSION]: delivered response to client
[2014/05/15 18:23:42.438223, 10, pid=1570, effective(0, 0), real(0, 0), class=winbind] ../source3/winbindd/winbindd.c:677(process_request)
  process_request: request fn WINBINDD_PRIV_PIPE_DIR
[2014/05/15 18:23:42.438352, 3, pid=1570, effective(0, 0), real(0, 0), class=winbind] ../source3/winbindd/winbindd_misc.c:426(winbindd_priv_pipe_dir)
  [ 2591]: request location of privileged pipe
[2014/05/15 18:23:42.438486, 10, pid=1570, effective(0, 0), real(0, 0), class=winbind] ../source3/winbindd/winbindd.c:773(winbind_client_response_written)
  winbind_client_response_written[2591:WINBINDD_PRIV_PIPE_DIR]: delivered response to client
[2014/05/15 18:23:42.438954, 6, pid=1570, effective(0, 0), real(0, 0), class=winbind] ../source3/winbindd/winbindd.c:827(new_connection)
  accepted socket 22
[2014/05/15 18:23:42.439261, 6, pid=1570, effective(0, 0), real(0, 0), class=winbind] ../source3/winbindd/winbindd.c:875(winbind_client_request_read)
  closing socket 20, client exited
[2014/05/15 18:23:42.439576, 10, pid=1570, effective(0, 0), real(0, 0), class=winbind] ../source3/winbindd/winbindd.c:677(process_request)
  process_request: request fn INTERFACE_VERSION
[2014/05/15 18:23:42.439912, 3, pid=1570, effective(0, 0), real(0, 0), class=winbind] ../source3/winbindd/winbindd_misc.c:393(winbindd_interface_version)
  [ 2591]: request interface version
[2014/05/15 18:23:42.440177, 10, pid=1570, effective(0, 0), real(0, 0), class=winbind] ../source3/winbindd/winbindd.c:773(winbind_client_response_written)
  winbind_client_response_written[2591:INTERFACE_VERSION]: delivered response to client
[2014/05/15 18:23:42.500902, 10, pid=1570, effective(0, 0), real(0, 0), class=winbind] ../source3/winbindd/winbindd.c:677(process_request)
  process_request: request fn INFO
[2014/05/15 18:23:42.501152, 3, pid=1570, effective(0, 0), real(0, 0), class=winbind] ../source3/winbindd/winbindd_misc.c:381(winbindd_info)
  [ 2591]: request misc info
[2014/05/15 18:23:42.501397, 10, pid=1570, effective(0, 0), real(0, 0), class=winbind] ../source3/winbindd/winbindd.c:773(winbind_client_response_written)
  winbind_client_response_written[2591:INFO]: delivered response to client
[2014/05/15 18:23:42.501707, 10, pid=1570, effective(0, 0), real(0, 0), class=winbind] ../source3/winbindd/winbindd.c:677(process_request)
  process_request: request fn NETBIOS_NAME
[2014/05/15 18:23:42.502077, 3, pid=1570, effective(0, 0), real(0, 0), class=winbind] ../source3/winbindd/winbindd_misc.c:414(winbindd_netbios_name)
  [ 2591]: request netbios name
[2014/05/15 18:23:42.502323, 10, pid=1570, effective(0, 0), real(0, 0), class=winbind] ../source3/winbindd/winbindd.c:773(winbind_client_response_written)
  winbind_client_response_written[2591:NETBIOS_NAME]: delivered response to client
[2014/05/15 18:23:42.502619, 10, pid=1570, effective(0, 0), real(0, 0), class=winbind] ../source3/winbindd/winbindd.c:677(process_request)
  process_request: request fn DOMAIN_NAME
[2014/05/15 18:23:42.502990, 3, pid=1570, effective(0, 0), real(0, 0), class=winbind] ../source3/winbindd/winbindd_misc.c:403(winbindd_domain_name)
  [ 2591]: request domain name
[2014/05/15 18:23:42.503243, 10, pid=1570, effective(0, 0), real(0, 0), class=winbind] ../source3/winbindd/winbindd.c:773(winbind_client_response_written)
  winbind_client_response_written[2591:DOMAIN_NAME]: delivered response to client
[2014/05/15 18:23:42.503545, 10, pid=1570, effective(0, 0), real(0, 0), class=winbind] ../source3/winbindd/winbindd.c:677(process_request)
  process_request: request fn DOMAIN_INFO
[2014/05/15 18:23:42.503884, 3, pid=1570, effective(0, 0), real(0, 0), class=winbind] ../source3/winbindd/winbindd_misc.c:235(winbindd_domain_info)
  [ 2591]: domain_info [IPA]
[2014/05/15 18:23:42.504237, 10, pid=1570, effective(0, 0), real(0, 0), class=winbind] ../source3/winbindd/winbindd.c:773(winbind_client_response_written)
  winbind_client_response_written[2591:DOMAIN_INFO]: de
Re: [Freeipa-users] AD trust showing offline after reboot
On Thu, May 15, 2014 at 02:40:57PM +0530, Supratik Goswami wrote:
> Also, when I am running " wbinfo -n 'AD\Domain Admins' " I am getting the
> below error.
>
> [root@master packages]# wbinfo -n 'AD\Domain Admins'
> failed to call wbcLookupName: WBC_ERR_DOMAIN_NOT_FOUND
> Could not lookup name AD\Domain Admins

Does ipa trust-find and trust-show still show the trust relationship?

The next step I'd try is getting some more debug information from winbind. Set:

"smbcontrol winbindd debug 10"

Then check out the samba logs at /var/log/samba/*
Re: [Freeipa-users] AD trust showing offline after reboot
Also, when I am running " wbinfo -n 'AD\Domain Admins' " I am getting the below error.

[root@master packages]# wbinfo -n 'AD\Domain Admins'
failed to call wbcLookupName: WBC_ERR_DOMAIN_NOT_FOUND
Could not lookup name AD\Domain Admins

On Thu, May 15, 2014 at 1:28 PM, Supratik Goswami wrote:
> "ipactl status" shows all in running state.
>
> [root@master packages]# ipactl status
> Directory Service: RUNNING
> KDC Service: RUNNING
> KPASSWD Service: RUNNING
> DNS Service: RUNNING
> MEMCACHE Service: RUNNING
> HTTP Service: RUNNING
> CA Service: RUNNING
> ADTRUST Service: RUNNING
> EXTID Service: RUNNING
>
> "ipa user-show" also shows the user
>
> [root@master packages]# ipa user-show
> User login: admin
> User login: admin
> Last name: Administrator
> Home directory: /home/admin
> Login shell: /bin/bash
> UID: 60260
> GID: 60260
> Account disabled: False
> Password: True
> Member of groups: admins, trust admins
> Kerberos keys available: True
>
> I am using IPA version 3.0.0.
>
> On Thu, May 15, 2014 at 1:14 PM, Jakub Hrozek wrote:
>
>> On Thu, May 15, 2014 at 12:51:13PM +0530, Supratik Goswami wrote:
>> > Hi
>> >
>> > I followed the instructions mentioned in
>> > http://www.freeipa.org/page/Howto/IPAv3_AD_trust_setup to configure AD
>> > trust with IPA server.
>> >
>> > I successfully established the trust and was also able to list all AD users,
>> > but after I rebooted the system "wbinfo --online-status" returns offline for
>> > the AD domain and "wbinfo -u" is also not returning anything.
>> >
>> > Is there anything I need to change to make it work across reboots?
>>
>> Did IPA start at all according to the ipactl status? Are you able to
>> see native IPA users with "ipa user-show" ?
>>
>> What is the IPA version you are using?
>
> --
> Warm Regards
>
> Supratik

--
Warm Regards

Supratik
Re: [Freeipa-users] AD trust showing offline after reboot
On Thu, May 15, 2014 at 12:51:13PM +0530, Supratik Goswami wrote:
> Hi
>
> I followed the instructions mentioned in
> http://www.freeipa.org/page/Howto/IPAv3_AD_trust_setup to configure AD
> trust with IPA server.
>
> I successfully established the trust and was also able to list all AD users,
> but after I rebooted the system "wbinfo --online-status" returns offline for
> the AD domain and "wbinfo -u" is also not returning anything.
>
> Is there anything I need to change to make it work across reboots?

Did IPA start at all according to the ipactl status? Are you able to see native IPA users with "ipa user-show" ?

What is the IPA version you are using?
[Freeipa-users] AD trust showing offline after reboot
Hi

I followed the instructions mentioned in http://www.freeipa.org/page/Howto/IPAv3_AD_trust_setup to configure AD trust with IPA server.

I successfully established the trust and was also able to list all AD users, but after I rebooted the system "wbinfo --online-status" returns offline for the AD domain and "wbinfo -u" is also not returning anything.

Is there anything I need to change to make it work across reboots?

--
Warm Regards

Supratik