Re: [Freeipa-users] Can't establish trust with 2008 AD
On Fri, 10 Jun 2016, pgb205 wrote:
> Alexander, here you go. One thing that came to mind that might be a problem. My Active Directory is adserver.addomain.com while IPA is ipax1.ipadomain; there is no suffix. Not sure if that would matter. Anyway, here is the log as requested.

So here is what we see:

ads_try_connect: sending CLDAP request to 172.19.1.10 (realm: (null))
ads_cldap_netlogon: did not get a reply
ads_try_connect: CLDAP request 172.19.1.10 failed.

You have real connectivity issues -- CLDAP is UDP port 389. Check your firewall.

-- 
/ Alexander Bokovoy

-- 
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project
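The exchange Alexander is pointing at, as an added example that is not part of the thread and is not Samba or FreeIPA code: the CLDAP "LDAP ping" that `net ads lookup` and Samba's `ads_cldap_netlogon()` send to UDP/389, plus a parser for the NETLOGON_SAM_LOGON_RESPONSE_EX blob a DC returns in the `Netlogon` attribute (layout per MS-ADTS 6.3.1.9, BER hand-rolled so no extra module is needed). The DC address 172.19.1.10, the domain addomain.com and the host dc.addomain.com come from the thread; the domain GUID, site name and flag bits in the constructed sample reply are made up, and `ldap_ping()` is my helper name.

```python
# CLDAP "LDAP ping" to a domain controller on UDP/389 (added example; not Samba or FreeIPA code).
# Builds the SearchRequest and parses the NETLOGON_SAM_LOGON_RESPONSE_EX blob (MS-ADTS 6.3.1.9).
import socket
import struct
import uuid

DS_FLAGS = {0x1: "PDC", 0x4: "GC", 0x8: "LDAP", 0x10: "DS", 0x20: "KDC", 0x40: "TIMESERV", 0x80: "CLOSEST", 0x100: "WRITABLE"}  # MS-ADTS 6.3.1.2 subset
NT_VERSION_5, NT_VERSION_5EX, RESPONSE_EX_OPCODE = 0x2, 0x4, 0x17
NAME_FIELDS = ("dns_forest", "dns_domain", "dns_host", "netbios_domain", "netbios_host", "user", "dc_site", "client_site")  # spec order

def tlv(tag, body):
    """Minimal BER TLV encoder (short and long definite-length forms)."""
    n = len(body)
    lb = b"" if n < 0x80 else n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, n if n < 0x80 else 0x80 | len(lb)]) + lb + body

def ber_str(s):
    return tlv(0x04, s if isinstance(s, bytes) else s.encode())

def build_ldap_ping(dns_domain, msg_id=1):
    """SearchRequest on the root DSE: (&(DnsDomain=<domain>)(NtVer=<LE32>)), attrs=[Netlogon]."""
    ntver = struct.pack("<I", NT_VERSION_5 | NT_VERSION_5EX)
    flt = tlv(0xA0, tlv(0xA3, ber_str("DnsDomain") + ber_str(dns_domain))
              + tlv(0xA3, ber_str("NtVer") + ber_str(ntver)))        # and(equalityMatch, equalityMatch)
    search = (ber_str("") + tlv(0x0A, b"\x00") + tlv(0x0A, b"\x00")   # base "", scope base, never deref
              + tlv(0x02, b"\x00") * 2 + tlv(0x01, b"\x00")          # sizeLimit 0, timeLimit 0, typesOnly FALSE
              + flt + tlv(0x30, ber_str("Netlogon")))
    return tlv(0x30, tlv(0x02, bytes([msg_id])) + tlv(0x63, search))  # LDAPMessage{id, SearchRequest}

def ber_read(buf, pos=0):
    """Decode one TLV -> (tag, value, next_pos)."""
    tag, n, pos = buf[pos], buf[pos + 1], pos + 2
    if n & 0x80:
        k = n & 0x7F
        n, pos = int.from_bytes(buf[pos:pos + k], "big"), pos + k
    return tag, buf[pos:pos + n], pos + n

def netlogon_blob(ldap_msg):
    """Extract the Netlogon attribute value from a SearchResultEntry reply."""
    _, msg, _ = ber_read(ldap_msg)
    tag, entry, _ = ber_read(msg, ber_read(msg)[2])                   # skip messageID
    if tag != 0x64:
        raise ValueError("not a SearchResultEntry (tag 0x%02x)" % tag)
    _, attrs, _ = ber_read(entry, ber_read(entry)[2])                 # skip objectName
    p = 0
    while p < len(attrs):
        _, attr, p = ber_read(attrs, p)
        _, atype, q = ber_read(attr)
        if atype.lower() == b"netlogon":
            return ber_read(ber_read(attr, q)[1])[1]                  # first value in the SET
    raise ValueError("no Netlogon attribute in reply")

def read_name(buf, pos):
    """RFC 1035 label-compressed UTF-8 name -> (name, position after the field)."""
    labels, end = [], None
    while buf[pos]:
        n = buf[pos]
        if n & 0xC0 == 0xC0:                                          # pointer to an earlier name
            end, pos = (pos + 2 if end is None else end), ((n & 0x3F) << 8) | buf[pos + 1]
        else:
            labels.append(buf[pos + 1:pos + 1 + n].decode())
            pos += 1 + n
    return ".".join(labels), (pos + 1 if end is None else end)

def parse_netlogon_response(blob):
    opcode, _sbz, flags = struct.unpack_from("<HHI", blob, 0)
    if opcode != RESPONSE_EX_OPCODE:
        raise ValueError("unexpected opcode 0x%x" % opcode)
    info = {"flags": [name for bit, name in DS_FLAGS.items() if flags & bit],
            "domain_guid": str(uuid.UUID(bytes_le=blob[8:24]))}
    pos = 24
    for field in NAME_FIELDS:
        info[field], pos = read_name(blob, pos)
    info["nt_version"], info["lmnt_token"], info["lm20_token"] = struct.unpack_from("<IHH", blob, pos)
    return info

def ldap_ping(dc_ip, dns_domain, timeout=2.0):
    """Send the ping to UDP/389; None on timeout (Samba: 'ads_cldap_netlogon: did not get a reply')."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_ldap_ping(dns_domain), (dc_ip, 389))
        try:
            data, _ = s.recvfrom(4096)
        except socket.timeout:
            return None
    return parse_netlogon_response(netlogon_blob(data))

def build_sample_reply():
    """Constructed reply (not a capture): dc.addomain.com answering for addomain.com."""
    lab = lambda s: b"".join(bytes([len(l)]) + l.encode() for l in s.split(".") if l)
    blob = struct.pack("<HHI", RESPONSE_EX_OPCODE, 0, 0x1 | 0x4 | 0x8 | 0x10 | 0x20 | 0x100)
    blob += uuid.UUID("9e0f7a4c-3b1d-4c2e-8f6a-0123456789ab").bytes_le    # made-up domain GUID
    forest = len(blob)
    blob += lab("addomain.com") + b"\x00"                               # DnsForestName
    blob += struct.pack(">H", 0xC000 | forest)                          # DnsDomainName: pointer to it
    blob += lab("dc") + struct.pack(">H", 0xC000 | forest)              # DnsHostName: "dc" + pointer
    for n in ("ADDOMAIN", "DC", "", "Default-First-Site-Name", "Default-First-Site-Name"):
        blob += lab(n) + b"\x00"                # NetBIOS domain/host, UserName, DcSiteName, ClientSiteName
    blob += struct.pack("<IHH", NT_VERSION_5EX | 0x1, 0xFFFF, 0xFFFF)   # NtVersion, LmNtToken, Lm20Token
    entry = tlv(0x64, ber_str("") + tlv(0x30, tlv(0x30, ber_str("Netlogon") + tlv(0x31, ber_str(blob)))))
    return tlv(0x30, tlv(0x02, b"\x01") + entry)
```

`ldap_ping("172.19.1.10", "addomain.com")` returning `None` is the same symptom as the `ads_cldap_netlogon: did not get a reply` line in the log above. Because UDP is stateless, a filtered port and a host that never answers look identical from the client, so confirm with `tcpdump -n udp port 389` on the IPA host (and, if possible, on the DC) before concluding the DC is at fault.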
Re: [Freeipa-users] Can't establish trust with 2008 AD
lve_name: looking up IPADOMAIN#1c (sitename (null))
no entry for IPADOMAIN#1C found.
resolve_lmhosts: Attempting lmhosts lookup for name IPADOMAIN<0x1c>
resolve_lmhosts: Attempting lmhosts lookup for name IPADOMAIN<0x1c>
getlmhostsent: lmhost entry: 127.0.0.1 localhost
resolve_wins: WINS server resolution selected and no WINS servers listed.
resolve_hosts: not appropriate for name type <0x1c>
name_resolve_bcast: Attempting broadcast lookup for name IPADOMAIN<0x1c>
tstream_unix_connect failed: No such file or directory
nmbd not around
Adding 0 DC's from auto lookup
get_dc_list: no servers found
ads_connect: No logon servers
sitename_fetch: No stored sitename for IPADOMAIN
internal_resolve_name: looking up dc.addomain.com#20 (sitename (null))
name dc.addomain.com#20 found.
remove_duplicate_addrs2: looking for duplicate address/port pairs
ads_try_connect: sending CLDAP request to 172.19.1.10 (realm: (null))
ads_cldap_netlogon: did not get a reply
ads_try_connect: CLDAP request 172.19.1.10 failed.
sitename_fetch: No stored sitename for IPADOMAIN
ads_find_dc: (cldap) looking for domain 'IPADOMAIN'
get_sorted_dc_list: attempting lookup for name IPADOMAIN (sitename NULL)
saf_fetch: failed to find server for "IPADOMAIN" domain
get_dc_list: preferred server list: ", *"
internal_resolve_name: looking up IPADOMAIN#1c (sitename (null))
no entry for IPADOMAIN#1C found.
resolve_lmhosts: Attempting lmhosts lookup for name IPADOMAIN<0x1c>
resolve_lmhosts: Attempting lmhosts lookup for name IPADOMAIN<0x1c>
getlmhostsent: lmhost entry: 127.0.0.1 localhost
resolve_wins: WINS server resolution selected and no WINS servers listed.
resolve_hosts: not appropriate for name type <0x1c>
name_resolve_bcast: Attempting broadcast lookup for name IPADOMAIN<0x1c>
tstream_unix_connect failed: No such file or directory
nmbd not around
Adding 0 DC's from auto lookup
get_dc_list: no servers found
ads_connect: No logon servers
Didn't find the cldap server!
return code = -1

From: Alexander Bokovoy
To: pgb205
Cc: "freeipa-users@redhat.com"
Sent: Friday, June 10, 2016 1:58 AM
Subject: Re: [Freeipa-users] Can't establish trust with 2008 AD

On Fri, 10 Jun 2016, pgb205 wrote:
> The trust setup still results in
> Shared secret for the trust:: ERROR: CIFS server communication error: code "None", message "NT_STATUS_IO_TIMEOUT" (both may be "None")
> If you want I can provide with logs.
Can you show output of

net ads lookup -d 10 -S dc.addomain.com

-- 
/ Alexander Bokovoy
Re: [Freeipa-users] Can't establish trust with 2008 AD
On Fri, 10 Jun 2016, pgb205 wrote:
> The trust setup still results in
> Shared secret for the trust:: ERROR: CIFS server communication error: code "None", message "NT_STATUS_IO_TIMEOUT" (both may be "None")
> If you want I can provide with logs.
Can you show output of

net ads lookup -d 10 -S dc.addomain.com

-- 
/ Alexander Bokovoy
Re: [Freeipa-users] Can't establish trust with 2008 AD
Sorry about replying privately.

dig provides ipv4 addresses as expected. For example:

r...@ipaserver.ipadomain.com:~# dig SRV _ldap._tcp.addomain.com
#this is run on the FreeIPA where idm is installed as well as integrated DNS with the addomain.com stub zone that points to
#dc.addomain.com

;; QUESTION SECTION:
;_ldap._tcp.addomain.com.	IN	SRV

;; ANSWER SECTION:
_ldap._tcp.addomain.com.	86400	IN	SRV	0 100 389 dc.addomain.com.

;; AUTHORITY SECTION:
addomain.com.	86400	IN	NS	ipadomain.com

But just in case I have edited /etc/gai.conf with the following

label ::1/128 0
label ::/0 1
label 2002::/16 2
label ::/96 3
label :::0:0/96 4
precedence ::1/128 50
precedence ::/0 40
precedence 2002::/16 30
precedence ::/96 20
precedence :::0:0/96 100

and restarted ipa and dns
ipactl stop/start and rndc reload

The trust setup still results in
Shared secret for the trust:: ERROR: CIFS server communication error: code "None", message "NT_STATUS_IO_TIMEOUT" (both may be "None")

If you want I can provide with logs.

thanks for the help

From: Alexander Bokovoy
To: pgb205
Cc: freeipa-users@redhat.com
Sent: Friday, June 10, 2016 12:14 AM
Subject: Re: [Freeipa-users] Can't establish trust with 2008 AD

Please don't answer directly, use mailing list.

On Thu, 09 Jun 2016, pgb205 wrote:
> Alexander,
>
> As far as I can say ipv6 is enabled in the kernel, as the tutorial
> suggests, although none of the interfaces have ipv6 addresses.
>
> For example,
> ip a | grep inet6
> inet6 ::1/128 scope host
>
> and
> ip -6 address show
> 1: lo: mtu 65536
> inet6 ::1/128 scope host
>
> root@:~# cat /proc/sys/net/ipv6/conf/all/disable_ipv6
> 0
> root@:~# cat /proc/sys/net/ipv6/conf/default/disable_ipv6
> 0
Does any of your DNS servers respond with IPv6 addresses for AD DCs? glibc DNS resolver prefers IPv6 over IPv4 in the default configuration and if that happens, without IPv6 routes it becomes unreachable.

You can control how DNS resolver works with /etc/gai.conf (does not exist by default, see man page gai.conf for details) and can set IPv4 preference over IPv6 there, either globally or per host.

> From: Alexander Bokovoy
> To: pgb205
> Cc: "Freeipa-users@redhat.com"
> Sent: Thursday, June 9, 2016 4:30 PM
> Subject: Re: [Freeipa-users] Can't establish trust with 2008 AD
>
> On Thu, 09 Jun 2016, pgb205 wrote:
>> The setup is:
>> AD 2008 domain,
>> Latest version of FreeIpa with integrated DNS,
>> As the AD domain is not known to any DNS servers on the network I have created a stub zone in Freeipa integrated dns server addomain.com, and created A-record for DC.addomain.com as well as _ldap.tcp.addomain.com and _kerberos.udp.addomain.com and checked with dig that they resolve correctly,
>> 138/139/145/389 are opened between the servers on both tcp and udp ports
>> ipv6 enabled on the FreeIpa server.
>> I am using pre-shared secret to establish the trust
>>
>> Run:
>> ipa trust-add --type=ad addomain.com --trust-secret
>> and receive:
>> ipa: ERROR: CIFS server communication error: code "None", message "NT_STATUS_IO_TIMEOUT" (both may be "None")
>>
>> I've enabled the logs as described in debugging section (I would be glad to forward the whole thing if needed). However, relevant error that I see is:
>>
>> finddcs: DNS SRV response 0 at ''
>> finddcs: performing CLDAP query on
>> s4_tevent: Added timed event "tevent_req_timedout": 0x7f21302a8b10
>> s4_tevent: Schedule immediate event "tevent_req_trigger": 0x7f2130025090
>> s4_tevent: Run immediate event "tevent_req_trigger": 0x7f2130025090
>> s4_tevent: Added timed event "tevent_req_timedout": 0x7f213025cb90
>> s4_tevent: Running timer event 0x7f213025cb90 "tevent_req_timedout"
>> s4_tevent: Schedule immediate event "tevent_req_trigger": 0x7f2130045b50
>> s4_tevent: Ending timer event 0x7f213025cb90 "tevent_req_timedout"
>> s4_tevent: Run immediate event "tevent_req_trigger": 0x7f2130045b50
>> s4_tevent: Added timed event "tevent_req_timedout": 0x7f213025cb90
>> s4_tevent: Running timer event 0x7f213025cb90 "tevent_req_timedout"
>> s4_tevent: Schedule immediate event "tevent_req_trigger": 0x7f213001d230
>> s4_tevent: Ending timer event 0x7f213025cb90 "tevent_req_timedout"
>> s4_tevent: Run immediate event "tevent_req_trigger": 0x7f213001d230
>> s4_tevent: Added timed event "tevent_req_timedout": 0x7f213025cb90
>> s4_tevent: Running timer event 0x7f2130
Re: [Freeipa-users] Can't establish trust with 2008 AD
Please don't answer directly, use mailing list.

On Thu, 09 Jun 2016, pgb205 wrote:
> Alexander,
>
> As far as I can say ipv6 is enabled in the kernel, as the tutorial
> suggests, although none of the interfaces have ipv6 addresses.
>
> For example,
> ip a | grep inet6
> inet6 ::1/128 scope host
>
> and
> ip -6 address show
> 1: lo: mtu 65536
> inet6 ::1/128 scope host
>
> root@:~# cat /proc/sys/net/ipv6/conf/all/disable_ipv6
> 0
> root@:~# cat /proc/sys/net/ipv6/conf/default/disable_ipv6
> 0
Does any of your DNS servers respond with IPv6 addresses for AD DCs? glibc DNS resolver prefers IPv6 over IPv4 in the default configuration and if that happens, without IPv6 routes it becomes unreachable.

You can control how DNS resolver works with /etc/gai.conf (does not exist by default, see man page gai.conf for details) and can set IPv4 preference over IPv6 there, either globally or per host.

> From: Alexander Bokovoy
> To: pgb205
> Cc: "Freeipa-users@redhat.com"
> Sent: Thursday, June 9, 2016 4:30 PM
> Subject: Re: [Freeipa-users] Can't establish trust with 2008 AD
>
> On Thu, 09 Jun 2016, pgb205 wrote:
>> The setup is:
>> AD 2008 domain,
>> Latest version of FreeIpa with integrated DNS,
>> As the AD domain is not known to any DNS servers on the network I have created a stub zone in Freeipa integrated dns server addomain.com, and created A-record for DC.addomain.com as well as _ldap.tcp.addomain.com and _kerberos.udp.addomain.com and checked with dig that they resolve correctly,
>> 138/139/145/389 are opened between the servers on both tcp and udp ports
>> ipv6 enabled on the FreeIpa server.
>> I am using pre-shared secret to establish the trust
>>
>> Run:
>> ipa trust-add --type=ad addomain.com --trust-secret
>> and receive:
>> ipa: ERROR: CIFS server communication error: code "None", message "NT_STATUS_IO_TIMEOUT" (both may be "None")
>>
>> I've enabled the logs as described in debugging section (I would be glad to forward the whole thing if needed). However, relevant error that I see is:
>>
>> finddcs: DNS SRV response 0 at ''
>> finddcs: performing CLDAP query on
>> s4_tevent: Added timed event "tevent_req_timedout": 0x7f21302a8b10
>> s4_tevent: Schedule immediate event "tevent_req_trigger": 0x7f2130025090
>> s4_tevent: Run immediate event "tevent_req_trigger": 0x7f2130025090
>> s4_tevent: Added timed event "tevent_req_timedout": 0x7f213025cb90
>> s4_tevent: Running timer event 0x7f213025cb90 "tevent_req_timedout"
>> s4_tevent: Schedule immediate event "tevent_req_trigger": 0x7f2130045b50
>> s4_tevent: Ending timer event 0x7f213025cb90 "tevent_req_timedout"
>> s4_tevent: Run immediate event "tevent_req_trigger": 0x7f2130045b50
>> s4_tevent: Added timed event "tevent_req_timedout": 0x7f213025cb90
>> s4_tevent: Running timer event 0x7f213025cb90 "tevent_req_timedout"
>> s4_tevent: Schedule immediate event "tevent_req_trigger": 0x7f213001d230
>> s4_tevent: Ending timer event 0x7f213025cb90 "tevent_req_timedout"
>> s4_tevent: Run immediate event "tevent_req_trigger": 0x7f213001d230
>> s4_tevent: Added timed event "tevent_req_timedout": 0x7f213025cb90
>> s4_tevent: Running timer event 0x7f21302a8b10 "tevent_req_timedout"
>> s4_tevent: Destroying timer event 0x7f213025cb90 "tevent_req_timedout"
>> finddcs: No matching CLDAP server found
>> s4_tevent: Ending timer event 0x7f21302a8b10 "tevent_req_timedout"
>> [Thu Jun 09 20:39:38.703506 2016] [:error] [pid 2503] ipa: INFO: [jsonserver_session] admin@: trust_add(u'addomain.com', trust_type=u'ad', trust_secret=u'', all=False, raw=False, version=u'2.156'): RemoteRetrieveError
>>
>> Once again I would be glad to provide entire logs if needed. But would be grateful for suggestions on how to resolve the above error.
>
> Do you have IPv6 disabled?
> www.freeipa.org/page/Active_Directory_trust_setup#IPv6_stack_usage
>
> -- 
> / Alexander Bokovoy

-- 
/ Alexander Bokovoy
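Alexander's point about glibc's default preference, as an added illustration that is not part of the thread and is not glibc's code: a simplified model of RFC 6724 rule 6 ("prefer higher precedence"), which is the rule the `precedence` lines of /etc/gai.conf feed. glibc also applies reachability, scope, label and common-prefix rules before this one, so this is a model of why a precedence change reorders the candidates, not a reimplementation of getaddrinfo(). The IPv4 address 172.19.1.10 is the DC address from the thread; the AAAA value 2001:db8::10 is a made-up record (the dig output in the thread shows only IPv4), and `order_destinations()` is my helper name.

```python
# Simplified model of how glibc's getaddrinfo() orders the addresses a name resolves to:
# RFC 6724 rule 6 ("prefer higher precedence") driven by a gai.conf-style table.
# Added example, not glibc code; glibc applies reachability, scope, label and
# common-prefix rules as well, which are omitted here.
import ipaddress

# glibc's built-in table, used when /etc/gai.conf has no "precedence" lines
DEFAULT_PRECEDENCE = [("::1/128", 50), ("::/0", 40), ("2002::/16", 30),
                      ("::/96", 20), ("::ffff:0:0/96", 10)]

def parse_gai_conf(text):
    """Return [(prefix, value)] from gai.conf 'precedence' lines; the defaults if there are none."""
    table = []
    for line in text.splitlines():
        parts = line.split("#", 1)[0].split()
        if len(parts) == 3 and parts[0] == "precedence":
            table.append((parts[1], int(parts[2])))
    return table or DEFAULT_PRECEDENCE

def as_ipv6(addr):
    """The sort compares everything as IPv6; IPv4 becomes an IPv4-mapped ::ffff:a.b.c.d address."""
    a = ipaddress.ip_address(addr)
    return ipaddress.IPv6Address("::ffff:" + str(a)) if a.version == 4 else a

def precedence_of(addr, table=DEFAULT_PRECEDENCE):
    """Longest-prefix match of addr against the precedence table."""
    a, best = as_ipv6(addr), (-1, 0)
    for prefix, value in table:
        net = ipaddress.IPv6Network(prefix)
        if a in net and net.prefixlen > best[0]:
            best = (net.prefixlen, value)
    return best[1]

def order_destinations(addrs, table=DEFAULT_PRECEDENCE):
    """Order in which connect() would be attempted: highest precedence first (stable sort)."""
    return sorted(addrs, key=lambda x: -precedence_of(x, table))

# Constructed answers for a DC name: the thread's DC address plus a made-up AAAA record.
DC_ADDRS = ["172.19.1.10", "2001:db8::10"]
# The same table with IPv4-mapped addresses raised above everything else.
PREFER_IPV4 = parse_gai_conf("""
precedence ::1/128 50
precedence ::/0 40
precedence 2002::/16 30
precedence ::/96 20
precedence ::ffff:0:0/96 100
""")

if __name__ == "__main__":
    print("default table:", order_destinations(DC_ADDRS))             # IPv6 first
    print("IPv4 raised:  ", order_destinations(DC_ADDRS, PREFER_IPV4))  # IPv4 first
```

To see the order the real resolver produces on the IPA host, `getent ahosts dc.addomain.com` lists the addresses in getaddrinfo() order, which is a quicker check than re-running the trust setup after each gai.conf edit.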
Re: [Freeipa-users] Can't establish trust with 2008 AD
On Thu, 09 Jun 2016, pgb205 wrote:
> The setup is:
> AD 2008 domain,
> Latest version of FreeIpa with integrated DNS,
> As the AD domain is not known to any DNS servers on the network I have created a stub zone in Freeipa integrated dns server addomain.com, and created A-record for DC.addomain.com as well as _ldap.tcp.addomain.com and _kerberos.udp.addomain.com and checked with dig that they resolve correctly,
> 138/139/145/389 are opened between the servers on both tcp and udp ports
> ipv6 enabled on the FreeIpa server.
> I am using pre-shared secret to establish the trust
>
> Run:
> ipa trust-add --type=ad addomain.com --trust-secret
> and receive:
> ipa: ERROR: CIFS server communication error: code "None", message "NT_STATUS_IO_TIMEOUT" (both may be "None")
>
> I've enabled the logs as described in debugging section (I would be glad to forward the whole thing if needed). However, relevant error that I see is:
>
> finddcs: DNS SRV response 0 at ''
> finddcs: performing CLDAP query on
> s4_tevent: Added timed event "tevent_req_timedout": 0x7f21302a8b10
> s4_tevent: Schedule immediate event "tevent_req_trigger": 0x7f2130025090
> s4_tevent: Run immediate event "tevent_req_trigger": 0x7f2130025090
> s4_tevent: Added timed event "tevent_req_timedout": 0x7f213025cb90
> s4_tevent: Running timer event 0x7f213025cb90 "tevent_req_timedout"
> s4_tevent: Schedule immediate event "tevent_req_trigger": 0x7f2130045b50
> s4_tevent: Ending timer event 0x7f213025cb90 "tevent_req_timedout"
> s4_tevent: Run immediate event "tevent_req_trigger": 0x7f2130045b50
> s4_tevent: Added timed event "tevent_req_timedout": 0x7f213025cb90
> s4_tevent: Running timer event 0x7f213025cb90 "tevent_req_timedout"
> s4_tevent: Schedule immediate event "tevent_req_trigger": 0x7f213001d230
> s4_tevent: Ending timer event 0x7f213025cb90 "tevent_req_timedout"
> s4_tevent: Run immediate event "tevent_req_trigger": 0x7f213001d230
> s4_tevent: Added timed event "tevent_req_timedout": 0x7f213025cb90
> s4_tevent: Running timer event 0x7f21302a8b10 "tevent_req_timedout"
> s4_tevent: Destroying timer event 0x7f213025cb90 "tevent_req_timedout"
> finddcs: No matching CLDAP server found
> s4_tevent: Ending timer event 0x7f21302a8b10 "tevent_req_timedout"
> [Thu Jun 09 20:39:38.703506 2016] [:error] [pid 2503] ipa: INFO: [jsonserver_session] admin@: trust_add(u'addomain.com', trust_type=u'ad', trust_secret=u'', all=False, raw=False, version=u'2.156'): RemoteRetrieveError
>
> Once again I would be glad to provide entire logs if needed. But would be grateful for suggestions on how to resolve the above error.

Do you have IPv6 disabled?
www.freeipa.org/page/Active_Directory_trust_setup#IPv6_stack_usage

-- 
/ Alexander Bokovoy
[Freeipa-users] Can't establish trust with 2008 AD
The setup is:
AD 2008 domain,
Latest version of FreeIpa with integrated DNS,
As the AD domain is not known to any DNS servers on the network I have created a stub zone in Freeipa integrated dns server addomain.com, and created A-record for DC.addomain.com as well as _ldap.tcp.addomain.com and _kerberos.udp.addomain.com and checked with dig that they resolve correctly,
138/139/145/389 are opened between the servers on both tcp and udp ports
ipv6 enabled on the FreeIpa server.
I am using pre-shared secret to establish the trust

Run:
ipa trust-add --type=ad addomain.com --trust-secret
and receive:
ipa: ERROR: CIFS server communication error: code "None", message "NT_STATUS_IO_TIMEOUT" (both may be "None")

I've enabled the logs as described in debugging section (I would be glad to forward the whole thing if needed). However, relevant error that I see is:

finddcs: DNS SRV response 0 at ''
finddcs: performing CLDAP query on
s4_tevent: Added timed event "tevent_req_timedout": 0x7f21302a8b10
s4_tevent: Schedule immediate event "tevent_req_trigger": 0x7f2130025090
s4_tevent: Run immediate event "tevent_req_trigger": 0x7f2130025090
s4_tevent: Added timed event "tevent_req_timedout": 0x7f213025cb90
s4_tevent: Running timer event 0x7f213025cb90 "tevent_req_timedout"
s4_tevent: Schedule immediate event "tevent_req_trigger": 0x7f2130045b50
s4_tevent: Ending timer event 0x7f213025cb90 "tevent_req_timedout"
s4_tevent: Run immediate event "tevent_req_trigger": 0x7f2130045b50
s4_tevent: Added timed event "tevent_req_timedout": 0x7f213025cb90
s4_tevent: Running timer event 0x7f213025cb90 "tevent_req_timedout"
s4_tevent: Schedule immediate event "tevent_req_trigger": 0x7f213001d230
s4_tevent: Ending timer event 0x7f213025cb90 "tevent_req_timedout"
s4_tevent: Run immediate event "tevent_req_trigger": 0x7f213001d230
s4_tevent: Added timed event "tevent_req_timedout": 0x7f213025cb90
s4_tevent: Running timer event 0x7f21302a8b10 "tevent_req_timedout"
s4_tevent: Destroying timer event 0x7f213025cb90 "tevent_req_timedout"
finddcs: No matching CLDAP server found
s4_tevent: Ending timer event 0x7f21302a8b10 "tevent_req_timedout"
[Thu Jun 09 20:39:38.703506 2016] [:error] [pid 2503] ipa: INFO: [jsonserver_session] admin@: trust_add(u'addomain.com', trust_type=u'ad', trust_secret=u'', all=False, raw=False, version=u'2.156'): RemoteRetrieveError

Once again I would be glad to provide entire logs if needed. But would be grateful for suggestions on how to resolve the above error.