On Wed, 27 Jan 2016, Nathan Peters wrote:
I'm trying to create a trust with AD on FreeIPA 4.3.0 domain at domain level 1.
When I try through the CLI I get this error:
ipa: ERROR: communication with CIFS server was unsuccessful
When I try through the web UI I get:
IPA Error 4016: RemoteRetrieveError
Following debugging steps and setting loglevel to 100 gives a whole pile of
stuff that doesn't seem to indicate the actual cause of the failure.
It ends with these errors:
lsa_lsaRSetForestTrustInformation: struct lsa_lsaRSetForestTrustInformation
out: struct lsa_lsaRSetForestTrustInformation
collision_info : *
collision_info : NULL
result : NT_STATUS_INVALID_PARAMETER
rpc reply data:
[0000] 00 00 00 00 0D 00 00 C0 ........
lsa_QueryTrustedDomainInfoByName: struct lsa_QueryTrustedDomainInfoByName
in: struct lsa_QueryTrustedDomainInfoByName
handle : *
handle: struct policy_handle
handle_type : 0x00000000 (0)
uuid :
0000000d-0000-0000-a856-ba5c507f0000
trusted_domain : *
trusted_domain: struct lsa_String
length : 0x002c (44)
size : 0x002c (44)
string : *
string : 'office.mydomain.net'
level : LSA_TRUSTED_DOMAIN_INFO_FULL_INFO (8)
rpc request data:
lsa_QueryTrustedDomainInfoByName: struct lsa_QueryTrustedDomainInfoByName
out: struct lsa_QueryTrustedDomainInfoByName
info : *
info : NULL
result : NT_STATUS_OBJECT_NAME_NOT_FOUND
rpc reply data:
[0000] 00 00 00 00 34 00 00 C0 ....4...
lsa_CreateTrustedDomainEx2: struct lsa_CreateTrustedDomainEx2
in: struct lsa_CreateTrustedDomainEx2
policy_handle : *
policy_handle: struct policy_handle
handle_type : 0x00000000 (0)
uuid :
0000000d-0000-0000-a856-ba5c507f0000
info : *
info: struct lsa_TrustDomainInfoInfoEx
domain_name: struct lsa_StringLarge
length : 0x002c (44)
size : 0x002e (46)
string : *
string : 'office.mydomain.net'
netbios_name: struct lsa_StringLarge
length : 0x000c (12)
size : 0x000e (14)
string : *
string : 'OFFICE'
sid : *
sid :
S-1-5-21-3104402935-1443057687-1106712449
trust_direction : 0x00000001 (1)
1: LSA_TRUST_DIRECTION_INBOUND
0: LSA_TRUST_DIRECTION_OUTBOUND
trust_type : LSA_TRUST_TYPE_UPLEVEL (2)
trust_attributes : 0x00000000 (0)
0: LSA_TRUST_ATTRIBUTE_NON_TRANSITIVE
0: LSA_TRUST_ATTRIBUTE_UPLEVEL_ONLY
0: LSA_TRUST_ATTRIBUTE_QUARANTINED_DOMAIN
0: LSA_TRUST_ATTRIBUTE_FOREST_TRANSITIVE
0: LSA_TRUST_ATTRIBUTE_CROSS_ORGANIZATION
0: LSA_TRUST_ATTRIBUTE_WITHIN_FOREST
0: LSA_TRUST_ATTRIBUTE_TREAT_AS_EXTERNAL
0: LSA_TRUST_ATTRIBUTE_USES_RC4_ENCRYPTION
auth_info_internal : *
auth_info_internal: struct lsa_TrustDomainInfoAuthInfoInternal
auth_blob: struct lsa_DATA_BUF2
size : 0x00000440 (1088)
data : *
data: ARRAY(1088)
lsa_CreateTrustedDomainEx2: struct lsa_CreateTrustedDomainEx2
out: struct lsa_CreateTrustedDomainEx2
trustdom_handle : *
trustdom_handle: struct policy_handle
handle_type : 0x00000000 (0)
uuid :
00000000-0000-0000-0000-000000000000
result : NT_STATUS_UNSUCCESSFUL
rpc reply data:
[0000] 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ........ ........
[0010] 00 00 00 00 01 00 00 C0 ........
[Tue Jan 26 21:59:34.411382 2016] [wsgi:error] [pid 29762] ipa: INFO:
[jsonserver_kerb] ad...@dev-mydomain.net:
trust_add(u'office.mydomain.net', trust_type=u'ad',
realm_admin=u'Administrator', realm_passwd=u'********', all=False,
raw=False, version=u'2.163'): RemoteRetrieveError
I need to have a better picture of your AD topology. It is unclear why
the AD DC chosen for communication denies the trust creation request, but
there might be multiple reasons.
Unfortunately, I'll have no time for investigation until February 12th
or so.
--
/ Alexander Bokovoy