On Wed, 27 Jan 2016, Nathan Peters wrote:
I'm trying to create a trust with AD on FreeIPA 4.3.0 domain at domain level 1.

When I try through the CLI I get this error:
ipa: ERROR: communication with CIFS server was unsuccessful

When I try through the web UI I get:
IPA Error 4016: RemoteRetrieveError

Following debugging steps and setting loglevel to 100 gives a whole pile of 
stuff that doesn't seem to indicate the actual cause of the failure.

It ends with these errors:

    lsa_lsaRSetForestTrustInformation: struct lsa_lsaRSetForestTrustInformation
       out: struct lsa_lsaRSetForestTrustInformation
           collision_info           : *
               collision_info           : NULL
           result                   : NT_STATUS_INVALID_PARAMETER
rpc reply data:
[0000] 00 00 00 00 0D 00 00 C0                             ........
    lsa_QueryTrustedDomainInfoByName: struct lsa_QueryTrustedDomainInfoByName
       in: struct lsa_QueryTrustedDomainInfoByName
           handle                   : *
               handle: struct policy_handle
                  handle_type              : 0x00000000 (0)
                   uuid                     : 0000000d-0000-0000-a856-ba5c507f0000
           trusted_domain           : *
               trusted_domain: struct lsa_String
                   length                   : 0x002c (44)
                   size                     : 0x002c (44)
                   string                   : *
                       string                   : 'office.mydomain.net'
           level                    : LSA_TRUSTED_DOMAIN_INFO_FULL_INFO (8)
rpc request data:

    lsa_QueryTrustedDomainInfoByName: struct lsa_QueryTrustedDomainInfoByName
       out: struct lsa_QueryTrustedDomainInfoByName
           info                     : *
               info                     : NULL
           result                   : NT_STATUS_OBJECT_NAME_NOT_FOUND
rpc reply data:
[0000] 00 00 00 00 34 00 00 C0                             ....4...
    lsa_CreateTrustedDomainEx2: struct lsa_CreateTrustedDomainEx2
       in: struct lsa_CreateTrustedDomainEx2
           policy_handle            : *
               policy_handle: struct policy_handle
                   handle_type              : 0x00000000 (0)
                   uuid                     : 0000000d-0000-0000-a856-ba5c507f0000
           info                     : *
               info: struct lsa_TrustDomainInfoInfoEx
                   domain_name: struct lsa_StringLarge
                       length                   : 0x002c (44)
                       size                     : 0x002e (46)
                       string                   : *
                           string                   : 'office.mydomain.net'
                   netbios_name: struct lsa_StringLarge
                       length                   : 0x000c (12)
                       size                     : 0x000e (14)
                       string                   : *
                           string                   : 'OFFICE'
                   sid                      : *
                       sid                      : S-1-5-21-3104402935-1443057687-1106712449
                   trust_direction          : 0x00000001 (1)
                          1: LSA_TRUST_DIRECTION_INBOUND
                          0: LSA_TRUST_DIRECTION_OUTBOUND
                   trust_type               : LSA_TRUST_TYPE_UPLEVEL (2)
                   trust_attributes         : 0x00000000 (0)
                          0: LSA_TRUST_ATTRIBUTE_NON_TRANSITIVE
                          0: LSA_TRUST_ATTRIBUTE_UPLEVEL_ONLY
                          0: LSA_TRUST_ATTRIBUTE_QUARANTINED_DOMAIN
                          0: LSA_TRUST_ATTRIBUTE_FOREST_TRANSITIVE
                          0: LSA_TRUST_ATTRIBUTE_CROSS_ORGANIZATION
                          0: LSA_TRUST_ATTRIBUTE_WITHIN_FOREST
                          0: LSA_TRUST_ATTRIBUTE_TREAT_AS_EXTERNAL
                          0: LSA_TRUST_ATTRIBUTE_USES_RC4_ENCRYPTION
           auth_info_internal       : *
               auth_info_internal: struct lsa_TrustDomainInfoAuthInfoInternal
                   auth_blob: struct lsa_DATA_BUF2
                       size                     : 0x00000440 (1088)
                       data                     : *
                           data: ARRAY(1088)



    lsa_CreateTrustedDomainEx2: struct lsa_CreateTrustedDomainEx2
       out: struct lsa_CreateTrustedDomainEx2
           trustdom_handle          : *
               trustdom_handle: struct policy_handle
                   handle_type              : 0x00000000 (0)
                   uuid                     : 00000000-0000-0000-0000-000000000000
           result                   : NT_STATUS_UNSUCCESSFUL
rpc reply data:
[0000] 00 00 00 00 00 00 00 00   00 00 00 00 00 00 00 00   ........ ........
[0010] 00 00 00 00 01 00 00 C0                             ........
[Tue Jan 26 21:59:34.411382 2016] [wsgi:error] [pid 29762] ipa: INFO: [jsonserver_kerb] ad...@dev-mydomain.net: trust_add(u'office.mydomain.net', trust_type=u'ad', realm_admin=u'Administrator', realm_passwd=u'********', all=False, raw=False, version=u'2.163'): RemoteRetrieveError

I need to have a better picture of your AD topology. It is unclear why
AD DC chosen for communication denies trust creation request but there
might be multiple reasons.

Unfortunately, I'll have no time for investigation until February 12th
or so.

--
/ Alexander Bokovoy
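
An added example, not part of the original thread and not FreeIPA or Samba code: a small triage script that reduces a level-100 debug dump like the one quoted above to one line per RPC reply, and cross-checks the logged status name against the NTSTATUS carried in the last four bytes of the `rpc reply data` hex dump. The function and variable names are made up for illustration, and the sample is an excerpt of the log in this message.

```python
import re
# NTSTATUS codes for the three status names that appear in this log.
NTSTATUS = {0xC0000001: "NT_STATUS_UNSUCCESSFUL",
            0xC000000D: "NT_STATUS_INVALID_PARAMETER",
            0xC0000034: "NT_STATUS_OBJECT_NAME_NOT_FOUND"}
CALL_RE = re.compile(r"^(\w+): struct (\w+)$")
RESULT_RE = re.compile(r"^result\s*:\s*(\w+)")
# Hex-dump row "[0000] 00 00 ... ASCII": two hex digits plus whitespace per byte.
HEX_RE = re.compile(r"^\[[0-9A-Fa-f]{4}\]\s((?:[0-9A-Fa-f]{2}(?:\s+|$)){1,16})")

# Excerpt of the log above, trimmed to the lines the parser reads.
SAMPLE_LOG = """\
    lsa_QueryTrustedDomainInfoByName: struct lsa_QueryTrustedDomainInfoByName
       in: struct lsa_QueryTrustedDomainInfoByName
rpc request data:
    lsa_QueryTrustedDomainInfoByName: struct lsa_QueryTrustedDomainInfoByName
       out: struct lsa_QueryTrustedDomainInfoByName
           result                   : NT_STATUS_OBJECT_NAME_NOT_FOUND
rpc reply data:
[0000] 00 00 00 00 34 00 00 C0                             ....4...
    lsa_CreateTrustedDomainEx2: struct lsa_CreateTrustedDomainEx2
       out: struct lsa_CreateTrustedDomainEx2
           result                   : NT_STATUS_UNSUCCESSFUL
rpc reply data:
[0000] 00 00 00 00 00 00 00 00   00 00 00 00 00 00 00 00   ........ ........
[0010] 00 00 00 00 01 00 00 C0                             ........
"""

def wire_status(stub):  # return value = last 4 reply bytes, little-endian
    code = int.from_bytes(stub[-4:], "little")
    return NTSTATUS.get(code, "0x%08X" % code)

def summarize_rpc_results(log_text):
    """Return [(call, logged_status, wire_status)] for each 'out:' dump."""
    rows, cur = [], None          # cur = [call, logged status, reply bytes]
    for raw in log_text.splitlines():
        line = raw.strip()
        m = CALL_RE.match(line)
        if m and m.group(1) == m.group(2):        # header of a new dump
            cur = None
        elif line.startswith("out: struct "):
            rows.append(cur := [line.split()[-1], None, None])
        elif cur and RESULT_RE.match(line):
            cur[1] = RESULT_RE.match(line).group(1)
        elif cur and line == "rpc reply data:":
            cur[2] = b""
        elif cur and cur[2] is not None and HEX_RE.match(line):
            cur[2] += bytes.fromhex(HEX_RE.match(line).group(1))
    return [(c, s, wire_status(b) if b and len(b) >= 4 else None) for c, s, b in rows]
```

Run over the full dump, the last row is the call whose failure surfaces as `RemoteRetrieveError`; a mismatch between the second and third field would point at a truncated or interleaved log rather than at the server.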
