Re: [Freeipa-users] ipa trust-add using password

2016-09-19 Thread Troels Hansen

> If you add 'log level = 50' to /usr/share/ipa/smb.conf.empty, then
> /var/log/httpd/error_log will contain detailed debug information from
> IPA attempts to talk to AD DCs.
> 
> --
> / Alexander Bokovoy


Hi Alexander

I added the log level, and had the domain admin try to create the trust, and 
today it just worked, soo...   not any further on finding out what went wrong 
last week, but the trust got created so not going to spend more time on this.

Anyway, thanks for the help. I have made a mental note on debugging IPA-AD 
trust creation.

-- 
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project


Re: [Freeipa-users] ipa trust-add using password

2016-09-16 Thread Alexander Bokovoy

On Fri, 16 Sep 2016, Troels Hansen wrote:

> Hi, we are having some issues creating an IPA-AD trust, using password, and not 
> shared secret, because of the error where name routing is not getting created on 
> AD if using shared secret.
> 
> We have an AD domain tree with a top level domain and a domain below that where 
> the users are located. We try to join the top level domain as a trust exists 
> between those two domains.
> 
> Everything worked in our test setup, where we joined using a shared secret.
> 
> We try to join our AD using this command:
> ipa trust-add  --type=ad --admin  @ 
> --password
> 
> However, we receive one of these two error messages:
> 
> ipa: ERROR: CIFS server communication error: code "- 1073741712 ",
> message "Invalid workstation" (both may be "None")
> 
> ipa: ERROR: AD domain controller complains about communication
> sequence. It may mean unsynchronized time on both sides, for example
> 
> I think the first message was caused by some login restrictions on the user 
> used to join, as it seems we don't receive that error message anymore, and we 
> receive the second error every time we try to join.
> 
> We have tried pointing it to a specific server with the "--server" option, but 
> that didn't change anything.


If you add 'log level = 50' to /usr/share/ipa/smb.conf.empty, then
/var/log/httpd/error_log will contain detailed debug information from
IPA attempts to talk to AD DCs.

--
/ Alexander Bokovoy
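
The numeric code in the first error quoted in this thread is an NTSTATUS value printed as a signed 32-bit decimal; the following added example (not from the thread or from FreeIPA's own code) converts it to the hex form used in Microsoft's NTSTATUS tables and splits out the bit fields. The function names are hypothetical, and the two sample strings are the error texts as quoted above.

```python
import re

# Error texts as quoted in the thread (line break and stray spaces kept).
SAMPLE_WITH_CODE = (
    'ipa: ERROR: CIFS server communication error: code "- 1073741712 ",\n'
    'message "Invalid workstation" (both may be "None")'
)
SAMPLE_WITHOUT_CODE = (
    "ipa: ERROR: AD domain controller complains about communication\n"
    "sequence. It may mean unsynchronized time on both sides, for example"
)

# Tolerates whitespace inside the quotes and a line break before "message".
ERROR_RE = re.compile(
    r'CIFS server communication error:\s*code\s*"\s*(-?)\s*(\d+)\s*",\s*'
    r'message\s*"([^"]*)"'
)

SEVERITY = {0: "success", 1: "informational", 2: "warning", 3: "error"}


def decode_ntstatus(signed_code):
    """Split a signed 32-bit code into the NTSTATUS bit fields."""
    value = signed_code & 0xFFFFFFFF  # two's complement -> unsigned
    return {
        "hex": "0x%08X" % value,
        "severity": SEVERITY[value >> 30],      # bits 31-30
        "customer": bool(value & 0x20000000),   # bit 29
        "facility": (value >> 16) & 0x0FFF,     # bits 27-16
        "code": value & 0xFFFF,                 # bits 15-0
    }


def parse_ipa_error(text):
    """Return (message, decoded fields), or None when no numeric code is present."""
    match = ERROR_RE.search(text)
    if match is None:
        return None  # e.g. code "None", or an error text that carries no code
    signed = int(match.group(1) + match.group(2))
    return match.group(3), decode_ntstatus(signed)


if __name__ == "__main__":
    for sample in (SAMPLE_WITH_CODE, SAMPLE_WITHOUT_CODE):
        print(parse_ipa_error(sample))
```

For the quoted error this yields 0xC0000070, which Microsoft's NTSTATUS list names STATUS_INVALID_WORKSTATION (the account is restricted from logging on from the source workstation).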
