[Freeipa-devel] [PATCH] 0150: make sure SID is always returned as unicode from dcerpc.py
Martin Kosek
mkosek at redhat.com
Wed Mar 12 16:42:13 UTC 2014
On 03/12/2014 04:56 PM, Alexander Bokovoy wrote:
> Hi,
>
> Trusted domain SID could be obtained through different means. When it is
> fetched from the AD DC via LDAP, it needs to be extracted from a default
> context and explicitly converted to unicode.
>
> https://fedorahosted.org/freeipa/ticket/4246
This only works for ADs without subdomains. When there are subdomains, AD does
not allow us to retrieve them and command fails right after creating the truyst
trust object:
# echo Secret123 | ipa trust-add tbad.example.com --trust-secretipa: ERROR: AD
domain controller complains about communication sequence. It may mean
unsynchronized time on both sides, for example
# ipa trust-fetch-domains tbad.example.com
ipa: ERROR: AD domain controller complains about communication sequence. It may
mean unsynchronized time on both sides, for example
When I refreshed FreeIPA domains on AD said, it started working again:
# ipa trust-fetch-domains tbad.example.com
--------------------------------------------
List of trust domains successfully refreshed
--------------------------------------------
Realm name: child.tbad.example.com
Domain NetBIOS name: CHILD
Domain Security Identifier: S-1-5-21-972585150-1048339146-1910910075
----------------------------
Number of entries returned 1
----------------------------
Martin
More information about the Freeipa-devel
mailing list