<html xmlns:v="urn:schemas-microsoft-com:vml" xmlns:o="urn:schemas-microsoft-com:office:office" xmlns:w="urn:schemas-microsoft-com:office:word" xmlns:m="http://schemas.microsoft.com/office/2004/12/omml" xmlns="http://www.w3.org/TR/REC-html40">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=us-ascii">
<meta name="Generator" content="Microsoft Word 14 (filtered medium)">
<style><!--
/* Font Definitions */
@font-face
{font-family:Calibri;
panose-1:2 15 5 2 2 2 4 3 2 4;}
/* Style Definitions */
p.MsoNormal, li.MsoNormal, div.MsoNormal
{margin:0in;
margin-bottom:.0001pt;
font-size:11.0pt;
font-family:"Calibri","sans-serif";}
a:link, span.MsoHyperlink
{mso-style-priority:99;
color:blue;
text-decoration:underline;}
a:visited, span.MsoHyperlinkFollowed
{mso-style-priority:99;
color:purple;
text-decoration:underline;}
span.EmailStyle17
{mso-style-type:personal-compose;
font-family:"Calibri","sans-serif";
color:windowtext;}
.MsoChpDefault
{mso-style-type:export-only;
font-family:"Calibri","sans-serif";}
@page WordSection1
{size:8.5in 11.0in;
margin:1.0in 1.0in 1.0in 1.0in;}
div.WordSection1
{page:WordSection1;}
--></style><!--[if gte mso 9]><xml>
<o:shapedefaults v:ext="edit" spidmax="1026" />
</xml><![endif]--><!--[if gte mso 9]><xml>
<o:shapelayout v:ext="edit">
<o:idmap v:ext="edit" data="1" />
</o:shapelayout></xml><![endif]-->
</head>
<body lang="EN-US" link="blue" vlink="purple">
<div class="WordSection1">
<p class="MsoNormal">I'm trying to set up a trust between IPA and Active Directory, and it keeps failing. The problem is the same as this one (https://www.redhat.com/archives/freeipa-users/2014-April/msg00039.html), but the solution is not. In that case, it
was solved by enabling IPv6 in the kernel, and in this case IPv6 is already enabled.<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">Here's what happens:<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal"># ipa trust-add --type=ad example.com<o:p></o:p></p>
<p class="MsoNormal">ipa: ERROR: Cannot find specified domain or server name<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">It looks like a DNS problem, and all the suggestions I've seen point to DNS, but from everything I can see, DNS appears to be working. I have the IPA domain set up as a subdomain (csns.example.com) of the AD domain (example.com). Our AD
domain controllers are NOT set up as DNS servers -- we have external, independent DNS servers for that. (Could that be part of the problem?) I am running bind on the IPA server (which is running RHEL6), because all the documentation was written that way. It
is set up as a delegation subdomain of our main domain.<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">From the IPA server, dig finds the AD domain controllers:<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal"># dig SRV _ldap._tcp.example.com<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">; <<>> DiG 9.8.2rc1-RedHat-9.8.2-0.30.rc1.el6_6.1 <<>> SRV _ldap._tcp.example.com<o:p></o:p></p>
<p class="MsoNormal">;; global options: +cmd<o:p></o:p></p>
<p class="MsoNormal">;; Got answer:<o:p></o:p></p>
<p class="MsoNormal">;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 8858<o:p></o:p></p>
<p class="MsoNormal">;; flags: qr rd ra; QUERY: 1, ANSWER: 6, AUTHORITY: 13, ADDITIONAL: 0<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">;; QUESTION SECTION:<o:p></o:p></p>
<p class="MsoNormal">;_ldap._tcp.example.com. IN SRV<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">;; ANSWER SECTION:<o:p></o:p></p>
<p class="MsoNormal">_ldap._tcp.example.com. 600 IN SRV 0 100 389 dc1.example.com.<o:p></o:p></p>
<p class="MsoNormal">_ldap._tcp.example.com. 600 IN SRV 0 100 389 dc2.example.com.<o:p></o:p></p>
<p class="MsoNormal">_ldap._tcp.example.com. 600 IN SRV 0 100 389 dc3.example.com.<o:p></o:p></p>
<p class="MsoNormal">_ldap._tcp.example.com. 600 IN SRV 0 100 389 dc4.example.com.<o:p></o:p></p>
<p class="MsoNormal">_ldap._tcp.example.com. 600 IN SRV 0 100 389 dc5.example.com.<o:p></o:p></p>
<p class="MsoNormal">_ldap._tcp.example.com. 600 IN SRV 0 100 389 dc6.example.com.<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">;; AUTHORITY SECTION:<o:p></o:p></p>
<p class="MsoNormal">. 407417 IN NS b.root-servers.net.<o:p></o:p></p>
<p class="MsoNormal">. 407417 IN NS a.root-servers.net.<o:p></o:p></p>
<p class="MsoNormal">. 407417 IN NS h.root-servers.net.<o:p></o:p></p>
<p class="MsoNormal">. 407417 IN NS f.root-servers.net.<o:p></o:p></p>
<p class="MsoNormal">. 407417 IN NS m.root-servers.net.<o:p></o:p></p>
<p class="MsoNormal">. 407417 IN NS k.root-servers.net.<o:p></o:p></p>
<p class="MsoNormal">. 407417 IN NS l.root-servers.net.<o:p></o:p></p>
<p class="MsoNormal">. 407417 IN NS g.root-servers.net.<o:p></o:p></p>
<p class="MsoNormal">. 407417 IN NS e.root-servers.net.<o:p></o:p></p>
<p class="MsoNormal">. 407417 IN NS j.root-servers.net.<o:p></o:p></p>
<p class="MsoNormal">. 407417 IN NS i.root-servers.net.<o:p></o:p></p>
<p class="MsoNormal">. 407417 IN NS d.root-servers.net.<o:p></o:p></p>
<p class="MsoNormal">. 407417 IN NS c.root-servers.net.<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">;; Query time: 2 msec<o:p></o:p></p>
<p class="MsoNormal">;; SERVER: 140.233.1.7#53(140.233.1.7)<o:p></o:p></p>
<p class="MsoNormal">;; WHEN: Thu Feb 5 16:38:22 2015<o:p></o:p></p>
<p class="MsoNormal">;; MSG SIZE rcvd: 503<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">And, with nslookup, I can do name lookups on the domain controllers and the DNS servers, and they all find the appropriate IP address. It all works the other way, too. From the domain controllers I can do nslookup on the IPA server. In
fact, every nslookup or ping command I do on any hostname from anyway all works -- it's only the ipa trust-add command that's failing.<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">I've set log level to 100 in /usr/share/ipa/smb.conf.empty, and here's the output in /var/log/httpd/error_log:<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">lpcfg_load: refreshing parameters from /usr/share/ipa/smb.conf.empty<o:p></o:p></p>
<p class="MsoNormal">params.c:pm_process() - Processing configuration file "/usr/share/ipa/smb.conf.empty"<o:p></o:p></p>
<p class="MsoNormal">Processing section "[global]"<o:p></o:p></p>
<p class="MsoNormal">INFO: Current debug levels:<o:p></o:p></p>
<p class="MsoNormal"> all: 100<o:p></o:p></p>
<p class="MsoNormal"> tdb: 100<o:p></o:p></p>
<p class="MsoNormal"> printdrivers: 100<o:p></o:p></p>
<p class="MsoNormal"> lanman: 100<o:p></o:p></p>
<p class="MsoNormal"> smb: 100<o:p></o:p></p>
<p class="MsoNormal"> rpc_parse: 100<o:p></o:p></p>
<p class="MsoNormal"> rpc_srv: 100<o:p></o:p></p>
<p class="MsoNormal"> rpc_cli: 100<o:p></o:p></p>
<p class="MsoNormal"> passdb: 100<o:p></o:p></p>
<p class="MsoNormal"> sam: 100<o:p></o:p></p>
<p class="MsoNormal"> auth: 100<o:p></o:p></p>
<p class="MsoNormal"> winbind: 100<o:p></o:p></p>
<p class="MsoNormal"> vfs: 100<o:p></o:p></p>
<p class="MsoNormal"> idmap: 100<o:p></o:p></p>
<p class="MsoNormal"> quota: 100<o:p></o:p></p>
<p class="MsoNormal"> acls: 100<o:p></o:p></p>
<p class="MsoNormal"> locking: 100<o:p></o:p></p>
<p class="MsoNormal"> msdfs: 100<o:p></o:p></p>
<p class="MsoNormal"> dmapi: 100<o:p></o:p></p>
<p class="MsoNormal"> registry: 100<o:p></o:p></p>
<p class="MsoNormal">pm_process() returned Yes<o:p></o:p></p>
<p class="MsoNormal">Using binding ncacn_np:civet.csns.example.com[,]<o:p></o:p></p>
<p class="MsoNormal">tevent: Added timed event "dcerpc_connect_timeout_handler": 0x7f22f41eeb60<o:p></o:p></p>
<p class="MsoNormal">tevent: Added timed event "composite_trigger": 0x7f22f403d270<o:p></o:p></p>
<p class="MsoNormal">tevent: Added timed event "composite_trigger": 0x7f22f41efdc0<o:p></o:p></p>
<p class="MsoNormal">tevent: Running timer event 0x7f22f403d270 "composite_trigger"<o:p></o:p></p>
<p class="MsoNormal">tevent: Destroying timer event 0x7f22f41efdc0 "composite_trigger"<o:p></o:p></p>
<p class="MsoNormal">Mapped to DCERPC endpoint \pipe\lsarpc<o:p></o:p></p>
<p class="MsoNormal">added interface eth0 ip=140.233.1.7 bcast=140.233.1.255 netmask=255.255.255.0<o:p></o:p></p>
<p class="MsoNormal">added interface eth0 ip=140.233.1.7 bcast=140.233.1.255 netmask=255.255.255.0<o:p></o:p></p>
<p class="MsoNormal">tevent: Ending timer event 0x7f22f403d270 "composite_trigger"<o:p></o:p></p>
<p class="MsoNormal">tevent: Added timed event "connect_multi_timer": 0x7f22f4136d60<o:p></o:p></p>
<p class="MsoNormal">tevent: Schedule immediate event "tevent_req_trigger": 0x7f22f4137690<o:p></o:p></p>
<p class="MsoNormal">tevent: Run immediate event "tevent_req_trigger": 0x7f22f4137690<o:p></o:p></p>
<p class="MsoNormal">tevent: Destroying timer event 0x7f22f4136d60 "connect_multi_timer"<o:p></o:p></p>
<p class="MsoNormal">Socket options:<o:p></o:p></p>
<p class="MsoNormal"> SO_KEEPALIVE = 0<o:p></o:p></p>
<p class="MsoNormal"> SO_REUSEADDR = 0<o:p></o:p></p>
<p class="MsoNormal"> SO_BROADCAST = 0<o:p></o:p></p>
<p class="MsoNormal"> TCP_NODELAY = 1<o:p></o:p></p>
<p class="MsoNormal"> TCP_KEEPCNT = 9<o:p></o:p></p>
<p class="MsoNormal"> TCP_KEEPIDLE = 7200<o:p></o:p></p>
<p class="MsoNormal"> TCP_KEEPINTVL = 75<o:p></o:p></p>
<p class="MsoNormal"> IPTOS_LOWDELAY = 0<o:p></o:p></p>
<p class="MsoNormal"> IPTOS_THROUGHPUT = 0<o:p></o:p></p>
<p class="MsoNormal"> SO_REUSEPORT = 0<o:p></o:p></p>
<p class="MsoNormal"> SO_SNDBUF = 660150<o:p></o:p></p>
<p class="MsoNormal"> SO_RCVBUF = 174758<o:p></o:p></p>
<p class="MsoNormal"> SO_SNDLOWAT = 1<o:p></o:p></p>
<p class="MsoNormal"> SO_RCVLOWAT = 1<o:p></o:p></p>
<p class="MsoNormal"> SO_SNDTIMEO = 0<o:p></o:p></p>
<p class="MsoNormal"> SO_RCVTIMEO = 0<o:p></o:p></p>
<p class="MsoNormal"> TCP_QUICKACK = 1<o:p></o:p></p>
<p class="MsoNormal"> TCP_DEFER_ACCEPT = 0<o:p></o:p></p>
<p class="MsoNormal">tevent: Added timed event "tevent_req_timedout": 0x7f22f403f580<o:p></o:p></p>
<p class="MsoNormal">tevent: Schedule immediate event "tevent_queue_immediate_trigger": 0x7f22f425aee0<o:p></o:p></p>
<p class="MsoNormal">tevent: Run immediate event "tevent_queue_immediate_trigger": 0x7f22f425aee0<o:p></o:p></p>
<p class="MsoNormal">tevent: Destroying timer event 0x7f22f403f580 "tevent_req_timedout"<o:p></o:p></p>
<p class="MsoNormal">Starting GENSEC mechanism spnego<o:p></o:p></p>
<p class="MsoNormal">Starting GENSEC submechanism gssapi_krb5<o:p></o:p></p>
<p class="MsoNormal">Ticket in credentials cache for admin@CSNS.EXAMPLE.COM will expire in 86371 secs<o:p></o:p></p>
<p class="MsoNormal">tevent: Added timed event "tevent_req_timedout": 0x7f22f42c2dd0<o:p></o:p></p>
<p class="MsoNormal">tevent: Schedule immediate event "tevent_queue_immediate_trigger": 0x7f22f425aee0<o:p></o:p></p>
<p class="MsoNormal">tevent: Run immediate event "tevent_queue_immediate_trigger": 0x7f22f425aee0<o:p></o:p></p>
<p class="MsoNormal">tevent: Destroying timer event 0x7f22f42c2dd0 "tevent_req_timedout"<o:p></o:p></p>
<p class="MsoNormal">gensec_gssapi: NO credentials were delegated<o:p></o:p></p>
<p class="MsoNormal">GSSAPI Connection will be cryptographically sealed<o:p></o:p></p>
<p class="MsoNormal">tevent: Added timed event "tevent_req_timedout": 0x7f22f4041110<o:p></o:p></p>
<p class="MsoNormal">tevent: Schedule immediate event "tevent_queue_immediate_trigger": 0x7f22f425aee0<o:p></o:p></p>
<p class="MsoNormal">tevent: Run immediate event "tevent_queue_immediate_trigger": 0x7f22f425aee0<o:p></o:p></p>
<p class="MsoNormal">tevent: Destroying timer event 0x7f22f4041110 "tevent_req_timedout"<o:p></o:p></p>
<p class="MsoNormal">tevent: Added timed event "tevent_req_timedout": 0x7f22f431dbd0<o:p></o:p></p>
<p class="MsoNormal">tevent: Schedule immediate event "tevent_queue_immediate_trigger": 0x7f22f425aee0<o:p></o:p></p>
<p class="MsoNormal">tevent: Run immediate event "tevent_queue_immediate_trigger": 0x7f22f425aee0<o:p></o:p></p>
<p class="MsoNormal">tevent: Destroying timer event 0x7f22f431dbd0 "tevent_req_timedout"<o:p></o:p></p>
<p class="MsoNormal">tevent: Destroying timer event 0x7f22f41eeb60 "dcerpc_connect_timeout_handler"<o:p></o:p></p>
<p class="MsoNormal">[Thu Feb 05 16:50:18 2015] [error] ipa: INFO: admin@CSNS.EXAMPLE.COM: trust_add(u'example.com', trust_type=u'ad', range_size=200000, all=False, raw=False, version=u'2.49'): NotFound<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">What am I missing?<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">Thanks,<o:p></o:p></p>
<p class="MsoNormal"><span style="color:#1F497D"><o:p> </o:p></span></p>
<p class="MsoNormal"><span style="color:#1F497D">David Guertin<o:p></o:p></span></p>
<p class="MsoNormal"><span style="color:#1F497D">Information Technology Services<o:p></o:p></span></p>
<p class="MsoNormal"><span style="color:#1F497D">Middlebury College<o:p></o:p></span></p>
<p class="MsoNormal"><span style="color:#1F497D">Middlebury, VT 05753 USA<o:p></o:p></span></p>
<p class="MsoNormal"><o:p> </o:p></p>
</div>
</body>
</html>