<div dir="ltr"><div><br></div><div class="gmail_extra"><br><div class="gmail_quote">2015-02-27 11:36 GMT+02:00 Alexander Bokovoy <span dir="ltr"><<a href="mailto:abokovoy@redhat.com" target="_blank">abokovoy@redhat.com</a>></span>:<br><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left-width:1px;border-left-color:rgb(204,204,204);border-left-style:solid;padding-left:1ex"><div class=""><div class="h5">On Fri, 27 Feb 2015, mete bilgin wrote:<br>
<blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left-width:1px;border-left-color:rgb(204,204,204);border-left-style:solid;padding-left:1ex">
2015-02-27 11:05 GMT+02:00 Martin Kosek <<a href="mailto:mkosek@redhat.com" target="_blank">mkosek@redhat.com</a>>:<br>
<br>
<blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left-width:1px;border-left-color:rgb(204,204,204);border-left-style:solid;padding-left:1ex">
On 02/27/2015 10:01 AM, mete bilgin wrote:<br>
<br>
<blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left-width:1px;border-left-color:rgb(204,204,204);border-left-style:solid;padding-left:1ex">
<br>
2015-02-27 10:45 GMT+02:00 Martin Kosek <<a href="mailto:mkosek@redhat.com" target="_blank">mkosek@redhat.com</a>>:<br>
<br>
On 02/27/2015 09:39 AM, mete bilgin wrote:<br>
<br>
<br>
<br>
2015-02-27 10:33 GMT+02:00 Martin Kosek <<a href="mailto:mkosek@redhat.com" target="_blank">mkosek@redhat.com</a>>:<br>
<br>
On 02/27/2015 09:30 AM, mete bilgin wrote:<br>
<br>
Hello,<br>
<br>
I'm trying to install ipa-server with trust (Win 2008R2). trustdomain-find will work, but when I try trust-fetch-domains, "ipa: ERROR: AD domain controller complains about communication sequence. It may mean unsynchronized time on both sides, for example" is returned. Force to reinstall adtrust. Do you have any idea where the problem is?<br>
<br>
<br>
You have probably done that, but did you indeed verify that the time on both your IPA server and AD are the same?<br>
<br>
<a href="http://www.freeipa.org/page/Howto/IPAv3_AD_trust_setup#Date.2Ftime_settings" target="_blank">http://www.freeipa.org/page/Howto/IPAv3_AD_trust_setup#Date.2Ftime_settings</a><br>
<br>
Martin<br>
<br>
Yes, I did that.<br>
[root@ipa01 log]# ntpdate -u<br>
27 Feb 10:37:00 ntpdate[11281]: adjust time server 192.168.12.239 offset -0.016979 sec<br>
<br>
By the way,<br>
#wbinfo --online-status<br>
<br>
BUILTIN : online<br>
ipadomain: online<br>
addomain : offline<br>
<br>
<br>
Right. Did you also check the actual AD? Especially when AD is in a VM, or if, for example, its time zone is wrong, the UTC time may not match.<br>
<br>
Martin<br>
<br>
On AD the time zone is (UTC+02:00) Istanbul and the time is the same as on the IPA server.<br>
<br>
<br>
</blockquote>
Ok, thanks. It was worth a try. If this is the case, I think you will<br>
simply need to follow our guide for debugging Trusts and send us the logs:<br>
<br>
<a href="http://www.freeipa.org/page/Howto/IPAv3_AD_trust_setup#Debugging_trust" target="_blank">http://www.freeipa.org/page/Howto/IPAv3_AD_trust_setup#Debugging_trust</a><br>
<br>
Thanks,<br>
Martin<br>
<br>
</blockquote>
<br>
Hi,<br>
<br>
I opened debug and tried to understand, but I cannot :( Here are the logs.<br>
<br>
Thanks a lot.<br>
<br>
<br>
Error_log<br>
<br>
[Fri Feb 27 11:08:48.740996 2015] [:error] [pid 5367] ipa: INFO: admin@IPDOMAIN.COM: ping(version=u'2.51'): SUCCESS<br>
lpcfg_load: refreshing parameters from /usr/share/ipa/smb.conf.empty<br>
params.c:pm_process() - Processing configuration file<br>
"/usr/share/ipa/smb.conf.<u></u>empty"<br>
Processing section "[global]"<br>
INFO: Current debug levels:<br>
all: 100<br>
tdb: 100<br>
printdrivers: 100<br>
lanman: 100<br>
smb: 100<br>
rpc_parse: 100<br>
rpc_srv: 100<br>
rpc_cli: 100<br>
passdb: 100<br>
sam: 100<br>
auth: 100<br>
winbind: 100<br>
vfs: 100<br>
idmap: 100<br>
quota: 100<br>
acls: 100<br>
locking: 100<br>
msdfs: 100<br>
dmapi: 100<br>
registry: 100<br>
scavenger: 100<br>
dns: 100<br>
ldb: 100<br>
pm_process() returned Yes<br>
Using binding ncacn_np:ipa01.IPDOMAIN.com[,]<br>
s4_tevent: Added timed event "dcerpc_connect_timeout_<u></u>handler":<br>
0x7fed9c334520<br>
s4_tevent: Added timed event "composite_trigger": 0x7fed9c3ec530<br>
s4_tevent: Added timed event "composite_trigger": 0x7fed9c2f6310<br>
s4_tevent: Running timer event 0x7fed9c3ec530 "composite_trigger"<br>
s4_tevent: Destroying timer event 0x7fed9c2f6310 "composite_trigger"<br>
Mapped to DCERPC endpoint \pipe\lsarpc<br>
added interface docker0 ip=172.17.42.1 bcast=172.17.255.255<br>
netmask=255.255.0.0<br>
added interface ens192 ip=192.168.12.27 bcast=192.168.12.255<br>
netmask=255.255.255.0<br>
added interface docker0 ip=172.17.42.1 bcast=172.17.255.255<br>
netmask=255.255.0.0<br>
added interface ens192 ip=192.168.12.27 bcast=192.168.12.255<br>
netmask=255.255.255.0<br>
s4_tevent: Ending timer event 0x7fed9c3ec530 "composite_trigger"<br>
s4_tevent: Added timed event "connect_multi_timer": 0x7fed9c4cb560<br>
s4_tevent: Schedule immediate event "tevent_req_trigger": 0x7fed9c4cb0b0<br>
s4_tevent: Run immediate event "tevent_req_trigger": 0x7fed9c4cb0b0<br>
s4_tevent: Destroying timer event 0x7fed9c4cb560 "connect_multi_timer"<br>
Socket options:<br>
SO_KEEPALIVE = 0<br>
SO_REUSEADDR = 0<br>
SO_BROADCAST = 0<br>
TCP_NODELAY = 1<br>
TCP_KEEPCNT = 9<br>
TCP_KEEPIDLE = 7200<br>
TCP_KEEPINTVL = 75<br>
IPTOS_LOWDELAY = 0<br>
IPTOS_THROUGHPUT = 0<br>
SO_REUSEPORT = 0<br>
SO_SNDBUF = 663430<br>
SO_RCVBUF = 261942<br>
SO_SNDLOWAT = 1<br>
SO_RCVLOWAT = 1<br>
SO_SNDTIMEO = 0<br>
SO_RCVTIMEO = 0<br>
TCP_QUICKACK = 1<br>
TCP_DEFER_ACCEPT = 0<br>
s4_tevent: Added timed event "tevent_req_timedout": 0x7fed9c4caa80<br>
s4_tevent: Schedule immediate event "tevent_queue_immediate_<u></u>trigger":<br>
0x7fed9c4cb560<br>
s4_tevent: Run immediate event "tevent_queue_immediate_<u></u>trigger":<br>
0x7fed9c4cb560<br>
s4_tevent: Destroying timer event 0x7fed9c4caa80 "tevent_req_timedout"<br>
Starting GENSEC mechanism spnego<br>
Starting GENSEC submechanism gssapi_krb5<br>
Ticket in credentials cache for @IPDOMAIN will expire in 80256 secs<br>
s4_tevent: Added timed event "tevent_req_timedout": 0x7fed9c4d0960<br>
s4_tevent: Schedule immediate event "tevent_queue_immediate_<u></u>trigger":<br>
0x7fed9c4cb560<br>
s4_tevent: Run immediate event "tevent_queue_immediate_<u></u>trigger":<br>
0x7fed9c4cb560<br>
s4_tevent: Destroying timer event 0x7fed9c4d0960 "tevent_req_timedout"<br>
gensec_gssapi: NO credentials were delegated<br>
GSSAPI Connection will be cryptographically sealed<br>
s4_tevent: Added timed event "tevent_req_timedout": 0x7fed9c4d0360<br>
s4_tevent: Schedule immediate event "tevent_queue_immediate_<u></u>trigger":<br>
0x7fed9c4cb560<br>
s4_tevent: Run immediate event "tevent_queue_immediate_<u></u>trigger":<br>
0x7fed9c4cb560<br>
s4_tevent: Destroying timer event 0x7fed9c4d0360 "tevent_req_timedout"<br>
s4_tevent: Added timed event "tevent_req_timedout": 0x7fed9c4cf550<br>
s4_tevent: Schedule immediate event "tevent_queue_immediate_<u></u>trigger":<br>
0x7fed9c4cb560<br>
s4_tevent: Run immediate event "tevent_queue_immediate_<u></u>trigger":<br>
0x7fed9c4cb560<br>
s4_tevent: Destroying timer event 0x7fed9c4cf550 "tevent_req_timedout"<br>
num_setup=2, max_setup=0, param_total=0, this_param=0, max_param=0,<br>
data_total=72, this_data=72, max_data=65535, param_offset=84, param_pad=2,<br>
param_disp=0, data_offset=84, data_pad=0, data_disp=0<br>
s4_tevent: Added timed event "tevent_req_timedout": 0x7fed9c4d9a30<br>
s4_tevent: Schedule immediate event "tevent_queue_immediate_<u></u>trigger":<br>
0x7fed9c4cb560<br>
s4_tevent: Added timed event "dcerpc_timeout_handler": 0x7fed9c4d9df0<br>
s4_tevent: Run immediate event "tevent_queue_immediate_<u></u>trigger":<br>
0x7fed9c4cb560<br>
s4_tevent: Schedule immediate event "tevent_req_trigger": 0x7fed9c4d9640<br>
s4_tevent: Run immediate event "tevent_req_trigger": 0x7fed9c4d9640<br>
s4_tevent: Destroying timer event 0x7fed9c4d9a30 "tevent_req_timedout"<br>
s4_tevent: Destroying timer event 0x7fed9c4d9df0 "dcerpc_timeout_handler"<br>
s4_tevent: Schedule immediate event "tevent_req_trigger": 0x7fed9c3ec8a0<br>
s4_tevent: Run immediate event "tevent_req_trigger": 0x7fed9c3ec8a0<br>
s4_tevent: Destroying timer event 0x7fed9c334520<br>
"dcerpc_connect_timeout_<u></u>handler"<br>
lsa_OpenPolicy2: struct lsa_OpenPolicy2<br>
in: struct lsa_OpenPolicy2<br>
system_name : *<br>
system_name : ''<br>
attr : *<br>
attr: struct lsa_ObjectAttribute<br>
len : 0x00000000 (0)<br>
root_dir : NULL<br>
object_name : NULL<br>
attributes : 0x00000000 (0)<br>
sec_desc : NULL<br>
sec_qos : *<br>
sec_qos: struct lsa_QosInfo<br>
len : 0x00000000 (0)<br>
impersonation_level : 0x0000 (0)<br>
context_mode : 0x00 (0)<br>
effective_only : 0x00 (0)<br>
access_mask : 0x02000000 (33554432)<br>
0: LSA_POLICY_VIEW_LOCAL_<u></u>INFORMATION<br>
0: LSA_POLICY_VIEW_AUDIT_<u></u>INFORMATION<br>
0: LSA_POLICY_GET_PRIVATE_<u></u>INFORMATION<br>
0: LSA_POLICY_TRUST_ADMIN<br>
0: LSA_POLICY_CREATE_ACCOUNT<br>
0: LSA_POLICY_CREATE_SECRET<br>
0: LSA_POLICY_CREATE_PRIVILEGE<br>
0: LSA_POLICY_SET_DEFAULT_QUOTA_<u></u>LIMITS<br>
0: LSA_POLICY_SET_AUDIT_<u></u>REQUIREMENTS<br>
0: LSA_POLICY_AUDIT_LOG_ADMIN<br>
0: LSA_POLICY_SERVER_ADMIN<br>
0: LSA_POLICY_LOOKUP_NAMES<br>
0: LSA_POLICY_NOTIFICATION<br>
s4_tevent: Schedule immediate event "dcerpc_io_trigger": 0x7fed9c2f22c0<br>
s4_tevent: Added timed event "dcerpc_timeout_handler": 0x7fed9c4d0be0<br>
s4_tevent: Run immediate event "dcerpc_io_trigger": 0x7fed9c2f22c0<br>
s4_tevent: Schedule immediate event "dcerpc_io_trigger": 0x7fed9c2f22c0<br>
num_setup=2, max_setup=0, param_total=0, this_param=0, max_param=0,<br>
data_total=80, this_data=80, max_data=4280, param_offset=84, param_pad=2,<br>
param_disp=0, data_offset=84, data_pad=0, data_disp=0<br>
s4_tevent: Added timed event "tevent_req_timedout": 0x7fed9c4d9d00<br>
s4_tevent: Schedule immediate event "tevent_queue_immediate_<u></u>trigger":<br>
0x7fed9c4cb560<br>
s4_tevent: Run immediate event "dcerpc_io_trigger": 0x7fed9c2f22c0<br>
s4_tevent: Run immediate event "tevent_queue_immediate_<u></u>trigger":<br>
0x7fed9c4cb560<br>
s4_tevent: Schedule immediate event "tevent_req_trigger": 0x7fed9c4d9910<br>
s4_tevent: Run immediate event "tevent_req_trigger": 0x7fed9c4d9910<br>
s4_tevent: Destroying timer event 0x7fed9c4d9d00 "tevent_req_timedout"<br>
s4_tevent: Destroying timer event 0x7fed9c4d0be0 "dcerpc_timeout_handler"<br>
s4_tevent: Schedule immediate event "tevent_req_trigger": 0x7fed9c3ec8a0<br>
s4_tevent: Run immediate event "tevent_req_trigger": 0x7fed9c3ec8a0<br>
lsa_OpenPolicy2: struct lsa_OpenPolicy2<br>
out: struct lsa_OpenPolicy2<br>
handle : *<br>
handle: struct policy_handle<br>
handle_type : 0x00000000 (0)<br>
uuid :<br>
00000014-0000-0000-f054-<u></u>20348a2a0000<br>
result : NT_STATUS_OK<br>
lsa_QueryInfoPolicy2: struct lsa_QueryInfoPolicy2<br>
in: struct lsa_QueryInfoPolicy2<br>
handle : *<br>
handle: struct policy_handle<br>
handle_type : 0x00000000 (0)<br>
uuid :<br>
00000014-0000-0000-f054-<u></u>20348a2a0000<br>
level : LSA_POLICY_INFO_DNS (12)<br>
s4_tevent: Schedule immediate event "dcerpc_io_trigger": 0x7fed9c2f22c0<br>
s4_tevent: Added timed event "dcerpc_timeout_handler": 0x7fed9c3ec350<br>
s4_tevent: Run immediate event "dcerpc_io_trigger": 0x7fed9c2f22c0<br>
s4_tevent: Schedule immediate event "dcerpc_io_trigger": 0x7fed9c2f22c0<br>
num_setup=2, max_setup=0, param_total=0, this_param=0, max_param=0,<br>
data_total=46, this_data=46, max_data=4280, param_offset=84, param_pad=2,<br>
param_disp=0, data_offset=84, data_pad=0, data_disp=0<br>
s4_tevent: Added timed event "tevent_req_timedout": 0x7fed9c4d9ec0<br>
s4_tevent: Schedule immediate event "tevent_queue_immediate_<u></u>trigger":<br>
0x7fed9c4cb560<br>
s4_tevent: Run immediate event "dcerpc_io_trigger": 0x7fed9c2f22c0<br>
s4_tevent: Run immediate event "tevent_queue_immediate_<u></u>trigger":<br>
0x7fed9c4cb560<br>
s4_tevent: Schedule immediate event "tevent_req_trigger": 0x7fed9c4d9af0<br>
s4_tevent: Run immediate event "tevent_req_trigger": 0x7fed9c4d9af0<br>
s4_tevent: Destroying timer event 0x7fed9c4d9ec0 "tevent_req_timedout"<br>
s4_tevent: Destroying timer event 0x7fed9c3ec350 "dcerpc_timeout_handler"<br>
s4_tevent: Schedule immediate event "tevent_req_trigger": 0x7fed9c4d0ad0<br>
s4_tevent: Run immediate event "tevent_req_trigger": 0x7fed9c4d0ad0<br>
lsa_QueryInfoPolicy2: struct lsa_QueryInfoPolicy2<br>
out: struct lsa_QueryInfoPolicy2<br>
info : *<br>
info : *<br>
info : union<br>
lsa_PolicyInformation(case 12)<br>
dns: struct lsa_DnsDomainInfo<br>
name: struct lsa_StringLarge<br>
length : 0x0010 (16)<br>
size : 0x0012 (18)<br>
string : *<br>
string : 'IPDOMAIN'<br>
dns_domain: struct lsa_StringLarge<br>
length : 0x0018 (24)<br>
size : 0x001a (26)<br>
string : *<br>
string : 'IPDOMAIN.com'<br>
dns_forest: struct lsa_StringLarge<br>
length : 0x0018 (24)<br>
size : 0x001a (26)<br>
string : *<br>
string : 'IPDOMAIN.com'<br>
domain_guid :<br>
00000015-e851-c207-0dd0-<u></u>a20419e2e2c7<br>
sid : *<br>
sid :<br>
S-1-5-21-3255298129-77778957-<u></u>3353535001<br>
result : NT_STATUS_OK<br>
lsa_QueryInfoPolicy2: struct lsa_QueryInfoPolicy2<br>
in: struct lsa_QueryInfoPolicy2<br>
handle : *<br>
handle: struct policy_handle<br>
handle_type : 0x00000000 (0)<br>
uuid :<br>
00000014-0000-0000-f054-<u></u>20348a2a0000<br>
level : LSA_POLICY_INFO_ROLE (6)<br>
s4_tevent: Schedule immediate event "dcerpc_io_trigger": 0x7fed9c2f22c0<br>
s4_tevent: Added timed event "dcerpc_timeout_handler": 0x7fed9c4d0f90<br>
s4_tevent: Run immediate event "dcerpc_io_trigger": 0x7fed9c2f22c0<br>
s4_tevent: Schedule immediate event "dcerpc_io_trigger": 0x7fed9c2f22c0<br>
num_setup=2, max_setup=0, param_total=0, this_param=0, max_param=0,<br>
data_total=46, this_data=46, max_data=4280, param_offset=84, param_pad=2,<br>
param_disp=0, data_offset=84, data_pad=0, data_disp=0<br>
s4_tevent: Added timed event "tevent_req_timedout": 0x7fed9c4da450<br>
s4_tevent: Schedule immediate event "tevent_queue_immediate_<u></u>trigger":<br>
0x7fed9c4cb560<br>
s4_tevent: Run immediate event "dcerpc_io_trigger": 0x7fed9c2f22c0<br>
s4_tevent: Run immediate event "tevent_queue_immediate_<u></u>trigger":<br>
0x7fed9c4cb560<br>
s4_tevent: Schedule immediate event "tevent_req_trigger": 0x7fed9c4d9fe0<br>
s4_tevent: Run immediate event "tevent_req_trigger": 0x7fed9c4d9fe0<br>
s4_tevent: Destroying timer event 0x7fed9c4da450 "tevent_req_timedout"<br>
s4_tevent: Destroying timer event 0x7fed9c4d0f90 "dcerpc_timeout_handler"<br>
s4_tevent: Schedule immediate event "tevent_req_trigger": 0x7fed9c3ec3e0<br>
s4_tevent: Run immediate event "tevent_req_trigger": 0x7fed9c3ec3e0<br>
lsa_QueryInfoPolicy2: struct lsa_QueryInfoPolicy2<br>
out: struct lsa_QueryInfoPolicy2<br>
info : *<br>
info : *<br>
info : union<br>
lsa_PolicyInformation(case 6)<br>
role: struct lsa_ServerRole<br>
role : LSA_ROLE_PRIMARY (3)<br>
result : NT_STATUS_OK<br>
lpcfg_load: refreshing parameters from /usr/share/ipa/smb.conf.empty<br>
params.c:pm_process() - Processing configuration file<br>
"/usr/share/ipa/smb.conf.<u></u>empty"<br>
Processing section "[global]"<br>
INFO: Current debug levels:<br>
all: 100<br>
tdb: 100<br>
printdrivers: 100<br>
lanman: 100<br>
smb: 100<br>
rpc_parse: 100<br>
rpc_srv: 100<br>
rpc_cli: 100<br>
passdb: 100<br>
sam: 100<br>
auth: 100<br>
winbind: 100<br>
vfs: 100<br>
idmap: 100<br>
quota: 100<br>
acls: 100<br>
locking: 100<br>
msdfs: 100<br>
dmapi: 100<br>
registry: 100<br>
scavenger: 100<br>
dns: 100<br>
ldb: 100<br>
pm_process() returned Yes<br>
added interface docker0 ip=172.17.42.1 bcast=172.17.255.255<br>
netmask=255.255.0.0<br>
added interface ens192 ip=192.168.12.27 bcast=192.168.12.255<br>
netmask=255.255.255.0<br>
added interface docker0 ip=172.17.42.1 bcast=172.17.255.255<br>
netmask=255.255.0.0<br>
added interface ens192 ip=192.168.12.27 bcast=192.168.12.255<br>
netmask=255.255.255.0<br>
added interface docker0 ip=172.17.42.1 bcast=172.17.255.255<br>
netmask=255.255.0.0<br>
added interface ens192 ip=192.168.12.27 bcast=192.168.12.255<br>
netmask=255.255.255.0<br>
added interface docker0 ip=172.17.42.1 bcast=172.17.255.255<br>
netmask=255.255.0.0<br>
added interface ens192 ip=192.168.12.27 bcast=192.168.12.255<br>
netmask=255.255.255.0<br>
finddcs: searching for a DC by DNS domain addomain.com<br>
finddcs: looking for SRV records for _ldap._tcp.addomain.com<br>
ads_dns_lookup_srv: 3 records returned in the answer section.<br>
ads_dns_parse_rr_srv: Parsed ad.addomain.com [0, 100, 389]<br>
ads_dns_parse_rr_srv: Parsed kratos.addomain.com [0, 100, 389]<br>
ads_dns_parse_rr_srv: Parsed beatrice.addomain.com [0, 100, 389]<br>
Addrs = 192.168.12.236@389/ad,172.16.50.70@389/kratos,192.168.12.239@389/beatrice<br>
finddcs: DNS SRV response 0 at '192.168.12.236'<br>
finddcs: DNS SRV response 1 at '172.16.50.70'<br>
finddcs: DNS SRV response 2 at '192.168.12.239'<br>
finddcs: performing CLDAP query on 192.168.12.236<br>
s4_tevent: Added timed event "tevent_req_timedout": 0x7fed9c4d6230<br>
s4_tevent: Schedule immediate event "tevent_req_trigger": 0x7fed9c4d66e0<br>
s4_tevent: Run immediate event "tevent_req_trigger": 0x7fed9c4d66e0<br>
s4_tevent: Added timed event "tevent_req_timedout": 0x7fed9c4d69b0<br>
s4_tevent: Destroying timer event 0x7fed9c4d69b0 "tevent_req_timedout"<br>
s4_tevent: Destroying timer event 0x7fed9c4d6230 "tevent_req_timedout"<br>
&response->data.nt5_ex: struct NETLOGON_SAM_LOGON_RESPONSE_EX<br>
command : LOGON_SAM_LOGON_RESPONSE_EX (23)<br>
sbz : 0x0000 (0)<br>
server_type : 0x000031fd (12797)<br>
1: NBT_SERVER_PDC<br>
1: NBT_SERVER_GC<br>
1: NBT_SERVER_LDAP<br>
1: NBT_SERVER_DS<br>
1: NBT_SERVER_KDC<br>
1: NBT_SERVER_TIMESERV<br>
1: NBT_SERVER_CLOSEST<br>
1: NBT_SERVER_WRITABLE<br>
0: NBT_SERVER_GOOD_TIMESERV<br>
0: NBT_SERVER_NDNC<br>
0: NBT_SERVER_SELECT_SECRET_<u></u>DOMAIN_6<br>
1: NBT_SERVER_FULL_SECRET_DOMAIN_<u></u>6<br>
1: NBT_SERVER_ADS_WEB_SERVICE<br>
0: NBT_SERVER_HAS_DNS_NAME<br>
0: NBT_SERVER_IS_DEFAULT_NC<br>
0: NBT_SERVER_FOREST_ROOT<br>
domain_uuid : 6aac190b-04eb-464f-bdcc-<u></u>b07e27e2d1e5<br>
forest : 'addomain.com'<br>
dns_domain : 'addomain.com'<br>
pdc_dns_name : 'ad.addomain.com'<br>
domain_name : 'LIBERO'<br>
pdc_name : 'ad'<br>
user_name : ''<br>
server_site : 'Default-First-Site-Name'<br>
client_site : 'Default-First-Site-Name'<br>
sockaddr_size : 0x00 (0)<br>
sockaddr: struct nbt_sockaddr<br>
sockaddr_family : 0x00000000 (0)<br>
pdc_ip : (null)<br>
remaining : DATA_BLOB length=0<br>
next_closest_site : NULL<br>
nt_version : 0x00000005 (5)<br>
1: NETLOGON_NT_VERSION_1<br>
0: NETLOGON_NT_VERSION_5<br>
1: NETLOGON_NT_VERSION_5EX<br>
0: NETLOGON_NT_VERSION_5EX_WITH_<u></u>IP<br>
0: NETLOGON_NT_VERSION_WITH_<u></u>CLOSEST_SITE<br>
0: NETLOGON_NT_VERSION_AVOID_<u></u>NT4EMUL<br>
0: NETLOGON_NT_VERSION_PDC<br>
0: NETLOGON_NT_VERSION_IP<br>
0: NETLOGON_NT_VERSION_LOCAL<br>
0: NETLOGON_NT_VERSION_GC<br>
lmnt_token : 0xffff (65535)<br>
lm20_token : 0xffff (65535)<br>
finddcs: Found matching DC 192.168.12.236 with server_type=0x000031fd<br>
Using binding ncacn_np:ad.addomain.com[,]<br>
s4_tevent: Added timed event "dcerpc_connect_timeout_<u></u>handler":<br>
0x7fed9c4d4b90<br>
s4_tevent: Added timed event "composite_trigger": 0x7fed9c4d5180<br>
s4_tevent: Added timed event "composite_trigger": 0x7fed9c4d54b0<br>
s4_tevent: Running timer event 0x7fed9c4d5180 "composite_trigger"<br>
s4_tevent: Destroying timer event 0x7fed9c4d54b0 "composite_trigger"<br>
Mapped to DCERPC endpoint \pipe\lsarpc<br>
added interface docker0 ip=172.17.42.1 bcast=172.17.255.255<br>
netmask=255.255.0.0<br>
added interface ens192 ip=192.168.12.27 bcast=192.168.12.255<br>
netmask=255.255.255.0<br>
added interface docker0 ip=172.17.42.1 bcast=172.17.255.255<br>
netmask=255.255.0.0<br>
added interface ens192 ip=192.168.12.27 bcast=192.168.12.255<br>
netmask=255.255.255.0<br>
s4_tevent: Ending timer event 0x7fed9c4d5180 "composite_trigger"<br>
s4_tevent: Added timed event "connect_multi_timer": 0x7fed9c4d8b90<br>
s4_tevent: Schedule immediate event "tevent_req_trigger": 0x7fed9c4d5180<br>
s4_tevent: Run immediate event "tevent_req_trigger": 0x7fed9c4d5180<br>
s4_tevent: Destroying timer event 0x7fed9c4d8b90 "connect_multi_timer"<br>
Socket options:<br>
SO_KEEPALIVE = 0<br>
SO_REUSEADDR = 0<br>
SO_BROADCAST = 0<br>
TCP_NODELAY = 1<br>
TCP_KEEPCNT = 9<br>
TCP_KEEPIDLE = 7200<br>
TCP_KEEPINTVL = 75<br>
IPTOS_LOWDELAY = 0<br>
IPTOS_THROUGHPUT = 0<br>
SO_REUSEPORT = 0<br>
SO_SNDBUF = 23080<br>
SO_RCVBUF = 87380<br>
SO_SNDLOWAT = 1<br>
SO_RCVLOWAT = 1<br>
SO_SNDTIMEO = 0<br>
SO_RCVTIMEO = 0<br>
TCP_QUICKACK = 1<br>
TCP_DEFER_ACCEPT = 0<br>
s4_tevent: Added timed event "tevent_req_timedout": 0x7fed9c4dbfe0<br>
s4_tevent: Schedule immediate event "tevent_queue_immediate_<u></u>trigger":<br>
0x7fed9c4d8b90<br>
s4_tevent: Run immediate event "tevent_queue_immediate_<u></u>trigger":<br>
0x7fed9c4d8b90<br>
s4_tevent: Destroying timer event 0x7fed9c4dbfe0 "tevent_req_timedout"<br>
Starting GENSEC mechanism spnego<br>
Starting GENSEC submechanism gssapi_krb5<br>
Ticket in credentials cache for @IPDOMAIN will expire in 86400 secs<br>
GSS client Update(krb5)(1) Update failed: Unspecified GSS failure. Minor code may provide more information: KDC policy rejects request<br>
</blockquote></div></div>
This means your trust is not working. How did you establish trust?<br>
Show exact commands.<br>
<br>
"KDC policy rejects request" means AD DC was unable to complete trust<br>
validation. Usually it means it was unable to talk back to IPA master<br>
which it discovers via SRV records over DNS.<span class=""><font color="#888888"><br>
-- <br>
/ Alexander Bokovoy<br>
</font></span></blockquote></div><br></div><div class="gmail_extra"><br></div><div class="gmail_extra">Hi,</div><div class="gmail_extra"><br></div><div class="gmail_extra">When I add the trust, it returns this.</div><div class="gmail_extra"><br></div><div class="gmail_extra"><div>[root@ipa01 ~]# ipa trust-add --type=ad --admin admin --password</div><div>Realm name: addomain.com</div><div>Active directory domain administrator's password:</div><div>-------------------------------------------</div><div>Re-established trust to domain "ADDOMAIN.COM"</div><div>-------------------------------------------</div><div> Realm name: ADDOMAIN.COM</div><div> Domain NetBIOS name: ADDOMAIN</div><div> Domain Security Identifier: S-1-5-21-1343024091-2000478354-725345543</div><div> SID blacklist incoming: S-1-0, S-1-1, S-1-2, S-1-3, S-1-5-1, S-1-5-2, S-1-5-3, S-1-5-4, S-1-5-5, S-1-5-6, S-1-5-7, S-1-5-8, S-1-5-9, S-1-5-10, S-1-5-11, S-1-5-12, S-1-5-13, S-1-5-14, S-1-5-15,</div><div> S-1-5-16, S-1-5-17, S-1-5-18, S-1-5-19, S-1-5-20</div><div> SID blacklist outgoing: S-1-0, S-1-1, S-1-2, S-1-3, S-1-5-1, S-1-5-2, S-1-5-3, S-1-5-4, S-1-5-5, S-1-5-6, S-1-5-7, S-1-5-8, S-1-5-9, S-1-5-10, S-1-5-11, S-1-5-12, S-1-5-13, S-1-5-14, S-1-5-15,</div><div> S-1-5-16, S-1-5-17, S-1-5-18, S-1-5-19, S-1-5-20</div><div> Trust direction: Two-way trust</div><div> Trust type: Active Directory domain</div><div> Trust status: Established and verified</div></div></div>
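The reading of the last log lines given in the quoted reply above, as an added example that is not part of the original thread: a Python triage that strips the archive's HTML residue and line wrapping from a level-100 Samba debug log and reports the SRV targets, the selected DC, the RPC binding, and the GSS minor status. The names `triage`, `HINTS` and `SAMPLE_LOG` are hypothetical, the sample lines are constructed in the shape of the log quoted above, and the hint for "KDC policy rejects request" paraphrases that reply.

```python
import re

# Minor-status text -> what to check next. The first entry paraphrases the
# reply quoted in this thread; the second is general Kerberos knowledge
# (assumption: it does not come from the thread).
HINTS = {
    "KDC policy rejects request":
        "AD DC could not complete trust validation; verify that it can "
        "resolve the IPA master's SRV records in DNS and connect back to it.",
    "Clock skew too great":
        "Clocks differ by more than the Kerberos tolerance; compare UTC "
        "time on both sides.",
}

TAG = re.compile(r"<[^>]+>")  # <br>, <a ...>, <u></u> left by the mail archive
SRV = re.compile(r"ads_dns_parse_rr_srv: Parsed (\S+) \[(\d+), (\d+), (\d+)\]")
DC = re.compile(r"finddcs: Found matching DC (\S+) with server_type=")
BIND = re.compile(r"Using binding (\S+)")
MECH = re.compile(r"Starting GENSEC (?:sub)?mechanism (\S+)")
MINOR = re.compile(
    r"Update failed: (.+?) Minor code may provide more information: (.+)$")

# Constructed sample, including the HTML residue and the mid-record line wrap
# that a mail archive adds to pasted log output.
SAMPLE_LOG = """\
finddcs: looking for SRV records for _ldap._tcp.addomain.com<br>
ads_dns_parse_rr_srv: Parsed <a href="http://ad.addomain.com">ad.addomain.com</a> [0, 100, 389]<br>
ads_dns_parse_rr_srv: Parsed kratos.addomain.com [0, 100, 389]<br>
s4_tevent: Added timed event "tevent_req_<u></u>timedout": 0x7fed9c4d6230<br>
finddcs: Found matching DC 192.168.12.236 with server_type=0x000031fd<br>
Using binding ncacn_np:<a href="http://ad.addomain.com">ad.addomain.com</a>[,]<br>
Starting GENSEC mechanism spnego<br>
Starting GENSEC submechanism gssapi_krb5<br>
GSS client Update(krb5)(1) Update failed: Unspecified GSS failure.  Minor<br>
code may provide more information: KDC policy rejects request<br>
"""


def triage(raw):
    """Reduce a Samba debug log to the facts needed to read a GSS failure."""
    # Drop HTML tags, collapse whitespace, discard empty lines.
    lines = [" ".join(TAG.sub("", l).split()) for l in raw.splitlines()]
    lines = [l for l in lines if l]
    rep = {"srv": [], "dc": None, "bindings": [], "mechs": [],
           "failure": None, "hint": None}
    for i, line in enumerate(lines):
        if m := SRV.search(line):
            # Bracketed fields are priority, weight, port; keep host and port.
            rep["srv"].append((m.group(1), int(m.group(4))))
        elif m := DC.search(line):
            rep["dc"] = m.group(1)
        elif m := BIND.search(line):
            rep["bindings"].append(m.group(1))
        elif m := MECH.search(line):
            rep["mechs"].append(m.group(1))
        elif "Update failed:" in line:
            # The message may be wrapped; pull in up to two following lines
            # until the minor-status text is complete.
            text, k = line, i + 1
            while not MINOR.search(text) and k < min(i + 3, len(lines)):
                text, k = text + " " + lines[k], k + 1
            if m := MINOR.search(text):
                rep["failure"] = (m.group(1), m.group(2))
                rep["hint"] = HINTS.get(m.group(2))
    return rep


if __name__ == "__main__":
    for key, value in triage(SAMPLE_LOG).items():
        print(f"{key}: {value}")
```

A minor status that is not in `HINTS` is still reported in `failure`, with `hint` left as `None`.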