<div dir="ltr"><div> </div><div class="gmail_extra"> <div class="gmail_quote">2015-02-27 11:36 GMT+02:00 Alexander Bokovoy <<a href="mailto:abokovoy@redhat.com" target="_blank">abokovoy@redhat.com</a>>: <blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left-width:1px;border-left-color:rgb(204,204,204);border-left-style:solid;padding-left:1ex"><div class=""><div class="h5">On Fri, 27 Feb 2015, mete bilgin wrote: <blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left-width:1px;border-left-color:rgb(204,204,204);border-left-style:solid;padding-left:1ex"> 2015-02-27 11:05 GMT+02:00 Martin Kosek <<a href="mailto:mkosek@redhat.com" target="_blank">mkosek@redhat.com</a>>: <blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left-width:1px;border-left-color:rgb(204,204,204);border-left-style:solid;padding-left:1ex"> On 02/27/2015 10:01 AM, mete bilgin wrote: <blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left-width:1px;border-left-color:rgb(204,204,204);border-left-style:solid;padding-left:1ex"> 2015-02-27 10:45 GMT+02:00 Martin Kosek <<a href="mailto:mkosek@redhat.com" target="_blank">mkosek@redhat.com</a> <mailto:<a href="mailto:mkosek@redhat.com" target="_blank">mkosek@redhat.com</a>>>: On 02/27/2015 09:39 AM, mete bilgin wrote: 2015-02-27 10:33 GMT+02:00 Martin Kosek <<a href="mailto:mkosek@redhat.com" target="_blank">mkosek@redhat.com</a> <mailto:<a href="mailto:mkosek@redhat.com" target="_blank">mkosek@redhat.com</a>> <mailto:<a href="mailto:mkosek@redhat.com" target="_blank">mkosek@redhat.com</a> <mailto:<a href="mailto:mkosek@redhat.com" target="_blank">mkosek@redhat.com</a>>>>: On 02/27/2015 09:30 AM, mete bilgin wrote: Hello, I'm trying to install ipa-server with trust (Win 2008R2). trustdomain-find will work but when i try to trust-fetch-domains "ipa: ERROR: AD domain controller complains about communication sequence. It may mean unsynchronized time on both sides, for example" return. Force to reinstall adtrust. Have any idea where is the problem? You probably done that, but did you indeed verify that the time on both your IPA server and AD are the same? <a href="http://www.freeipa.org/page/____Howto/IPAv3_AD_trust_setup#_" target="_blank">http://www.freeipa.org/page/____Howto/IPAv3_AD_trust_setup#_</a> ___Date.2Ftime_settings <<a href="http://www.freeipa.org/page/__Howto/IPAv3_AD_trust_setup#__" target="_blank">http://www.freeipa.org/page/__Howto/IPAv3_AD_trust_setup#__</a> Date.2Ftime_settings> <<a href="http://www.freeipa.org/page/__Howto/IPAv3_AD_trust_setup#__" target="_blank">http://www.freeipa.org/page/__Howto/IPAv3_AD_trust_setup#__</a> Date.2Ftime_settings <<a href="http://www.freeipa.org/page/Howto/IPAv3_AD_trust_setup#" target="_blank">http://www.freeipa.org/page/Howto/IPAv3_AD_trust_setup#</a> Date.2Ftime_settings>> Martin Yes i did that. [root@ipa01 log]# ntpdate -u 27 Feb 10:37:00 ntpdate[11281]: adjust time server 192.168.12.239 offset -0.016979 sec By the way, #wbinfo --online-status BUILTIN : online ipadomain: online addomain : offline Right. Did you also check the actual AD? Especially when AD is in a VM, or of if for example it's time zone is wrong, the UTC time may not match. Martin On AD time zone (UTC+02:00) Istanbul and the same time with ipa server. </blockquote> Ok, thanks. It was worth a try. If this is the case, I think you will simply need to follow our guide for debugging Trusts and send us the logs: <a href="http://www.freeipa.org/page/Howto/IPAv3_AD_trust_setup#Debugging_trust" target="_blank">http://www.freeipa.org/page/Howto/IPAv3_AD_trust_setup#Debugging_trust</a> Thanks, Martin </blockquote> Hi, I open debug and try to understand but, i can not :( Here the logs. Thank a lot. Error_log [Fri Feb 27 11:08:48.<a href="tel:740996%202015" value="+17409962015" target="_blank">740996 2015</a>] [:error] [pid 5367] ipa: INFO: <a href="mailto:admin@IPDOMAIN.COM" target="_blank">admin@IPDOMAIN.COM</a>: ping(version=u'2.51'): SUCCESS lpcfg_load: refreshing parameters from /usr/share/ipa/smb.conf.empty params.c:pm_process() - Processing configuration file "/usr/share/ipa/smb.conf.empty" Processing section "[global]" INFO: Current debug levels: all: 100 tdb: 100 printdrivers: 100 lanman: 100 smb: 100 rpc_parse: 100 rpc_srv: 100 rpc_cli: 100 passdb: 100 sam: 100 auth: 100 winbind: 100 vfs: 100 idmap: 100 quota: 100 acls: 100 locking: 100 msdfs: 100 dmapi: 100 registry: 100 scavenger: 100 dns: 100 ldb: 100 pm_process() returned Yes Using binding ncacn_np:<a href="http://ipa01.IPDOMAIN.com" target="_blank">ipa01.IPDOMAIN.com</a>[,] s4_tevent: Added timed event "dcerpc_connect_timeout_handler": 0x7fed9c334520 s4_tevent: Added timed event "composite_trigger": 0x7fed9c3ec530 s4_tevent: Added timed event "composite_trigger": 0x7fed9c2f6310 s4_tevent: Running timer event 0x7fed9c3ec530 "composite_trigger" s4_tevent: Destroying timer event 0x7fed9c2f6310 "composite_trigger" Mapped to DCERPC endpoint \pipe\lsarpc added interface docker0 ip=172.17.42.1 bcast=172.17.255.255 netmask=255.255.0.0 added interface ens192 ip=192.168.12.27 bcast=192.168.12.255 netmask=255.255.255.0 added interface docker0 ip=172.17.42.1 bcast=172.17.255.255 netmask=255.255.0.0 added interface ens192 ip=192.168.12.27 bcast=192.168.12.255 netmask=255.255.255.0 s4_tevent: Ending timer event 0x7fed9c3ec530 "composite_trigger" s4_tevent: Added timed event "connect_multi_timer": 0x7fed9c4cb560 s4_tevent: Schedule immediate event "tevent_req_trigger": 0x7fed9c4cb0b0 s4_tevent: Run immediate event "tevent_req_trigger": 0x7fed9c4cb0b0 s4_tevent: Destroying timer event 0x7fed9c4cb560 "connect_multi_timer" Socket options: SO_KEEPALIVE = 0 SO_REUSEADDR = 0 SO_BROADCAST = 0 TCP_NODELAY = 1 TCP_KEEPCNT = 9 TCP_KEEPIDLE = 7200 TCP_KEEPINTVL = 75 IPTOS_LOWDELAY = 0 IPTOS_THROUGHPUT = 0 SO_REUSEPORT = 0 SO_SNDBUF = 663430 SO_RCVBUF = 261942 SO_SNDLOWAT = 1 SO_RCVLOWAT = 1 SO_SNDTIMEO = 0 SO_RCVTIMEO = 0 TCP_QUICKACK = 1 TCP_DEFER_ACCEPT = 0 s4_tevent: Added timed event "tevent_req_timedout": 0x7fed9c4caa80 s4_tevent: Schedule immediate event "tevent_queue_immediate_trigger": 0x7fed9c4cb560 s4_tevent: Run immediate event "tevent_queue_immediate_trigger": 0x7fed9c4cb560 s4_tevent: Destroying timer event 0x7fed9c4caa80 "tevent_req_timedout" Starting GENSEC mechanism spnego Starting GENSEC submechanism gssapi_krb5 Ticket in credentials cache for @IPDOMAIN will expire in 80256 secs s4_tevent: Added timed event "tevent_req_timedout": 0x7fed9c4d0960 s4_tevent: Schedule immediate event "tevent_queue_immediate_trigger": 0x7fed9c4cb560 s4_tevent: Run immediate event "tevent_queue_immediate_trigger": 0x7fed9c4cb560 s4_tevent: Destroying timer event 0x7fed9c4d0960 "tevent_req_timedout" gensec_gssapi: NO credentials were delegated GSSAPI Connection will be cryptographically sealed s4_tevent: Added timed event "tevent_req_timedout": 0x7fed9c4d0360 s4_tevent: Schedule immediate event "tevent_queue_immediate_trigger": 0x7fed9c4cb560 s4_tevent: Run immediate event "tevent_queue_immediate_trigger": 0x7fed9c4cb560 s4_tevent: Destroying timer event 0x7fed9c4d0360 "tevent_req_timedout" s4_tevent: Added timed event "tevent_req_timedout": 0x7fed9c4cf550 s4_tevent: Schedule immediate event "tevent_queue_immediate_trigger": 0x7fed9c4cb560 s4_tevent: Run immediate event "tevent_queue_immediate_trigger": 0x7fed9c4cb560 s4_tevent: Destroying timer event 0x7fed9c4cf550 "tevent_req_timedout" num_setup=2, max_setup=0, param_total=0, this_param=0, max_param=0, data_total=72, this_data=72, max_data=65535, param_offset=84, param_pad=2, param_disp=0, data_offset=84, data_pad=0, data_disp=0 s4_tevent: Added timed event "tevent_req_timedout": 0x7fed9c4d9a30 s4_tevent: Schedule immediate event "tevent_queue_immediate_trigger": 0x7fed9c4cb560 s4_tevent: Added timed event "dcerpc_timeout_handler": 0x7fed9c4d9df0 s4_tevent: Run immediate event "tevent_queue_immediate_trigger": 0x7fed9c4cb560 s4_tevent: Schedule immediate event "tevent_req_trigger": 0x7fed9c4d9640 s4_tevent: Run immediate event "tevent_req_trigger": 0x7fed9c4d9640 s4_tevent: Destroying timer event 0x7fed9c4d9a30 "tevent_req_timedout" s4_tevent: Destroying timer event 0x7fed9c4d9df0 "dcerpc_timeout_handler" s4_tevent: Schedule immediate event "tevent_req_trigger": 0x7fed9c3ec8a0 s4_tevent: Run immediate event "tevent_req_trigger": 0x7fed9c3ec8a0 s4_tevent: Destroying timer event 0x7fed9c334520 "dcerpc_connect_timeout_handler" lsa_OpenPolicy2: struct lsa_OpenPolicy2 in: struct lsa_OpenPolicy2 system_name : * system_name : '' attr : * attr: struct lsa_ObjectAttribute len : 0x00000000 (0) root_dir : NULL object_name : NULL attributes : 0x00000000 (0) sec_desc : NULL sec_qos : * sec_qos: struct lsa_QosInfo len : 0x00000000 (0) impersonation_level : 0x0000 (0) context_mode : 0x00 (0) effective_only : 0x00 (0) access_mask : 0x02000000 (33554432) 0: LSA_POLICY_VIEW_LOCAL_INFORMATION 0: LSA_POLICY_VIEW_AUDIT_INFORMATION 0: LSA_POLICY_GET_PRIVATE_INFORMATION 0: LSA_POLICY_TRUST_ADMIN 0: LSA_POLICY_CREATE_ACCOUNT 0: LSA_POLICY_CREATE_SECRET 0: LSA_POLICY_CREATE_PRIVILEGE 0: LSA_POLICY_SET_DEFAULT_QUOTA_LIMITS 0: LSA_POLICY_SET_AUDIT_REQUIREMENTS 0: LSA_POLICY_AUDIT_LOG_ADMIN 0: LSA_POLICY_SERVER_ADMIN 0: LSA_POLICY_LOOKUP_NAMES 0: LSA_POLICY_NOTIFICATION rpc request data: [0000] 00 00 02 00 01 00 00 00 00 00 00 00 01 00 00 00 ........ ........ [0010] 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ........ ........ [0020] 00 00 00 00 00 00 00 00 04 00 02 00 00 00 00 00 ........ ........ [0030] 00 00 00 00 00 00 00 02 ........ s4_tevent: Schedule immediate event "dcerpc_io_trigger": 0x7fed9c2f22c0 s4_tevent: Added timed event "dcerpc_timeout_handler": 0x7fed9c4d0be0 s4_tevent: Run immediate event "dcerpc_io_trigger": 0x7fed9c2f22c0 s4_tevent: Schedule immediate event "dcerpc_io_trigger": 0x7fed9c2f22c0 num_setup=2, max_setup=0, param_total=0, this_param=0, max_param=0, data_total=80, this_data=80, max_data=4280, param_offset=84, param_pad=2, param_disp=0, data_offset=84, data_pad=0, data_disp=0 s4_tevent: Added timed event "tevent_req_timedout": 0x7fed9c4d9d00 s4_tevent: Schedule immediate event "tevent_queue_immediate_trigger": 0x7fed9c4cb560 s4_tevent: Run immediate event "dcerpc_io_trigger": 0x7fed9c2f22c0 s4_tevent: Run immediate event "tevent_queue_immediate_trigger": 0x7fed9c4cb560 s4_tevent: Schedule immediate event "tevent_req_trigger": 0x7fed9c4d9910 s4_tevent: Run immediate event "tevent_req_trigger": 0x7fed9c4d9910 s4_tevent: Destroying timer event 0x7fed9c4d9d00 "tevent_req_timedout" s4_tevent: Destroying timer event 0x7fed9c4d0be0 "dcerpc_timeout_handler" s4_tevent: Schedule immediate event "tevent_req_trigger": 0x7fed9c3ec8a0 s4_tevent: Run immediate event "tevent_req_trigger": 0x7fed9c3ec8a0 lsa_OpenPolicy2: struct lsa_OpenPolicy2 out: struct lsa_OpenPolicy2 handle : * handle: struct policy_handle handle_type : 0x00000000 (0) uuid : 00000014-0000-0000-f054-20348a2a0000 result : NT_STATUS_OK rpc reply data: [0000] 00 00 00 00 14 00 00 00 00 00 00 00 F0 54 20 34 ........ .....T 4 [0010] 8A 2A 00 00 00 00 00 00 .*...... lsa_QueryInfoPolicy2: struct lsa_QueryInfoPolicy2 in: struct lsa_QueryInfoPolicy2 handle : * handle: struct policy_handle handle_type : 0x00000000 (0) uuid : 00000014-0000-0000-f054-20348a2a0000 level : LSA_POLICY_INFO_DNS (12) rpc request data: [0000] 00 00 00 00 14 00 00 00 00 00 00 00 F0 54 20 34 ........ .....T 4 [0010] 8A 2A 00 00 0C 00 .*.... s4_tevent: Schedule immediate event "dcerpc_io_trigger": 0x7fed9c2f22c0 s4_tevent: Added timed event "dcerpc_timeout_handler": 0x7fed9c3ec350 s4_tevent: Run immediate event "dcerpc_io_trigger": 0x7fed9c2f22c0 s4_tevent: Schedule immediate event "dcerpc_io_trigger": 0x7fed9c2f22c0 num_setup=2, max_setup=0, param_total=0, this_param=0, max_param=0, data_total=46, this_data=46, max_data=4280, param_offset=84, param_pad=2, param_disp=0, data_offset=84, data_pad=0, data_disp=0 s4_tevent: Added timed event "tevent_req_timedout": 0x7fed9c4d9ec0 s4_tevent: Schedule immediate event "tevent_queue_immediate_trigger": 0x7fed9c4cb560 s4_tevent: Run immediate event "dcerpc_io_trigger": 0x7fed9c2f22c0 s4_tevent: Run immediate event "tevent_queue_immediate_trigger": 0x7fed9c4cb560 s4_tevent: Schedule immediate event "tevent_req_trigger": 0x7fed9c4d9af0 s4_tevent: Run immediate event "tevent_req_trigger": 0x7fed9c4d9af0 s4_tevent: Destroying timer event 0x7fed9c4d9ec0 "tevent_req_timedout" s4_tevent: Destroying timer event 0x7fed9c3ec350 "dcerpc_timeout_handler" s4_tevent: Schedule immediate event "tevent_req_trigger": 0x7fed9c4d0ad0 s4_tevent: Run immediate event "tevent_req_trigger": 0x7fed9c4d0ad0 lsa_QueryInfoPolicy2: struct lsa_QueryInfoPolicy2 out: struct lsa_QueryInfoPolicy2 info : * info : * info : union lsa_PolicyInformation(case 12) dns: struct lsa_DnsDomainInfo name: struct lsa_StringLarge length : 0x0010 (16) size : 0x0012 (18) string : * string : 'IPDOMAIN' dns_domain: struct lsa_StringLarge length : 0x0018 (24) size : 0x001a (26) string : * string : 'IPDOMAIN.com' dns_forest: struct lsa_StringLarge length : 0x0018 (24) size : 0x001a (26) string : * string : 'IPDOMAIN.com' domain_guid : 00000015-e851-c207-0dd0-a20419e2e2c7 sid : * sid : S-1-5-21-3255298129-77778957-3353535001 result : NT_STATUS_OK rpc reply data: [0000] 00 00 02 00 0C 00 00 00 10 00 12 00 04 00 02 00 ........ ........ [0010] 18 00 1A 00 08 00 02 00 18 00 1A 00 0C 00 02 00 ........ ........ [0020] 15 00 00 00 51 E8 07 C2 0D D0 A2 04 19 E2 E2 C7 ....Q... ........ [0030] 10 00 02 00 09 00 00 00 00 00 00 00 08 00 00 00 ........ ........ [0040] 42 00 49 00 4C 00 59 00 4F 00 4E 00 45 00 52 00 B.I.L.Y. O.N.E.R. [0050] 0D 00 00 00 00 00 00 00 0C 00 00 00 62 00 69 00 ........ ....b.i. [0060] 6C 00 79 00 6F 00 6E 00 65 00 72 00 2E 00 63 00 l.y.o.n. e.r...c. [0070] 6F 00 6D 00 0D 00 00 00 00 00 00 00 0C 00 00 00 o.m..... ........ [0080] 62 00 69 00 6C 00 79 00 6F 00 6E 00 65 00 72 00 b.i.l.y. o.n.e.r. [0090] 2E 00 63 00 6F 00 6D 00 04 00 00 00 01 04 00 00 ..c.o.m. ........ [00A0] 00 00 00 05 15 00 00 00 51 E8 07 C2 0D D0 A2 04 ........ Q....... [00B0] 19 E2 E2 C7 00 00 00 00 ........ lsa_QueryInfoPolicy2: struct lsa_QueryInfoPolicy2 in: struct lsa_QueryInfoPolicy2 handle : * handle: struct policy_handle handle_type : 0x00000000 (0) uuid : 00000014-0000-0000-f054-20348a2a0000 level : LSA_POLICY_INFO_ROLE (6) rpc request data: [0000] 00 00 00 00 14 00 00 00 00 00 00 00 F0 54 20 34 ........ .....T 4 [0010] 8A 2A 00 00 06 00 .*.... s4_tevent: Schedule immediate event "dcerpc_io_trigger": 0x7fed9c2f22c0 s4_tevent: Added timed event "dcerpc_timeout_handler": 0x7fed9c4d0f90 s4_tevent: Run immediate event "dcerpc_io_trigger": 0x7fed9c2f22c0 s4_tevent: Schedule immediate event "dcerpc_io_trigger": 0x7fed9c2f22c0 num_setup=2, max_setup=0, param_total=0, this_param=0, max_param=0, data_total=46, this_data=46, max_data=4280, param_offset=84, param_pad=2, param_disp=0, data_offset=84, data_pad=0, data_disp=0 s4_tevent: Added timed event "tevent_req_timedout": 0x7fed9c4da450 s4_tevent: Schedule immediate event "tevent_queue_immediate_trigger": 0x7fed9c4cb560 s4_tevent: Run immediate event "dcerpc_io_trigger": 0x7fed9c2f22c0 s4_tevent: Run immediate event "tevent_queue_immediate_trigger": 0x7fed9c4cb560 s4_tevent: Schedule immediate event "tevent_req_trigger": 0x7fed9c4d9fe0 s4_tevent: Run immediate event "tevent_req_trigger": 0x7fed9c4d9fe0 s4_tevent: Destroying timer event 0x7fed9c4da450 "tevent_req_timedout" s4_tevent: Destroying timer event 0x7fed9c4d0f90 "dcerpc_timeout_handler" s4_tevent: Schedule immediate event "tevent_req_trigger": 0x7fed9c3ec3e0 s4_tevent: Run immediate event "tevent_req_trigger": 0x7fed9c3ec3e0 lsa_QueryInfoPolicy2: struct lsa_QueryInfoPolicy2 out: struct lsa_QueryInfoPolicy2 info : * info : * info : union lsa_PolicyInformation(case 6) role: struct lsa_ServerRole role : LSA_ROLE_PRIMARY (3) result : NT_STATUS_OK rpc reply data: [0000] 00 00 02 00 06 00 00 00 03 00 00 00 00 00 00 00 ........ ........ lpcfg_load: refreshing parameters from /usr/share/ipa/smb.conf.empty params.c:pm_process() - Processing configuration file "/usr/share/ipa/smb.conf.empty" Processing section "[global]" INFO: Current debug levels: all: 100 tdb: 100 printdrivers: 100 lanman: 100 smb: 100 rpc_parse: 100 rpc_srv: 100 rpc_cli: 100 passdb: 100 sam: 100 auth: 100 winbind: 100 vfs: 100 idmap: 100 quota: 100 acls: 100 locking: 100 msdfs: 100 dmapi: 100 registry: 100 scavenger: 100 dns: 100 ldb: 100 pm_process() returned Yes added interface docker0 ip=172.17.42.1 bcast=172.17.255.255 netmask=255.255.0.0 added interface ens192 ip=192.168.12.27 bcast=192.168.12.255 netmask=255.255.255.0 added interface docker0 ip=172.17.42.1 bcast=172.17.255.255 netmask=255.255.0.0 added interface ens192 ip=192.168.12.27 bcast=192.168.12.255 netmask=255.255.255.0 added interface docker0 ip=172.17.42.1 bcast=172.17.255.255 netmask=255.255.0.0 added interface ens192 ip=192.168.12.27 bcast=192.168.12.255 netmask=255.255.255.0 added interface docker0 ip=172.17.42.1 bcast=172.17.255.255 netmask=255.255.0.0 added interface ens192 ip=192.168.12.27 bcast=192.168.12.255 netmask=255.255.255.0 finddcs: searching for a DC by DNS domain <a href="http://addomain.com" target="_blank">addomain.com</a> finddcs: looking for SRV records for _ldap._<a href="http://tcp.addomain.com" target="_blank">tcp.addomain.com</a> ads_dns_lookup_srv: 3 records returned in the answer section. ads_dns_parse_rr_srv: Parsed <a href="http://ad.addomain.com" target="_blank">ad.addomain.com</a> [0, 100, 389] ads_dns_parse_rr_srv: Parsed <a href="http://kratos.addomain.com" target="_blank">kratos.addomain.com</a> [0, 100, 389] ads_dns_parse_rr_srv: Parsed <a href="http://beatrice.addomain.com" target="_blank">beatrice.addomain.com</a> [0, 100, 389] Addrs = 192.168.12.236@389/ad,172.16.50.70@389/kratos,192.168.12.239@389 /beatrice finddcs: DNS SRV response 0 at '192.168.12.236' finddcs: DNS SRV response 1 at '172.16.50.70' finddcs: DNS SRV response 2 at '192.168.12.239' finddcs: performing CLDAP query on 192.168.12.236 s4_tevent: Added timed event "tevent_req_timedout": 0x7fed9c4d6230 s4_tevent: Schedule immediate event "tevent_req_trigger": 0x7fed9c4d66e0 s4_tevent: Run immediate event "tevent_req_trigger": 0x7fed9c4d66e0 s4_tevent: Added timed event "tevent_req_timedout": 0x7fed9c4d69b0 s4_tevent: Destroying timer event 0x7fed9c4d69b0 "tevent_req_timedout" s4_tevent: Destroying timer event 0x7fed9c4d6230 "tevent_req_timedout" &response->data.nt5_ex: struct NETLOGON_SAM_LOGON_RESPONSE_EX command : LOGON_SAM_LOGON_RESPONSE_EX (23) sbz : 0x0000 (0) server_type : 0x000031fd (12797) 1: NBT_SERVER_PDC 1: NBT_SERVER_GC 1: NBT_SERVER_LDAP 1: NBT_SERVER_DS 1: NBT_SERVER_KDC 1: NBT_SERVER_TIMESERV 1: NBT_SERVER_CLOSEST 1: NBT_SERVER_WRITABLE 0: NBT_SERVER_GOOD_TIMESERV 0: NBT_SERVER_NDNC 0: NBT_SERVER_SELECT_SECRET_DOMAIN_6 1: NBT_SERVER_FULL_SECRET_DOMAIN_6 1: NBT_SERVER_ADS_WEB_SERVICE 0: NBT_SERVER_HAS_DNS_NAME 0: NBT_SERVER_IS_DEFAULT_NC 0: NBT_SERVER_FOREST_ROOT domain_uuid : 6aac190b-04eb-464f-bdcc-b07e27e2d1e5 forest : '<a href="http://addomain.com" target="_blank">addomain.com</a>' dns_domain : '<a href="http://addomain.com" target="_blank">addomain.com</a>' pdc_dns_name : '<a href="http://ad.addomain.com" target="_blank">ad.addomain.com</a>' domain_name : 'LIBERO' pdc_name : 'ad' user_name : '' server_site : 'Default-First-Site-Name' client_site : 'Default-First-Site-Name' sockaddr_size : 0x00 (0) sockaddr: struct nbt_sockaddr sockaddr_family : 0x00000000 (0) pdc_ip : (null) remaining : DATA_BLOB length=0 next_closest_site : NULL nt_version : 0x00000005 (5) 1: NETLOGON_NT_VERSION_1 0: NETLOGON_NT_VERSION_5 1: NETLOGON_NT_VERSION_5EX 0: NETLOGON_NT_VERSION_5EX_WITH_IP 0: NETLOGON_NT_VERSION_WITH_CLOSEST_SITE 0: NETLOGON_NT_VERSION_AVOID_NT4EMUL 0: NETLOGON_NT_VERSION_PDC 0: NETLOGON_NT_VERSION_IP 0: NETLOGON_NT_VERSION_LOCAL 0: NETLOGON_NT_VERSION_GC lmnt_token : 0xffff (65535) lm20_token : 0xffff (65535) finddcs: Found matching DC 192.168.12.236 with server_type=0x000031fd Using binding ncacn_np:<a href="http://ad.addomain.com" target="_blank">ad.addomain.com</a>[,] s4_tevent: Added timed event "dcerpc_connect_timeout_handler": 0x7fed9c4d4b90 s4_tevent: Added timed event "composite_trigger": 0x7fed9c4d5180 s4_tevent: Added timed event "composite_trigger": 0x7fed9c4d54b0 s4_tevent: Running timer event 0x7fed9c4d5180 "composite_trigger" s4_tevent: Destroying timer event 0x7fed9c4d54b0 "composite_trigger" Mapped to DCERPC endpoint \pipe\lsarpc added interface docker0 ip=172.17.42.1 bcast=172.17.255.255 netmask=255.255.0.0 added interface ens192 ip=192.168.12.27 bcast=192.168.12.255 netmask=255.255.255.0 added interface docker0 ip=172.17.42.1 bcast=172.17.255.255 netmask=255.255.0.0 added interface ens192 ip=192.168.12.27 bcast=192.168.12.255 netmask=255.255.255.0 s4_tevent: Ending timer event 0x7fed9c4d5180 "composite_trigger" s4_tevent: Added timed event "connect_multi_timer": 0x7fed9c4d8b90 s4_tevent: Schedule immediate event "tevent_req_trigger": 0x7fed9c4d5180 s4_tevent: Run immediate event "tevent_req_trigger": 0x7fed9c4d5180 s4_tevent: Destroying timer event 0x7fed9c4d8b90 "connect_multi_timer" Socket options: SO_KEEPALIVE = 0 SO_REUSEADDR = 0 SO_BROADCAST = 0 TCP_NODELAY = 1 TCP_KEEPCNT = 9 TCP_KEEPIDLE = 7200 TCP_KEEPINTVL = 75 IPTOS_LOWDELAY = 0 IPTOS_THROUGHPUT = 0 SO_REUSEPORT = 0 SO_SNDBUF = 23080 SO_RCVBUF = 87380 SO_SNDLOWAT = 1 SO_RCVLOWAT = 1 SO_SNDTIMEO = 0 SO_RCVTIMEO = 0 TCP_QUICKACK = 1 TCP_DEFER_ACCEPT = 0 s4_tevent: Added timed event "tevent_req_timedout": 0x7fed9c4dbfe0 s4_tevent: Schedule immediate event "tevent_queue_immediate_trigger": 0x7fed9c4d8b90 s4_tevent: Run immediate event "tevent_queue_immediate_trigger": 0x7fed9c4d8b90 s4_tevent: Destroying timer event 0x7fed9c4dbfe0 "tevent_req_timedout" Starting GENSEC mechanism spnego Starting GENSEC submechanism gssapi_krb5 Ticket in credentials cache for @IPDOMAIN will expire in 86400 secs GSS client Update(krb5)(1) Update failed: Unspecified GSS failure. Minor code may provide more information: KDC policy rejects request </blockquote></div></div> This means your trust is not working. How did you established trust? Show exact commands. "KDC policy rejects request" means AD DC was unable to complete trust validation. Usually it means it was unable to talk back to IPA master which it discovers via SRV records over DNS. -- / Alexander Bokovoy </blockquote></div> </div><div class="gmail_extra"> </div><div class="gmail_extra">Hi,</div><div class="gmail_extra"> </div><div class="gmail_extra">When i add the turs return this.</div><div class="gmail_extra"> </div><div class="gmail_extra"><div>[root@ipa01 ~]# ipa trust-add --type=ad --admin admin --password</div><div>Realm name: <a href="http://addomain.com">addomain.com</a></div><div>Active directory domain administrator's password:</div><div>-------------------------------------------</div><div>Re-established trust to domain "<a href="http://ADDOMAIN.COM">ADDOMAIN.COM</a>"</div><div>-------------------------------------------</div><div> Realm name: <a href="http://ADDOMAIN.COM">ADDOMAIN.COM</a></div><div> Domain NetBIOS name: ADDOMAIN</div><div> Domain Security Identifier: S-1-5-21-1343024091-2000478354-725345543</div><div> SID blacklist incoming: S-1-0, S-1-1, S-1-2, S-1-3, S-1-5-1, S-1-5-2, S-1-5-3, S-1-5-4, S-1-5-5, S-1-5-6, S-1-5-7, S-1-5-8, S-1-5-9, S-1-5-10, S-1-5-11, S-1-5-12, S-1-5-13, S-1-5-14, S-1-5-15,</div><div> S-1-5-16, S-1-5-17, S-1-5-18, S-1-5-19, S-1-5-20</div><div> SID blacklist outgoing: S-1-0, S-1-1, S-1-2, S-1-3, S-1-5-1, S-1-5-2, S-1-5-3, S-1-5-4, S-1-5-5, S-1-5-6, S-1-5-7, S-1-5-8, S-1-5-9, S-1-5-10, S-1-5-11, S-1-5-12, S-1-5-13, S-1-5-14, S-1-5-15,</div><div> S-1-5-16, S-1-5-17, S-1-5-18, S-1-5-19, S-1-5-20</div><div> Trust direction: Two-way trust</div><div> Trust type: Active Directory domain</div><div> Trust status: Established and verified</div></div></div>