<div dir="ltr">I've solved this error, reading this forum:<br><div><a href="https://www.redhat.com/archives/freeipa-users/2015-July/msg00247.html">https://www.redhat.com/archives/freeipa-users/2015-July/msg00247.html</a><br><div><br></div><div>But now when I try to trust to my Active Directory I see these errors:<br>--------------------<br># ipa trust-add --type=ad <a href="http://mydomain.com">mydomain.com</a> --admin Administrator --password<br>Active Directory domain administrator's password:<br>ipa: ERROR: CIFS server communication error: code "-1073741258",<br>                  message "The connection was refused" (both may be "None")<br></div><div><br></div><div>Here my logs:<br>--------------------<br>==> /var/log/httpd/error_log <==<br>Failed to connect host 192.168.0.65 on port 135 - NT_STATUS_CONNECTION_REFUSED<br>Failed to connect host 192.168.0.65 (<a href="http://srv01.ipa.mydomain.com">srv01.ipa.mydomain.com</a>) on port 135 - NT_STATUS_CONNECTION_REFUSED.<br>[Tue Sep 08 15:01:50.859313 2015] [:error] [pid 2221] ipa: INFO: [jsonserver_kerb] <a href="mailto:admin@IPA.MYDOMAIN.COM">admin@IPA.MYDOMAIN.COM</a>: trust_add(u'<a href="http://mydomain.com">mydomain.com</a>', trust_type=u'ad', realm_admin=u'Administrator', realm_passwd=u'********', all=False, raw=False, version=u'2.112'): RemoteRetrieveError<br><br>==> /var/log/samba/log.192.168.0.65 <==<br>[2015/09/08 15:01:50.833128,  1] ../source3/auth/user_krb5.c:164(get_user_from_kerberos_info)<br>  Username IPA\admin is invalid on this system<br>[2015/09/08 15:01:50.833200,  1] ../source3/auth/auth_generic.c:99(auth3_generate_session_info_pac)<br>  Failed to map kerberos principal to system user (NT_STATUS_LOGON_FAILURE)<br>[2015/09/08 15:01:50.833236,  1] ../source3/smbd/sesssetup.c:276(reply_sesssetup_and_X_spnego)<br>  Failed to generate session_info (user and group token) for session setup: NT_STATUS_ACCESS_DENIED<br>[2015/09/08 15:01:50.852169,  1] 
../source3/auth/user_krb5.c:164(get_user_from_kerberos_info)<br>  Username IPA\admin is invalid on this system<br>[2015/09/08 15:01:50.852222,  1] ../source3/auth/auth_generic.c:99(auth3_generate_session_info_pac)<br>  Failed to map kerberos principal to system user (NT_STATUS_LOGON_FAILURE)<br>[2015/09/08 15:01:50.852256,  1] ../source3/smbd/sesssetup.c:276(reply_sesssetup_and_X_spnego)<br>  Failed to generate session_info (user and group token) for session setup: NT_STATUS_ACCESS_DENIED<br>--------------------<br><br></div><div>I don't see any 135 TCP listening port, doing tcpdump I see that it tries to do a connection in its 135 port.<br></div><div>What am I missing?<br></div><div><br></div><div>Thanks, Morgan<br></div><div><div class="gmail_extra"><br><div class="gmail_quote"><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex"><div><br><table border="0" cellpadding="0" cellspacing="0">
<tbody>
<tr><th align="right" nowrap valign="baseline">Subject:</th>
<td>[Freeipa-users] freeipa cert validation failed, SEC_ERROR_UNTRUSTED_ISSUER</td>
</tr>
<tr><th align="right" nowrap valign="baseline">Date:</th>
<td>Tue, 08 Sep 2015 11:00:49 +0200</td>
</tr>
<tr><th align="right" nowrap valign="baseline"><br></th>
<td><br></td>
</tr>
<tr><th align="right" nowrap valign="baseline">To:</th>
<td>&lt;<a href="mailto:freeipa-users@redhat.com" target="_blank">freeipa-users@redhat.com</a>&gt;</td>
</tr>
</tbody>
</table>
<br>Hi everyone.<br><br>I've a problem with my new freeipa installation, v4.1.0, over RHEL 7 like distribution.<br><br>The installation was ok, but now I've some problems operating via CLI:<br># ipa user-show admin<br>ipa: ERROR: cert validation failed for "CN=<a href="http://srv01.ipa.mydomain.com" target="_blank">srv01.ipa.mydomain.com</a>,O=<a href="http://IPA.MYDOMAIN.COM" target="_blank">IPA.MYDOMAIN.COM</a>" ((SEC_ERROR_UNTRUSTED_ISSUER) Peer's certificate issuer has been marked as not trusted by the user.)<br>ipa: ERROR: cannot connect to '<a href="https://srv01.ipa.mydomain.com/ipa/json" target="_blank">https://srv01.ipa.mydomain.com/ipa/json</a>': (SEC_ERROR_UNTRUSTED_ISSUER) Peer's certificate issuer has been marked as not trusted by the user.<br><br>I've got the same problem connecting via curl, but after doing these commands for curl now it works, but not for ipa cli operations:<br>----------------------<br># certutil -A -d /etc/pki/nssdb -n 'IPA CA' -t CT,C,C -a -i /etc/ipa/ca.crt<br># certutil -L -d /etc/pki/nssdb<br>Certificate Nickname                                         Trust Attributes<br>                                                             SSL,S/MIME,JAR/XPI<br>IPA CA                                                       CT,C,C<br># cp /etc/ipa/ca.crt /etc/pki/ca-trust/source/anchors/<br># update-ca-trust extract<br>----------------------<br><br>And also this command doesn't work:<br># ipa trust-add --type=ad <a href="http://mydomain.com" target="_blank">mydomain.com</a> --admin Administrator --password<br>ipa: ERROR: cert validation failed for "CN=<a href="http://srv01.ipa.mydomain.com" target="_blank">srv01.ipa.mydomain.com</a>,O=<a href="http://IPA.MYDOMAIN.COM" target="_blank">IPA.MYDOMAIN.COM</a>" ((SEC_ERROR_UNTRUSTED_ISSUER) Peer's certificate issuer has been marked as not trusted by the user.)<br>ipa: ERROR: cannot connect to '<a href="https://srv01.ipa.mydomain.com/ipa/json" 
target="_blank">https://srv01.ipa.mydomain.com/ipa/json</a>': (SEC_ERROR_UNTRUSTED_ISSUER) Peer's certificate issuer has been marked as not trusted by the user.<br><br>So ... what's the problem?<br><br>Let me know, thanks.<br>Morgan<br></div></blockquote></div></div></div></div></div>