<div dir="ltr"><div><div>Now all is ok :) # ipa trust-add --type=ad <a href="http://mydomain.com">mydomain.com</a> --admin Administrator --password Active Directory domain administrator's password: ------------------------------------------------------- Added Active Directory trust for realm "<a href="http://mydomain.com">mydomain.com</a>" ------------------------------------------------------- Realm name: <a href="http://mydomain.com">mydomain.com</a> Domain NetBIOS name: MYDOMAIN Domain Security Identifier: S-x-x-xx-xxxxxxxxxx-xxxxxxxxxx-xxxxxxxxx SID blacklist incoming: S-x-x-xx, S-x-x-x, S-x-x-x, S-x-x-x, S-x-x-x, S-x-x-x, S-x-x-x, S-x-x-x, S-x-x-x, S-x-x-x, S-x-x-xx, S-x-x-xx, S-x-x-xx, S-x-x-xx, S-x-x-xx, S-x-x-xx, S-x-x-xx, S-x-x-xx, S-x-x, S-x-x, S-x-x, S-x-x, S-x-x-xx, S-x-x-xx SID blacklist outgoing: S-x-x-xx, S-x-x-x, S-x-x-x, S-x-x-x, S-x-x-x, S-x-x-x, S-x-x-x, S-x-x-x, S-x-x-x, S-x-x-x, S-x-x-xx, S-x-x-xx, S-x-x-xx, S-x-x-xx, S-x-x-xx, S-x-x-xx, S-x-x-xx, S-x-x-xx, S-x-x, S-x-x, S-x-x, S-x-x, S-x-x-xx, S-x-x-xx Trust direction: Two-way trust Trust type: Active Directory domain Trust status: Established and verified </div>Thanks for your support. </div>Morgan </div><div class="gmail_extra"> <div class="gmail_quote">2015-09-09 18:53 GMT+02:00 Alexander Bokovoy <<a href="mailto:abokovoy@redhat.com" target="_blank">abokovoy@redhat.com</a>>: <blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">On Wed, 09 Sep 2015, Morgan Marodin wrote: <blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"> Hi Alexander IPv6 stack is disabled on my RHEL like distro, v 7 x64, but is enable on my WIndows 2012. I have read in a freeipa article to disable IPv6. </blockquote> Sorry, and why you did decide to disable IPv6 stack? FreeIPA article explicitly talks about not disabling IPv6. Samba and FreeIPA LDAP code require working IPv6 stack on the machine. You can have a system without IPv6 addresses but do not disable the infrastructure. All contemporary networking applications are written with the idea that you can use IPv6-only functions and work on both IPv4 and IPv6 at the same time. See ipv6(7) manual page: ---- IPv4 connections can be handled with the v6 API by using the v4-mapped-on-v6 address type; thus a program needs to support only this API type to support both protocols. This is handled transparently by the address handling functions in the C library. IPv4 and IPv6 share the local port space. When you get an IPv4 connection or packet to a IPv6 socket, its source address will be mapped to v6 and it will be mapped to v6. ----<div class="HOEnZb"><div class="h5"> <blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"> I've 2 Domain Controller with Windows Server 2012 and (at this time) one new freeipa server, just installed, in the same network. AD REALM is <a href="http://MYDOMAIN.COM" rel="noreferrer" target="_blank">MYDOMAIN.COM</a> and IPA REALM is <a href="http://IPA.MYDOMAIN.COM" rel="noreferrer" target="_blank">IPA.MYDOMAIN.COM</a>. I've installed bind in IPA that contains only <a href="http://ipa.mydomain.com" rel="noreferrer" target="_blank">ipa.mydomain.com</a> zone. In AD servers is configured <a href="http://mydomain.com" rel="noreferrer" target="_blank">mydomain.com</a> zone, with <a href="http://ipa.mydomain.com" rel="noreferrer" target="_blank">ipa.mydomain.com</a> delegation to linux server (192.168.0.65). </blockquote> <blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"> Do you have other question of my setup? Let me know, thanks. Morgan 2015-09-09 16:01 GMT+02:00 Alexander Bokovoy <<a href="mailto:abokovoy@redhat.com" target="_blank">abokovoy@redhat.com</a>>: <blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"> On Wed, 09 Sep 2015, Morgan Marodin wrote: <blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"> Hi Alexander. Ok, after enabling debugging I have these logs: ------------------------------------------------------------------- ==> /var/log/httpd/error_log <== INFO: Current debug levels: all: 100 tdb: 100 printdrivers: 100 lanman: 100 smb: 100 rpc_parse: 100 rpc_srv: 100 rpc_cli: 100 passdb: 100 sam: 100 auth: 100 winbind: 100 vfs: 100 idmap: 100 quota: 100 acls: 100 locking: 100 msdfs: 100 dmapi: 100 registry: 100 scavenger: 100 dns: 100 ldb: 100 pm_process() returned Yes GENSEC backend 'gssapi_spnego' registered GENSEC backend 'gssapi_krb5' registered GENSEC backend 'gssapi_krb5_sasl' registered GENSEC backend 'sasl-DIGEST-MD5' registered GENSEC backend 'spnego' registered GENSEC backend 'schannel' registered GENSEC backend 'sasl-EXTERNAL' registered GENSEC backend 'ntlmssp' registered Using binding ncacn_np:<a href="http://srv01.ipa.mydomain.com" rel="noreferrer" target="_blank">srv01.ipa.mydomain.com</a>[,] s4_tevent: Added timed event "dcerpc_connect_timeout_handler": 0x7f8a3c224990 s4_tevent: Added timed event "composite_trigger": 0x7f8a3c042170 s4_tevent: Added timed event "composite_trigger": 0x7f8a3c25b4a0 s4_tevent: Running timer event 0x7f8a3c042170 "composite_trigger" s4_tevent: Destroying timer event 0x7f8a3c25b4a0 "composite_trigger" Mapped to DCERPC endpoint \pipe\lsarpc added interface eth0 ip=192.168.0.65 bcast=192.168.0.255 netmask=255.255.255.0 added interface eth0 ip=192.168.0.65 bcast=192.168.0.255 netmask=255.255.255.0 </blockquote> Do you have IPv6 stack enabled? [2015/09/09 08:45:<a href="tel:05.032211" value="+3905032211" target="_blank">05.032211</a>, 50, pid=11196, effective(0, 0), real(0, 0)] <blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"> ../lib/util/tevent_debug.c:63(samba_tevent_debug) s3_tevent: Schedule immediate event "tevent_req_trigger": 0x7f7118a92cf0 [2015/09/09 08:45:<a href="tel:05.032282" value="+3905032282" target="_blank">05.032282</a>, 50, pid=11196, effective(0, 0), real(0, 0)] ../lib/util/tevent_debug.c:63(samba_tevent_debug) s3_tevent: Run immediate event "tevent_req_trigger": 0x7f7118a92cf0 [2015/09/09 08:45:<a href="tel:05.032353" value="+3905032353" target="_blank">05.032353</a>, 4, pid=11196, effective(217400000, 217400000), real(217400000, 0)] ../source3/smbd/sec_ctx.c:424(pop_sec_ctx) pop_sec_ctx (217400000, 217400000) - sec_ctx_stack_ndx = 0 [2015/09/09 08:45:<a href="tel:05.032421" value="+3905032421" target="_blank">05.032421</a>, 2, pid=11196, effective(217400000, 217400000), real(217400000, 0), class=rpc_srv] ../source3/rpc_server/rpc_ncacn_np.c:630(make_external_rpc_pipe_p) tstream_npa_connect_recv to /run/samba/ncalrpc/np for pipe lsarpc and user IPA\admin failed: No such file or directory </blockquote> I'm particularly worrying about his one -- /run/samba/ncalrpc/np pipe has to be there. Can you explain what is your setup in detail? -- / Alexander Bokovoy </blockquote> -- Morgan Marodin email: <a href="mailto:morgan@marodin.it" target="_blank">morgan@marodin.it</a> mobile: <a href="tel:%2B39.3477829069" value="+393477829069" target="_blank">+39.3477829069</a> </blockquote> </div></div> -- / Alexander Bokovoy </blockquote></div> -- <div class="gmail_signature">Morgan Marodin email: <a href="mailto:morgan@marodin.it" target="_blank">morgan@marodin.it</a> mobile: +39.3477829069 </div> </div>