[Freeipa-devel] [PATCH] 0170 AD Trust: improve trust validation

Tomas Babej tbabej at redhat.com
Tue Nov 25 11:24:42 UTC 2014


On 11/24/2014 02:23 PM, Alexander Bokovoy wrote:
> Hi,
>
> Trust validation requires AD DC to contact IPA server to verify that
> trust account actually works. It can fail due to DNS or firewall issue
> or if AD DC was able to resolve IPA master(s) via SRV records, it still
> may contact a replica that has no trust data replicated yet.
>
> In case AD DC still returns 'access denied', wait 5 seconds and try
> validation again.  Repeat validation until we hit a limit of 10
> attempts, at which point raise exception telling what's happening.
>
> https://fedorahosted.org/freeipa/ticket/4764

ACK, works fine.

In the broken setup, we now correctly output:

[tbabej at vm-093 labtool]$ echo $AD_PASSWORD | ipa trust-add --type=ad $AD_DOMAIN --admin Administrator --password

ipa: ERROR: AD DC was unable to reach any IPA domain controller. Most likely it is a DNS or firewall issue

Pushed to:
master: ed3dddab870563b398400b05af3d945e8fc2ec9d
ipa-4-1: 538e023107ed307142ca7302ff34106c53afa932

-- 
Tomas Babej
Associate Software Engineer | Red Hat | Identity Management
RHCE | Brno Site | IRC: tbabej | freeipa.org 
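
The retry behaviour described in the quoted patch summary (wait 5 seconds after 'access denied', stop after 10 attempts), as an added example that is not the patch itself or FreeIPA code. All names (AccessDenied, TrustValidationError, validate_with_retry, replica_catches_up) are hypothetical, and reusing the error text shown above for the final exception is an assumption.

```python
# Added illustration; every name here is hypothetical, not a FreeIPA API.
import time


class AccessDenied(Exception):
    """Constructed stand-in for the 'access denied' answer from the AD DC."""


class TrustValidationError(Exception):
    """Raised once the attempt limit is exhausted."""


def validate_with_retry(validate, attempts=10, delay=5, sleep=time.sleep):
    """Call validate() until it succeeds or `attempts` calls were denied.

    Only AccessDenied is retried: it is the one failure that a replica
    catching up on trust data can clear. Any other exception propagates
    immediately so unrelated errors are not hidden behind the wait.
    """
    for attempt in range(1, attempts + 1):
        try:
            return validate()
        except AccessDenied:
            if attempt < attempts:  # no pointless wait after the last try
                sleep(delay)
    # Assumption: the message mirrors the CLI output quoted in the reply.
    raise TrustValidationError(
        "AD DC was unable to reach any IPA domain controller. "
        "Most likely it is a DNS or firewall issue")


def replica_catches_up(after):
    """Constructed validator: denied `after` times, then succeeds."""
    calls = {"n": 0}

    def validate():
        calls["n"] += 1
        if calls["n"] <= after:
            raise AccessDenied()
        return calls["n"]  # number of the call that succeeded

    return validate


if __name__ == "__main__":
    waits = []  # record delays instead of really sleeping
    print(validate_with_retry(replica_catches_up(3), sleep=waits.append), waits)
```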
