[Freeipa-users] Trouble verifying domain trust IPA 3.0, AD 2012

Dale Macartney dale at themacartneyclan.com
Fri Mar 15 09:38:04 UTC 2013


Morning all

I have set up the domain trust and have errors when trying to map
groups from AD to IPA.

Environment is IPA 3.0 on RHEL 6.4 and Windows 2012.

When adding groups, I get the following.

[root@ds01 ~]# ipa group-add --desc='Active Directory Domain Admins external map' domain_admins_map --external
[root@ds01 ~]# ipa group-add-member domain_admins_map --external 'NT\Domain Admins'
[member user]:
[member group]:
ipa: ERROR: cannot connect to u'https://ds01.example.com/ipa/session/xml': Internal Server Error
[root@ds01 ~]#

When the above error occurs I see the following in /var/log/httpd/error_log:

==> /var/log/httpd/error_log <==
[Fri Mar 15 09:35:15 2013] [error] ipa: ERROR: release_ipa_ccache: ccache_name (FILE:/var/run/ipa_memcached/krbcc_5374) != KRB5CCNAME environment variable (/var/run/ipa_memcached/krbcc_TDN)
[Fri Mar 15 09:35:15 2013] [error] [client 10.0.1.11] mod_wsgi (pid=5374): Exception occurred processing WSGI script '/usr/share/ipa/wsgi.py'.
[Fri Mar 15 09:35:15 2013] [error] [client 10.0.1.11] Traceback (most recent call last):
[Fri Mar 15 09:35:15 2013] [error] [client 10.0.1.11]   File "/usr/share/ipa/wsgi.py", line 49, in application
[Fri Mar 15 09:35:15 2013] [error] [client 10.0.1.11]     return api.Backend.wsgi_dispatch(environ, start_response)
[Fri Mar 15 09:35:15 2013] [error] [client 10.0.1.11]   File "/usr/lib/python2.6/site-packages/ipaserver/rpcserver.py", line 248, in __call__
[Fri Mar 15 09:35:15 2013] [error] [client 10.0.1.11]     return self.route(environ, start_response)
[Fri Mar 15 09:35:15 2013] [error] [client 10.0.1.11]   File "/usr/lib/python2.6/site-packages/ipaserver/rpcserver.py", line 260, in route
[Fri Mar 15 09:35:15 2013] [error] [client 10.0.1.11]     return app(environ, start_response)
[Fri Mar 15 09:35:15 2013] [error] [client 10.0.1.11]   File "/usr/lib/python2.6/site-packages/ipaserver/rpcserver.py", line 1193, in __call__
[Fri Mar 15 09:35:15 2013] [error] [client 10.0.1.11]     response = super(xmlserver_session, self).__call__(environ, start_response)
[Fri Mar 15 09:35:15 2013] [error] [client 10.0.1.11]   File "/usr/lib/python2.6/site-packages/ipaserver/rpcserver.py", line 709, in __call__
[Fri Mar 15 09:35:15 2013] [error] [client 10.0.1.11]     response = super(xmlserver, self).__call__(environ, start_response)
[Fri Mar 15 09:35:15 2013] [error] [client 10.0.1.11]   File "/usr/lib/python2.6/site-packages/ipaserver/rpcserver.py", line 375, in __call__
[Fri Mar 15 09:35:15 2013] [error] [client 10.0.1.11]     response = self.wsgi_execute(environ)
[Fri Mar 15 09:35:15 2013] [error] [client 10.0.1.11]   File "/usr/lib/python2.6/site-packages/ipaserver/rpcserver.py", line 334, in wsgi_execute
[Fri Mar 15 09:35:15 2013] [error] [client 10.0.1.11]     result = self.Command[name](*args, **options)
[Fri Mar 15 09:35:15 2013] [error] [client 10.0.1.11]   File "/usr/lib/python2.6/site-packages/ipalib/frontend.py", line 435, in __call__
[Fri Mar 15 09:35:15 2013] [error] [client 10.0.1.11]     ret = self.run(*args, **options)
[Fri Mar 15 09:35:15 2013] [error] [client 10.0.1.11]   File "/usr/lib/python2.6/site-packages/ipalib/frontend.py", line 747, in run
[Fri Mar 15 09:35:15 2013] [error] [client 10.0.1.11]     return self.execute(*args, **options)
[Fri Mar 15 09:35:15 2013] [error] [client 10.0.1.11]   File "/usr/lib/python2.6/site-packages/ipalib/plugins/baseldap.py", line 1590, in execute
[Fri Mar 15 09:35:15 2013] [error] [client 10.0.1.11]     **options)
[Fri Mar 15 09:35:15 2013] [error] [client 10.0.1.11]   File "/usr/lib/python2.6/site-packages/ipalib/plugins/group.py", line 387, in post_callback
[Fri Mar 15 09:35:15 2013] [error] [client 10.0.1.11]     actual_sid = domain_validator.get_sid_trusted_domain_object(sid)
[Fri Mar 15 09:35:15 2013] [error] [client 10.0.1.11]   File "/usr/lib/python2.6/site-packages/ipaserver/dcerpc.py", line 212, in get_sid_trusted_domain_object
[Fri Mar 15 09:35:15 2013] [error] [client 10.0.1.11]     entry = self.resolve_against_gc(domain, components['name'])
[Fri Mar 15 09:35:15 2013] [error] [client 10.0.1.11]   File "/usr/lib/python2.6/site-packages/ipaserver/dcerpc.py", line 285, in resolve_against_gc
[Fri Mar 15 09:35:15 2013] [error] [client 10.0.1.11]     entry = self.__resolve_against_gc(info, host, port, name)
[Fri Mar 15 09:35:15 2013] [error] [client 10.0.1.11]   File "/usr/lib/python2.6/site-packages/ipaserver/dcerpc.py", line 315, in __resolve_against_gc
[Fri Mar 15 09:35:15 2013] [error] [client 10.0.1.11]     conn.sasl_interactive_bind_s(None, sasl_auth)
[Fri Mar 15 09:35:15 2013] [error] [client 10.0.1.11]   File "/usr/lib/python2.6/site-packages/ipaserver/plugins/ldap2.py", line 566, in sasl_interactive_bind_s
[Fri Mar 15 09:35:15 2013] [error] [client 10.0.1.11]     return self.conn.sasl_interactive_bind_s(who, auth, serverctrls, clientctrls, sasl_flags)
[Fri Mar 15 09:35:15 2013] [error] [client 10.0.1.11]   File "/usr/lib64/python2.6/site-packages/ldap/ldapobject.py", line 227, in sasl_interactive_bind_s
[Fri Mar 15 09:35:15 2013] [error] [client 10.0.1.11]     return self._ldap_call(self._l.sasl_interactive_bind_s,who,auth,EncodeControlTuples(serverctrls),EncodeControlTuples(clientctrls),sasl_flags)
[Fri Mar 15 09:35:15 2013] [error] [client 10.0.1.11]   File "/usr/lib64/python2.6/site-packages/ldap/ldapobject.py", line 96, in _ldap_call
[Fri Mar 15 09:35:15 2013] [error] [client 10.0.1.11]     result = func(*args,**kwargs)
[Fri Mar 15 09:35:15 2013] [error] [client 10.0.1.11] LOCAL_ERROR: {'info': 'SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure.  Minor code may provide more information (Server ldap/dc01.nt.example.com@EXAMPLE.COM not found in Kerberos database)', 'desc': 'Local error'}


Just to clarify, iptables has been flushed and SELinux is currently
permissive. Running latest patches from RHN as of 2013/03/14.

Any thoughts?

Dale
