[Freeipa-users] Trouble verifying domain trust IPA 3.0, AD 2012

Sumit Bose sbose at redhat.com
Fri Mar 15 09:52:14 UTC 2013


On Fri, Mar 15, 2013 at 09:38:04AM +0000, Dale Macartney wrote:
> 
> 
> Morning all
> 
> I have setup the domain trust set up and have errors when trying to map
> groups from AD to IPA
> 
> Environment is IPA 3.0 on RHEL 6.4 and Windows 2012
> 
> When adding groups, I get the following.
> 
> [root at ds01 ~]# ipa group-add --desc='Active Directory Domain Admins
> external map' domain_admins_map --external
> [root at ds01 ~]# ipa group-add-member domain_admins_map --external
> 'NT\Domain Admins'
> [member user]:
> [member group]:
> ipa: ERROR: cannot connect to
> u'https://ds01.example.com/ipa/session/xml': Internal Server Error
> [root at ds01 ~]#
> 
> When the above error occurs I see the following in /var/log/httpd/error_log
> 
> ==> /var/log/httpd/error_log <==
> [Fri Mar 15 09:35:15 2013] [error] ipa: ERROR: release_ipa_ccache:
> ccache_name (FILE:/var/run/ipa_memcached/krbcc_5374) != KRB5CCNAME
> environment variable (/var/run/ipa_memcached/krbcc_TDN)
> [Fri Mar 15 09:35:15 2013] [error] [client 10.0.1.11] mod_wsgi
> (pid=5374): Exception occurred processing WSGI script
> '/usr/share/ipa/wsgi.py'.
> [Fri Mar 15 09:35:15 2013] [error] [client 10.0.1.11] Traceback (most
> recent call last):
> [Fri Mar 15 09:35:15 2013] [error] [client 10.0.1.11]   File
> "/usr/share/ipa/wsgi.py", line 49, in application
> [Fri Mar 15 09:35:15 2013] [error] [client 10.0.1.11]     return
> api.Backend.wsgi_dispatch(environ, start_response)
> [Fri Mar 15 09:35:15 2013] [error] [client 10.0.1.11]   File
> "/usr/lib/python2.6/site-packages/ipaserver/rpcserver.py", line 248, in
> __call__
> [Fri Mar 15 09:35:15 2013] [error] [client 10.0.1.11]     return
> self.route(environ, start_response)
> [Fri Mar 15 09:35:15 2013] [error] [client 10.0.1.11]   File
> "/usr/lib/python2.6/site-packages/ipaserver/rpcserver.py", line 260, in
> route
> [Fri Mar 15 09:35:15 2013] [error] [client 10.0.1.11]     return
> app(environ, start_response)
> [Fri Mar 15 09:35:15 2013] [error] [client 10.0.1.11]   File
> "/usr/lib/python2.6/site-packages/ipaserver/rpcserver.py", line 1193, in
> __call__
> [Fri Mar 15 09:35:15 2013] [error] [client 10.0.1.11]     response =
> super(xmlserver_session, self).__call__(environ, start_response)
> [Fri Mar 15 09:35:15 2013] [error] [client 10.0.1.11]   File
> "/usr/lib/python2.6/site-packages/ipaserver/rpcserver.py", line 709, in
> __call__
> [Fri Mar 15 09:35:15 2013] [error] [client 10.0.1.11]     response =
> super(xmlserver, self).__call__(environ, start_response)
> [Fri Mar 15 09:35:15 2013] [error] [client 10.0.1.11]   File
> "/usr/lib/python2.6/site-packages/ipaserver/rpcserver.py", line 375, in
> __call__
> [Fri Mar 15 09:35:15 2013] [error] [client 10.0.1.11]     response =
> self.wsgi_execute(environ)
> [Fri Mar 15 09:35:15 2013] [error] [client 10.0.1.11]   File
> "/usr/lib/python2.6/site-packages/ipaserver/rpcserver.py", line 334, in
> wsgi_execute
> [Fri Mar 15 09:35:15 2013] [error] [client 10.0.1.11]     result =
> self.Command[name](*args, **options)
> [Fri Mar 15 09:35:15 2013] [error] [client 10.0.1.11]   File
> "/usr/lib/python2.6/site-packages/ipalib/frontend.py", line 435, in __call__
> [Fri Mar 15 09:35:15 2013] [error] [client 10.0.1.11]     ret =
> self.run(*args, **options)
> [Fri Mar 15 09:35:15 2013] [error] [client 10.0.1.11]   File
> "/usr/lib/python2.6/site-packages/ipalib/frontend.py", line 747, in run
> [Fri Mar 15 09:35:15 2013] [error] [client 10.0.1.11]     return
> self.execute(*args, **options)
> [Fri Mar 15 09:35:15 2013] [error] [client 10.0.1.11]   File
> "/usr/lib/python2.6/site-packages/ipalib/plugins/baseldap.py", line
> 1590, in execute
> [Fri Mar 15 09:35:15 2013] [error] [client 10.0.1.11]     **options)
> [Fri Mar 15 09:35:15 2013] [error] [client 10.0.1.11]   File
> "/usr/lib/python2.6/site-packages/ipalib/plugins/group.py", line 387, in
> post_callback
> [Fri Mar 15 09:35:15 2013] [error] [client 10.0.1.11]     actual_sid =
> domain_validator.get_sid_trusted_domain_object(sid)
> [Fri Mar 15 09:35:15 2013] [error] [client 10.0.1.11]   File
> "/usr/lib/python2.6/site-packages/ipaserver/dcerpc.py", line 212, in
> get_sid_trusted_domain_object
> [Fri Mar 15 09:35:15 2013] [error] [client 10.0.1.11]     entry =
> self.resolve_against_gc(domain, components['name'])
> [Fri Mar 15 09:35:15 2013] [error] [client 10.0.1.11]   File
> "/usr/lib/python2.6/site-packages/ipaserver/dcerpc.py", line 285, in
> resolve_against_gc
> [Fri Mar 15 09:35:15 2013] [error] [client 10.0.1.11]     entry =
> self.__resolve_against_gc(info, host, port, name)
> [Fri Mar 15 09:35:15 2013] [error] [client 10.0.1.11]   File
> "/usr/lib/python2.6/site-packages/ipaserver/dcerpc.py", line 315, in
> __resolve_against_gc
> [Fri Mar 15 09:35:15 2013] [error] [client 10.0.1.11]    
> conn.sasl_interactive_bind_s(None, sasl_auth)
> [Fri Mar 15 09:35:15 2013] [error] [client 10.0.1.11]   File
> "/usr/lib/python2.6/site-packages/ipaserver/plugins/ldap2.py", line 566,
> in sasl_interactive_bind_s
> [Fri Mar 15 09:35:15 2013] [error] [client 10.0.1.11]     return
> self.conn.sasl_interactive_bind_s(who, auth, serverctrls, clientctrls,
> sasl_flags)
> [Fri Mar 15 09:35:15 2013] [error] [client 10.0.1.11]   File
> "/usr/lib64/python2.6/site-packages/ldap/ldapobject.py", line 227, in
> sasl_interactive_bind_s
> [Fri Mar 15 09:35:15 2013] [error] [client 10.0.1.11]     return
> self._ldap_call(self._l.sasl_interactive_bind_s,who,auth,EncodeControlTuples(serverctrls),EncodeControlTuples(clientctrls),sasl_flags)
> [Fri Mar 15 09:35:15 2013] [error] [client 10.0.1.11]   File
> "/usr/lib64/python2.6/site-packages/ldap/ldapobject.py", line 96, in
> _ldap_call
> [Fri Mar 15 09:35:15 2013] [error] [client 10.0.1.11]     result =
> func(*args,**kwargs)
> [Fri Mar 15 09:35:15 2013] [error] [client 10.0.1.11] LOCAL_ERROR:
> {'info': 'SASL(-1): generic failure: GSSAPI Error: Unspecified GSS
> failure.  Minor code may provide more information (Server
> ldap/dc01.nt.example.com at EXAMPLE.COM not found in Kerberos database)',
> 'desc': 'Local error'}

Looks like your AD domain is DNS-wise a subdomain of the FreeIPA domain
example.com. Please try to add something like

 .nt.example.com = NT.EXAMPLE.COM
 nt.example.com = NT.EXAMPLE.COM

to the [domain_realm] section in /etc/krb5.conf. SSSD should have
created an include file with this information, but due to some errors it
is not read in the 6.4 version.

HTH

bye,
Sumit

> 
> 
> Just to clarify, iptables has been flushed and selinux is currently
> permissive. Running latest patches from RHN as of 2013/03/14
> 
> Any thoughts?
> 
> Dale
> 
> 
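The mapping problem Sumit points at, as an added example that is not from the thread, FreeIPA or MIT Kerberos: a small Python model of the krb5.conf [domain_realm] lookup (exact host first, then parent domains with a leading dot, most specific first, then the upper-cased parent domain as fallback). The "before" mapping is an assumption of what the IPA installer writes for its own domain; host and realm names are the ones from the traceback and the reply.

```python
"""Model of libkrb5's [domain_realm] host-to-realm mapping, used to show why
ldap/dc01.nt.example.com was looked up in EXAMPLE.COM and how the two lines
suggested in the reply change the result.  Added example, not project code."""
import re

# Assumption (constructed): before the fix only the IPA domain is mapped.
DOMAIN_REALM_BEFORE = {
    ".example.com": "EXAMPLE.COM",
    "example.com": "EXAMPLE.COM",
}

# Same mapping with the two entries from the reply added.
DOMAIN_REALM_AFTER = dict(DOMAIN_REALM_BEFORE, **{
    ".nt.example.com": "NT.EXAMPLE.COM",
    "nt.example.com": "NT.EXAMPLE.COM",
})


def realm_for_host(host, domain_realm):
    """Exact host name first, then each parent domain with a leading dot,
    most specific first.  With no entry, fall back to the upper-cased parent
    domain (the libkrb5 default when neither config nor DNS applies)."""
    host = host.lower().rstrip(".")
    if host in domain_realm:
        return domain_realm[host]
    labels = host.split(".")
    for i in range(1, len(labels)):
        suffix = "." + ".".join(labels[i:])
        if suffix in domain_realm:
            return domain_realm[suffix]
    return ".".join(labels[1:]).upper()


def parse_domain_realm(krb5_conf_text):
    """Parse only the [domain_realm] section of krb5.conf-style text."""
    mapping, in_section = {}, False
    for line in krb5_conf_text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        m = re.match(r"\[(\w+)\]$", line)
        if m:
            in_section = m.group(1) == "domain_realm"
            continue
        if in_section and "=" in line:
            key, _, value = line.partition("=")
            mapping[key.strip().lower()] = value.strip()
    return mapping


def service_principal(service, host, domain_realm):
    """Principal the client asks the KDC for, e.g. ldap/host@REALM."""
    return "%s/%s@%s" % (service, host, realm_for_host(host, domain_realm))
```

With the "before" mapping the DC in the AD subdomain falls through to `.example.com`, so the client asks the IPA KDC for `ldap/dc01.nt.example.com@EXAMPLE.COM`, which is exactly the principal the error says is missing; with the two added entries the more specific `.nt.example.com` wins and the request goes to the AD realm.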
