[Freeipa-users] Trouble verifying domain trust IPA 3.0, AD 2012

Dale Macartney dale at themacartneyclan.com
Fri Mar 15 10:03:57 UTC 2013


On 03/15/2013 09:52 AM, Sumit Bose wrote:
> On Fri, Mar 15, 2013 at 09:38:04AM +0000, Dale Macartney wrote:
>>
> Morning all
>
> I have setup the domain trust set up and have errors when trying to map
> groups from AD to IPA
>
> Environment is IPA 3.0 on RHEL 6.4 and Windows 2012
>
> When adding groups, I get the following.
>
> [root at ds01 ~]# ipa group-add --desc='Active Directory Domain Admins
> external map' domain_admins_map --external
> [root at ds01 ~]# ipa group-add-member domain_admins_map --external
> 'NT\Domain Admins'
> [member user]:
> [member group]:
> ipa: ERROR: cannot connect to
> u'https://ds01.example.com/ipa/session/xml': Internal Server Error
> [root at ds01 ~]#
>
> When the above error occurs I see the following in
> /var/log/httpd/error_log
>
> ==> /var/log/httpd/error_log <==
> [Fri Mar 15 09:35:15 2013] [error] ipa: ERROR: release_ipa_ccache:
> ccache_name (FILE:/var/run/ipa_memcached/krbcc_5374) != KRB5CCNAME
> environment variable (/var/run/ipa_memcached/krbcc_TDN)
> [Fri Mar 15 09:35:15 2013] [error] [client 10.0.1.11] mod_wsgi
> (pid=5374): Exception occurred processing WSGI script
> '/usr/share/ipa/wsgi.py'.
> [Fri Mar 15 09:35:15 2013] [error] [client 10.0.1.11] Traceback (most
> recent call last):
> [Fri Mar 15 09:35:15 2013] [error] [client 10.0.1.11] File
> "/usr/share/ipa/wsgi.py", line 49, in application
> [Fri Mar 15 09:35:15 2013] [error] [client 10.0.1.11] return
> api.Backend.wsgi_dispatch(environ, start_response)
> [Fri Mar 15 09:35:15 2013] [error] [client 10.0.1.11] File
> "/usr/lib/python2.6/site-packages/ipaserver/rpcserver.py", line 248, in
> __call__
> [Fri Mar 15 09:35:15 2013] [error] [client 10.0.1.11] return
> self.route(environ, start_response)
> [Fri Mar 15 09:35:15 2013] [error] [client 10.0.1.11] File
> "/usr/lib/python2.6/site-packages/ipaserver/rpcserver.py", line 260, in
> route
> [Fri Mar 15 09:35:15 2013] [error] [client 10.0.1.11] return
> app(environ, start_response)
> [Fri Mar 15 09:35:15 2013] [error] [client 10.0.1.11] File
> "/usr/lib/python2.6/site-packages/ipaserver/rpcserver.py", line 1193, in
> __call__
> [Fri Mar 15 09:35:15 2013] [error] [client 10.0.1.11] response =
> super(xmlserver_session, self).__call__(environ, start_response)
> [Fri Mar 15 09:35:15 2013] [error] [client 10.0.1.11] File
> "/usr/lib/python2.6/site-packages/ipaserver/rpcserver.py", line 709, in
> __call__
> [Fri Mar 15 09:35:15 2013] [error] [client 10.0.1.11] response =
> super(xmlserver, self).__call__(environ, start_response)
> [Fri Mar 15 09:35:15 2013] [error] [client 10.0.1.11] File
> "/usr/lib/python2.6/site-packages/ipaserver/rpcserver.py", line 375, in
> __call__
> [Fri Mar 15 09:35:15 2013] [error] [client 10.0.1.11] response =
> self.wsgi_execute(environ)
> [Fri Mar 15 09:35:15 2013] [error] [client 10.0.1.11] File
> "/usr/lib/python2.6/site-packages/ipaserver/rpcserver.py", line 334, in
> wsgi_execute
> [Fri Mar 15 09:35:15 2013] [error] [client 10.0.1.11] result =
> self.Command[name](*args, **options)
> [Fri Mar 15 09:35:15 2013] [error] [client 10.0.1.11] File
> "/usr/lib/python2.6/site-packages/ipalib/frontend.py", line 435, in
> __call__
> [Fri Mar 15 09:35:15 2013] [error] [client 10.0.1.11] ret =
> self.run(*args, **options)
> [Fri Mar 15 09:35:15 2013] [error] [client 10.0.1.11] File
> "/usr/lib/python2.6/site-packages/ipalib/frontend.py", line 747, in run
> [Fri Mar 15 09:35:15 2013] [error] [client 10.0.1.11] return
> self.execute(*args, **options)
> [Fri Mar 15 09:35:15 2013] [error] [client 10.0.1.11] File
> "/usr/lib/python2.6/site-packages/ipalib/plugins/baseldap.py", line
> 1590, in execute
> [Fri Mar 15 09:35:15 2013] [error] [client 10.0.1.11] **options)
> [Fri Mar 15 09:35:15 2013] [error] [client 10.0.1.11] File
> "/usr/lib/python2.6/site-packages/ipalib/plugins/group.py", line 387, in
> post_callback
> [Fri Mar 15 09:35:15 2013] [error] [client 10.0.1.11] actual_sid =
> domain_validator.get_sid_trusted_domain_object(sid)
> [Fri Mar 15 09:35:15 2013] [error] [client 10.0.1.11] File
> "/usr/lib/python2.6/site-packages/ipaserver/dcerpc.py", line 212, in
> get_sid_trusted_domain_object
> [Fri Mar 15 09:35:15 2013] [error] [client 10.0.1.11] entry =
> self.resolve_against_gc(domain, components['name'])
> [Fri Mar 15 09:35:15 2013] [error] [client 10.0.1.11] File
> "/usr/lib/python2.6/site-packages/ipaserver/dcerpc.py", line 285, in
> resolve_against_gc
> [Fri Mar 15 09:35:15 2013] [error] [client 10.0.1.11] entry =
> self.__resolve_against_gc(info, host, port, name)
> [Fri Mar 15 09:35:15 2013] [error] [client 10.0.1.11] File
> "/usr/lib/python2.6/site-packages/ipaserver/dcerpc.py", line 315, in
> __resolve_against_gc
> [Fri Mar 15 09:35:15 2013] [error] [client 10.0.1.11]
> conn.sasl_interactive_bind_s(None, sasl_auth)
> [Fri Mar 15 09:35:15 2013] [error] [client 10.0.1.11] File
> "/usr/lib/python2.6/site-packages/ipaserver/plugins/ldap2.py", line 566,
> in sasl_interactive_bind_s
> [Fri Mar 15 09:35:15 2013] [error] [client 10.0.1.11] return
> self.conn.sasl_interactive_bind_s(who, auth, serverctrls, clientctrls,
> sasl_flags)
> [Fri Mar 15 09:35:15 2013] [error] [client 10.0.1.11] File
> "/usr/lib64/python2.6/site-packages/ldap/ldapobject.py", line 227, in
> sasl_interactive_bind_s
> [Fri Mar 15 09:35:15 2013] [error] [client 10.0.1.11] return
> self._ldap_call(self._l.sasl_interactive_bind_s,who,auth,EncodeControlTuples(serverctrls),EncodeControlTuples(clientctrls),sasl_flags)
> [Fri Mar 15 09:35:15 2013] [error] [client 10.0.1.11] File
> "/usr/lib64/python2.6/site-packages/ldap/ldapobject.py", line 96, in
> _ldap_call
> [Fri Mar 15 09:35:15 2013] [error] [client 10.0.1.11] result =
> func(*args,**kwargs)
> [Fri Mar 15 09:35:15 2013] [error] [client 10.0.1.11] LOCAL_ERROR:
> {'info': 'SASL(-1): generic failure: GSSAPI Error: Unspecified GSS
> failure. Minor code may provide more information (Server
> ldap/dc01.nt.example.com at EXAMPLE.COM not found in Kerberos database)',
> 'desc': 'Local error'}
>
> > Looks like your AD domain is DNS-wise a subdomain of the FreeIPA domain
> > example.com. Please try to add something like
>
> > .nt.example.com = NT.EXAMPLE.COM
> > nt.example.com = NT.EXAMPLE.COM
>
> > to the [domain_realm] section in /etc/krb5.conf. SSSD should have
> > created an include file with this information, but due to some errors it
> > is not read in the 6.4 version.
>
> > HTH
>
> > bye,
> > Sumit
No joy unfortunately mate. I tried adding it to both the IPA server and
the member server but still no change. Logs are still appearing as before.

Dale
>
>
>
> Just to clarify, iptables has been flushed and selinux is currently
> permissive. Running latest patches from RHN as of 2013/03/14
>
> Any thoughts?
>
> Dale
>
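The [domain_realm] lookup Sumit describes, as an added example that is not part of the thread: a small Python model of how MIT krb5 maps a host name to a realm (exact host first, then each parent domain with and then without the leading dot, as documented for krb5.conf; unmapped hosts fall back to default_realm here, which simplifies the real referral behaviour). The two krb5.conf fragments and the ds01/dc01 host names are constructed from the thread, not copied from a real system.

```python
"""Model of krb5 [domain_realm] host-to-realm mapping (added example).

Shows why ldap/dc01.nt.example.com lands in EXAMPLE.COM with only the
FreeIPA mappings present, and in NT.EXAMPLE.COM once the .nt.example.com
entries from the thread are added.
"""

# Constructed krb5.conf fragments: what ipa-client-install typically writes,
# and the same file with Sumit's suggested [domain_realm] lines appended.
KRB5_BEFORE = """
[libdefaults]
 default_realm = EXAMPLE.COM
[domain_realm]
 .example.com = EXAMPLE.COM
 example.com = EXAMPLE.COM
"""
KRB5_AFTER = KRB5_BEFORE + """ .nt.example.com = NT.EXAMPLE.COM
 nt.example.com = NT.EXAMPLE.COM
"""


def parse_domain_realm(text):
    """Return {lower-case host or .domain: REALM} from the [domain_realm] section."""
    mapping, in_section = {}, False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("[") and line.endswith("]"):
            in_section = line == "[domain_realm]"
            continue
        if in_section and "=" in line:
            name, realm = (p.strip() for p in line.split("=", 1))
            mapping[name.lower()] = realm
    return mapping


def host_to_realm(host, mapping, default_realm):
    """Exact host, then '.parent' and 'parent' for each parent domain."""
    host = host.lower().rstrip(".")
    labels = host.split(".")
    candidates = [host]
    for i in range(1, len(labels)):
        parent = ".".join(labels[i:])
        candidates += ["." + parent, parent]
    for name in candidates:
        if name in mapping:
            return mapping[name]
    return default_realm  # simplification: real clients try a referral here


def service_principal(service, host, krb5_conf, default_realm="EXAMPLE.COM"):
    """Principal a client would request a ticket for, e.g. for the GC bind."""
    realm = host_to_realm(host, parse_domain_realm(krb5_conf), default_realm)
    return f"{service}/{host}@{realm}"
```

With KRB5_BEFORE the GC host maps through `.example.com`, which is exactly the `ldap/dc01.nt.example.com@EXAMPLE.COM` principal in the error_log; with KRB5_AFTER the more specific `.nt.example.com` entry wins.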

