[Freeipa-users] Trouble verifying domain trust IPA 3.0, AD 2012

Dale Macartney dale at themacartneyclan.com
Fri Mar 15 10:06:10 UTC 2013


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1


On 03/15/2013 10:03 AM, Dale Macartney wrote:
>
>
> On 03/15/2013 09:52 AM, Sumit Bose wrote:
> > On Fri, Mar 15, 2013 at 09:38:04AM +0000, Dale Macartney wrote:
> >>
> > Morning all
>
> > I have set up the domain trust and have errors when trying to map
> > groups from AD to IPA
>
> > Environment is IPA 3.0 on RHEL 6.4 and Windows 2012
>
> > When adding groups, I get the following.
>
> > [root at ds01 ~]# ipa group-add --desc='Active Directory Domain Admins
> > external map' domain_admins_map --external
> > [root at ds01 ~]# ipa group-add-member domain_admins_map --external
> > 'NT\Domain Admins'
> > [member user]:
> > [member group]:
> > ipa: ERROR: cannot connect to
> > u'https://ds01.example.com/ipa/session/xml': Internal Server Error
> > [root at ds01 ~]#
>
> > When the above error occurs I see the following in /var/log/httpd/error_log
>
> > ==> /var/log/httpd/error_log <==
> > [Fri Mar 15 09:35:15 2013] [error] ipa: ERROR: release_ipa_ccache:
> > ccache_name (FILE:/var/run/ipa_memcached/krbcc_5374) != KRB5CCNAME
> > environment variable (/var/run/ipa_memcached/krbcc_TDN)
> > [Fri Mar 15 09:35:15 2013] [error] [client 10.0.1.11] mod_wsgi
> > (pid=5374): Exception occurred processing WSGI script
> > '/usr/share/ipa/wsgi.py'.
> > [Fri Mar 15 09:35:15 2013] [error] [client 10.0.1.11] Traceback (most
> > recent call last):
> > [Fri Mar 15 09:35:15 2013] [error] [client 10.0.1.11] File
> > "/usr/share/ipa/wsgi.py", line 49, in application
> > [Fri Mar 15 09:35:15 2013] [error] [client 10.0.1.11] return
> > api.Backend.wsgi_dispatch(environ, start_response)
> > [Fri Mar 15 09:35:15 2013] [error] [client 10.0.1.11] File
> > "/usr/lib/python2.6/site-packages/ipaserver/rpcserver.py", line 248, in
> > __call__
> > [Fri Mar 15 09:35:15 2013] [error] [client 10.0.1.11] return
> > self.route(environ, start_response)
> > [Fri Mar 15 09:35:15 2013] [error] [client 10.0.1.11] File
> > "/usr/lib/python2.6/site-packages/ipaserver/rpcserver.py", line 260, in
> > route
> > [Fri Mar 15 09:35:15 2013] [error] [client 10.0.1.11] return
> > app(environ, start_response)
> > [Fri Mar 15 09:35:15 2013] [error] [client 10.0.1.11] File
> > "/usr/lib/python2.6/site-packages/ipaserver/rpcserver.py", line 1193, in
> > __call__
> > [Fri Mar 15 09:35:15 2013] [error] [client 10.0.1.11] response =
> > super(xmlserver_session, self).__call__(environ, start_response)
> > [Fri Mar 15 09:35:15 2013] [error] [client 10.0.1.11] File
> > "/usr/lib/python2.6/site-packages/ipaserver/rpcserver.py", line 709, in
> > __call__
> > [Fri Mar 15 09:35:15 2013] [error] [client 10.0.1.11] response =
> > super(xmlserver, self).__call__(environ, start_response)
> > [Fri Mar 15 09:35:15 2013] [error] [client 10.0.1.11] File
> > "/usr/lib/python2.6/site-packages/ipaserver/rpcserver.py", line 375, in
> > __call__
> > [Fri Mar 15 09:35:15 2013] [error] [client 10.0.1.11] response =
> > self.wsgi_execute(environ)
> > [Fri Mar 15 09:35:15 2013] [error] [client 10.0.1.11] File
> > "/usr/lib/python2.6/site-packages/ipaserver/rpcserver.py", line 334, in
> > wsgi_execute
> > [Fri Mar 15 09:35:15 2013] [error] [client 10.0.1.11] result =
> > self.Command[name](*args, **options)
> > [Fri Mar 15 09:35:15 2013] [error] [client 10.0.1.11] File
> > "/usr/lib/python2.6/site-packages/ipalib/frontend.py", line 435, in
__call__
> > [Fri Mar 15 09:35:15 2013] [error] [client 10.0.1.11] ret =
> > self.run(*args, **options)
> > [Fri Mar 15 09:35:15 2013] [error] [client 10.0.1.11] File
> > "/usr/lib/python2.6/site-packages/ipalib/frontend.py", line 747, in run
> > [Fri Mar 15 09:35:15 2013] [error] [client 10.0.1.11] return
> > self.execute(*args, **options)
> > [Fri Mar 15 09:35:15 2013] [error] [client 10.0.1.11] File
> > "/usr/lib/python2.6/site-packages/ipalib/plugins/baseldap.py", line
> > 1590, in execute
> > [Fri Mar 15 09:35:15 2013] [error] [client 10.0.1.11] **options)
> > [Fri Mar 15 09:35:15 2013] [error] [client 10.0.1.11] File
> > "/usr/lib/python2.6/site-packages/ipalib/plugins/group.py", line 387, in
> > post_callback
> > [Fri Mar 15 09:35:15 2013] [error] [client 10.0.1.11] actual_sid =
> > domain_validator.get_sid_trusted_domain_object(sid)
> > [Fri Mar 15 09:35:15 2013] [error] [client 10.0.1.11] File
> > "/usr/lib/python2.6/site-packages/ipaserver/dcerpc.py", line 212, in
> > get_sid_trusted_domain_object
> > [Fri Mar 15 09:35:15 2013] [error] [client 10.0.1.11] entry =
> > self.resolve_against_gc(domain, components['name'])
> > [Fri Mar 15 09:35:15 2013] [error] [client 10.0.1.11] File
> > "/usr/lib/python2.6/site-packages/ipaserver/dcerpc.py", line 285, in
> > resolve_against_gc
> > [Fri Mar 15 09:35:15 2013] [error] [client 10.0.1.11] entry =
> > self.__resolve_against_gc(info, host, port, name)
> > [Fri Mar 15 09:35:15 2013] [error] [client 10.0.1.11] File
> > "/usr/lib/python2.6/site-packages/ipaserver/dcerpc.py", line 315, in
> > __resolve_against_gc
> > [Fri Mar 15 09:35:15 2013] [error] [client 10.0.1.11]
> > conn.sasl_interactive_bind_s(None, sasl_auth)
> > [Fri Mar 15 09:35:15 2013] [error] [client 10.0.1.11] File
> > "/usr/lib/python2.6/site-packages/ipaserver/plugins/ldap2.py", line 566,
> > in sasl_interactive_bind_s
> > [Fri Mar 15 09:35:15 2013] [error] [client 10.0.1.11] return
> > self.conn.sasl_interactive_bind_s(who, auth, serverctrls, clientctrls,
> > sasl_flags)
> > [Fri Mar 15 09:35:15 2013] [error] [client 10.0.1.11] File
> > "/usr/lib64/python2.6/site-packages/ldap/ldapobject.py", line 227, in
> > sasl_interactive_bind_s
> > [Fri Mar 15 09:35:15 2013] [error] [client 10.0.1.11] return self._ldap_call(self._l.sasl_interactive_bind_s,who,auth,EncodeControlTuples(serverctrls),EncodeControlTuples(clientctrls),sasl_flags)
> > [Fri Mar 15 09:35:15 2013] [error] [client 10.0.1.11] File
> > "/usr/lib64/python2.6/site-packages/ldap/ldapobject.py", line 96, in
> > _ldap_call
> > [Fri Mar 15 09:35:15 2013] [error] [client 10.0.1.11] result =
> > func(*args,**kwargs)
> > [Fri Mar 15 09:35:15 2013] [error] [client 10.0.1.11] LOCAL_ERROR:
> > {'info': 'SASL(-1): generic failure: GSSAPI Error: Unspecified GSS
> > failure. Minor code may provide more information (Server
> > ldap/dc01.nt.example.com at EXAMPLE.COM not found in Kerberos database)',
> > 'desc': 'Local error'}
>
> > > Looks like your AD domain is DNS-wise a subdomain of the FreeIPA domain
> > > example.com. Please try to add something like
>
> > > .nt.example.com = NT.EXAMPLE.COM
> > > nt.example.com = NT.EXAMPLE.COM
>
> > > to the [domain_realm] section in /etc/krb5.conf. SSSD should have
> > > created an include file with this information, but due to some errors it
> > > is not read in the 6.4 version.
>
> > > HTH
>
> > > bye,
> > > Sumit
> No joy unfortunately, mate. I tried adding it to both the IPA server
> and the member server but still no change. Logs are still appearing as
> before.
>
> Dale
Looks like I spoke too soon. I tried again about 10 seconds later and now
it works.

Thanks for the suggestion :-)
>
>
>
> > Just to clarify, iptables has been flushed and selinux is currently
> > permissive. Running latest patches from RHN as of 2013/03/14
>
> > Any thoughts?
>
> > Dale
>
> >>
> >> _______________________________________________
> >> Freeipa-users mailing list
> >> Freeipa-users at redhat.com
> >> https://www.redhat.com/mailman/listinfo/freeipa-users
>
>

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.13 (GNU/Linux)
Comment: Using GnuPG with Thunderbird - http://www.enigmail.net/
-----END PGP SIGNATURE-----
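The failure in the traceback above is a realm-selection problem: the GSSAPI bind built the target principal as ldap/dc01.nt.example.com@EXAMPLE.COM, i.e. the IPA KDC's own realm, because nothing in krb5.conf told libkrb5 that hosts under nt.example.com belong to the AD realm NT.EXAMPLE.COM, and the longest matching [domain_realm] suffix was .example.com. The following is an added example, not FreeIPA, SSSD or MIT Kerberos code; it models MIT's [domain_realm] lookup rule (exact hostname first, then successively shorter dotted suffixes, then default_realm; DNS TXT lookup is not modelled) over two constructed krb5.conf fragments, one without and one with the two lines Sumit suggested, so you can see which realm a service principal ends up in before and after the change. The hostnames and realms are the ones from the thread; the config contents are constructed.

```python
"""Model of how MIT Kerberos maps a host to a realm via [domain_realm].

Added example, not FreeIPA/SSSD/MIT code. Both krb5.conf fragments below are
constructed for illustration; only the flat sections they contain are parsed.
"""
import re

# Constructed: the state before Sumit's suggestion. Only the IPA domain is mapped,
# so anything under nt.example.com falls through to .example.com = EXAMPLE.COM.
KRB5_CONF_BEFORE = """\
[libdefaults]
 default_realm = EXAMPLE.COM
 dns_lookup_realm = false

[domain_realm]
 .example.com = EXAMPLE.COM
 example.com = EXAMPLE.COM
"""

# Constructed: the same file with the two [domain_realm] lines from the thread added.
KRB5_CONF_AFTER = KRB5_CONF_BEFORE + """\
 .nt.example.com = NT.EXAMPLE.COM
 nt.example.com = NT.EXAMPLE.COM
"""


def parse_krb5_conf(text):
    """Parse flat 'key = value' lines under [section] headers into nested dicts.

    Brace-nested subsections (per-realm blocks under [realms], for instance) are
    skipped; the lookup below only needs [libdefaults] and [domain_realm].
    """
    sections = {}
    current = None
    depth = 0
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        header = re.match(r"^\[(\w+)\]$", line)
        if header:
            current = sections.setdefault(header.group(1), {})
            depth = 0
            continue
        if line.endswith("{"):
            depth += 1
            continue
        if line == "}":
            depth -= 1
            continue
        if current is None or depth > 0 or "=" not in line:
            continue
        key, _, value = line.partition("=")
        # Keys are hostnames/domains; MIT compares them case-insensitively.
        current[key.strip().lower()] = value.strip()
    return sections


def host_realm(conf, host):
    """Return the realm libkrb5 would pick for host.

    Order: exact hostname entry, then each dotted parent suffix from longest to
    shortest (".nt.example.com" before ".example.com"), then default_realm.
    An entry without a leading dot matches only that exact hostname.
    """
    mapping = conf.get("domain_realm", {})
    host = host.lower().rstrip(".")
    if host in mapping:
        return mapping[host]
    labels = host.split(".")
    for i in range(1, len(labels)):
        suffix = "." + ".".join(labels[i:])
        if suffix in mapping:
            return mapping[suffix]
    return conf.get("libdefaults", {}).get("default_realm")


def service_principal(conf, service, host):
    """Build the service principal a GSSAPI client would request for service/host."""
    return "%s/%s@%s" % (service, host, host_realm(conf, host))


if __name__ == "__main__":
    for label, text in (("before", KRB5_CONF_BEFORE), ("after", KRB5_CONF_AFTER)):
        conf = parse_krb5_conf(text)
        print(label, service_principal(conf, "ldap", "dc01.nt.example.com"))
```

On a real host the equivalent check after editing /etc/krb5.conf is to obtain a ticket as an IPA user and run `kvno ldap/dc01.nt.example.com`, then look at `klist`: the service ticket should carry the @NT.EXAMPLE.COM suffix (a cross-realm TGT krbtgt/NT.EXAMPLE.COM@EXAMPLE.COM will also appear). If it still shows @EXAMPLE.COM, the mapping is not being read, which is the situation the thread describes for the SSSD-generated include file on 6.4.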
