[Freeipa-users] Unable to establish trust with FreeIPA and Active Directory

Sumit Bose sbose at redhat.com
Thu Apr 3 14:53:31 UTC 2014


On Thu, Apr 03, 2014 at 02:31:55PM +0000, Matthew W Hanley wrote:
> I'm in the midst of setting up a trust with FreeIPA and Active Directory and am receiving the following error:
> 
> # ipa trust-add --type=ad ad.example.com --admin 'mwhanley' --password
> Active directory domain administrator's password:
> 
> ipa: ERROR: Cannot find specified domain or server name

Looks like a DNS issue. Can you check if

dig SRV _ldap._tcp.ad.example.com

returns a list of IP addresses for your AD DCs? If not, you might want to
have a look at
www.freeipa.org/page/Howto/IPAv3_AD_trust_setup#DNS_configuration .

HTH

bye,
Sumit

> 
> The FreeIPA server is running Fedora release 20, version 3.3.3-4 of FreeIPA and I have turned on debugging and get the following:
> 
> ps [Wed Apr 02 10:20:53.766064 2014] [:error] [pid 32522] ipa: INFO: admin at ipaexample.com: trust_add(u'ad.example.com', trust_type=u'ad', realm_admin=u'mwhanley', realm_passwd=u'********', all=False, raw=False, version=u'2.65'): NotFound
> [Wed Apr 02 10:21:29.635077 2014] [:error] [pid 32521] ipa: INFO: admin at ipaexample.com: idrange_find(None, all=False, raw=False, version=u'2.65', pkey_only=False): SUCCESS
> INFO: Current debug levels:
>   all: 11
>   tdb: 11
>   printdrivers: 11
>   lanman: 11
>   smb: 11
>   rpc_parse: 11
>   rpc_srv: 11
>   rpc_cli: 11
>   passdb: 11
>   sam: 11
>   auth: 11
>   winbind: 11
>   vfs: 11
>   idmap: 11
>   quota: 11
>   acls: 11
>   locking: 11
>   msdfs: 11
>   dmapi: 11
>   registry: 11
>   scavenger: 11
>   dns: 11
>   ldb: 11
> pm_process() returned Yes
> Using binding ncacn_np:host.ipaexample.com[,]
> Mapped to DCERPC endpoint \pipe\lsarpc
> added interface eth0 ip=xxx.xxx.xxx.xxx bcast=xxx.xxx.xxx.xxx netmask=255.255.255.0
> added interface eth0 ip=xxx.xxx.xxx.xxx bcast=xxx.xxx.xxx.xxx netmask=255.255.255.0
> Socket options:
> SO_KEEPALIVE = 0
> SO_REUSEADDR = 0
> SO_BROADCAST = 0
> TCP_NODELAY = 1
> TCP_KEEPCNT = 9
> TCP_KEEPIDLE = 7200
> TCP_KEEPINTVL = 75
> IPTOS_LOWDELAY = 0
> IPTOS_THROUGHPUT = 0
> SO_REUSEPORT = 0
> SO_SNDBUF = 663750
> SO_RCVBUF = 265452
> SO_SNDLOWAT = 1
> SO_RCVLOWAT = 1
> SO_SNDTIMEO = 0
> SO_RCVTIMEO = 0
> TCP_QUICKACK = 1
> TCP_DEFER_ACCEPT = 0
> Starting GENSEC mechanism spnego
> Starting GENSEC submechanism gssapi_krb5
> Ticket in credentials cache for admin at ipaexample.com will expire in 84015 secs
> gensec_gssapi: NO credentials were delegated
> GSSAPI Connection will be cryptographically sealed
> 
> I've also done an "ipactl restart" to no avail.  Any help would be appreciated.
> 
> -Matt
> 
> 
> Matthew Hanley
> IT Analyst
> Syracuse University
> mwhanley at syr.edu
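
Added example, not part of the original thread: a small script built around the `dig SRV` check suggested in the reply, which parses the answer and resolves each target so an empty or broken answer is obvious before `ipa trust-add` is retried. Checking `_kerberos._tcp` as well goes beyond the single query in the reply, and the `dc1`/`dc2` host names in the sample data are constructed.

```shell
#!/bin/sh
# Added example: check the SRV records an AD trust lookup depends on.

# Keep only well-formed SRV answers ("priority weight port target.") from
# `dig +short SRV` output and print them as "target port". Resolver error
# lines (";; connection timed out ...") and empty answers yield nothing.
parse_srv() {
    awk 'NF == 4 && $1 ~ /^[0-9]+$/ && $2 ~ /^[0-9]+$/ && $3 ~ /^[0-9]+$/ {
        sub(/\.$/, "", $4); print $4, $3
    }'
}

# Count usable SRV records in dig output read from stdin.
srv_count() {
    parse_srv | wc -l | tr -d ' '
}

# Live check: query both record names, then resolve every target to an address.
check_domain() {
    rc=0
    for label in _ldap._tcp _kerberos._tcp; do
        name="$label.$1"
        answer=$(dig +short SRV "$name")
        if [ "$(printf '%s\n' "$answer" | srv_count)" -eq 0 ]; then
            echo "FAIL $name: no SRV records returned"
            rc=1
            continue
        fi
        printf '%s\n' "$answer" | parse_srv | while read -r host port; do
            addr=$(dig +short A "$host" | head -n 1)
            echo "OK   $name -> $host:$port ${addr:-(target has no A record)}"
        done
    done
    return $rc
}

# Constructed sample answers, used to exercise the parser offline.
SAMPLE_GOOD='0 100 389 dc1.ad.example.com.
0 100 389 dc2.ad.example.com.'
SAMPLE_FAIL=';; connection timed out; no servers could be reached'

# Run the live check only when a domain is passed, e.g. ./check.sh ad.example.com
if [ $# -gt 0 ]; then
    check_domain "$1"
fi
```

Run it on the IPA server itself, since the trust code uses that host's resolver configuration.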
