[Freeipa-users] Unable to establish trust with FreeIPA and Active Directory
Redmond, Stacy
stacy.redmond at blueshieldca.com
Thu Apr 3 18:05:08 UTC 2014
I have this same exact issue. I have not only verified that DNS is
functioning properly, I have also added the AD server to the local hosts
file as is the reported fix for this issue and it still persists.
[root at linuxtest1 ~]# cat /etc/redhat-release
Red Hat Enterprise Linux Server release 6.5 (Santiago)
[root at linuxtest1 ~]# uname -a
Linux linuxtest1.sbx.local 2.6.32-431.11.2.el6.x86_64 #1 SMP Mon Mar 3
13:32:45 EST 2014 x86_64 x86_64 x86_64 GNU/Linux
[root at linuxtest1 ~]# nslookup wdir901sbx.sbx.local
Server: 10.130.82.20
Address: 10.130.82.20#53
Name: wdir901sbx.sbx.local
Address: 10.130.82.20
[root at linuxtest1 ~]# nslookup 10.130.82.20
Server: 10.130.82.20
Address: 10.130.82.20#53
20.82.130.10.in-addr.arpa name = wdir901sbx.sbx.local.
[root at linuxtest1 ~]# dig SRV _ldap._tcp.ad.sbx.local
; <<>> DiG 9.8.2rc1-RedHat-9.8.2-0.23.rc1.el6_5.1 <<>> SRV
_ldap._tcp.ad.sbx.local
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 50435
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 0
;; QUESTION SECTION:
;_ldap._tcp.ad.sbx.local. IN SRV
;; AUTHORITY SECTION:
sbx.local. 3600 IN SOA wdir901sbx.sbx.local.
hostmaster. 4715 900 600 86400 3600
;; Query time: 0 msec
;; SERVER: 10.130.82.20#53(10.130.82.20)
;; WHEN: Thu Apr 3 10:34:02 2014
;; MSG SIZE rcvd: 107
[root at linuxtest1 ~]# ipa trust-add --type=ad ad.sbx.local --admin
'admsredmo01' --password
Active directory domain administrator's password:
ipa: ERROR: Cannot find specified domain or server name
[root at linuxtest1 ~]#
[root at linuxtest1 ~]# ipa trust-add --type=ad sbx.local --admin
'admsredmo01' --password
Active directory domain administrator's password:
ipa: ERROR: Cannot find specified domain or server name
[root at linuxtest1 ~]#
Any and all help would be appreciated.
-----Original Message-----
From: freeipa-users-bounces at redhat.com
[mailto:freeipa-users-bounces at redhat.com] On Behalf Of
freeipa-users-request at redhat.com
Sent: Thursday, April 03, 2014 9:00 AM
To: freeipa-users at redhat.com
Subject: Freeipa-users Digest, Vol 69, Issue 20
Message: 1
Date: Thu, 3 Apr 2014 16:53:31 +0200
From: Sumit Bose <sbose at redhat.com>
To: freeipa-users at redhat.com
Subject: Re: [Freeipa-users] Unable to establish trust with FreeIPA
and Active Directory
Message-ID: <20140403145331.GN11404 at localhost.localdomain>
Content-Type: text/plain; charset=us-ascii
On Thu, Apr 03, 2014 at 02:31:55PM +0000, Matthew W Hanley wrote:
> I'm in the midst of setting up a trust with FreeIPA and Active
> Directory and am receiving the following error:
>
> # ipa trust-add --type=ad ad.example.com --admin 'mwhanley' --password
> Active directory domain administrator's password:
>
> ipa: ERROR: Cannot find specified domain or server name
looks like a DNS issue. Can you check if
dig SRV _ldap._tcp.ad.example.com
returns a list of IP addresses for your AD DCs? If not you might want to
have a look at
www.freeipa.org/page/Howto/IPAv3_AD_trust_setup#DNS_configuration .
HTH
bye,
Sumit
>
> The FreeIPA server is running Fedora release 20, version 3.3.3-4 of
> FreeIPA and I have turned on debugging and get the following:
>
> ps [Wed Apr 02 10:20:53.766064 2014] [:error] [pid 32522] ipa: INFO:
> admin at ipaexample.com: trust_add(u'ad.example.com', trust_type=u'ad',
> realm_admin=u'mwhanley', realm_passwd=u'********', all=False,
> raw=False, version=u'2.65'): NotFound [Wed Apr 02 10:21:29.635077
> 2014] [:error] [pid 32521] ipa: INFO: admin at ipaexample.com:
> idrange_find(None, all=False, raw=False, version=u'2.65',
> pkey_only=False): SUCCESS
> INFO: Current debug levels:
> all: 11
> tdb: 11
> printdrivers: 11
> lanman: 11
> smb: 11
> rpc_parse: 11
> rpc_srv: 11
> rpc_cli: 11
> passdb: 11
> sam: 11
> auth: 11
> winbind: 11
> vfs: 11
> idmap: 11
> quota: 11
> acls: 11
> locking: 11
> msdfs: 11
> dmapi: 11
> registry: 11
> scavenger: 11
> dns: 11
> ldb: 11
> pm_process() returned Yes
> Using binding ncacn_np:host.ipaexample.com[,] Mapped to DCERPC
> endpoint \pipe\lsarpc added interface eth0 ip=xxx.xxx.xxx.xxx
> bcast=xxx.xxx.xxx.xxx netmask=255.255.255.0 added interface eth0
> ip=xxx.xxx.xxx.xxx bcast=xxx.xxx.xxx.xxx netmask=255.255.255.0 Socket
> options:
> SO_KEEPALIVE = 0
> SO_REUSEADDR = 0
> SO_BROADCAST = 0
> TCP_NODELAY = 1
> TCP_KEEPCNT = 9
> TCP_KEEPIDLE = 7200
> TCP_KEEPINTVL = 75
> IPTOS_LOWDELAY = 0
> IPTOS_THROUGHPUT = 0
> SO_REUSEPORT = 0
> SO_SNDBUF = 663750
> SO_RCVBUF = 265452
> SO_SNDLOWAT = 1
> SO_RCVLOWAT = 1
> SO_SNDTIMEO = 0
> SO_RCVTIMEO = 0
> TCP_QUICKACK = 1
> TCP_DEFER_ACCEPT = 0
> Starting GENSEC mechanism spnego
> Starting GENSEC submechanism gssapi_krb5 Ticket in credentials cache
> for admin at ipaexample.com will expire in 84015 secs
> gensec_gssapi: NO credentials were delegated GSSAPI Connection will be
> cryptographically sealed
>
> I've also done an "ipactl restart" to no avail. Any help would be
> appreciated.
>
> -Matt
>
>
> Matthew Hanley
> IT Analyst
> Syracuse University
> mwhanley at syr.edu
> _______________________________________________
> Freeipa-users mailing list
> Freeipa-users at redhat.com
> https://www.redhat.com/mailman/listinfo/freeipa-users
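
The SRV lookup suggested in the reply above can be read mechanically. The following is an added example, not part of the original thread: it summarises a `dig SRV` response (return code, answer count, and the zone named in the AUTHORITY SOA). The function names are hypothetical, the NXDOMAIN sample is the dig output posted above with its wrapped lines rejoined, and the NOERROR sample is constructed with a placeholder domain.

```shell
#!/bin/sh
# Added example: summarise a `dig SRV` response read from stdin.
# Function names are hypothetical; sample data is embedded so it runs offline.

# Prints "status=<rcode> answers=<n> zone=<SOA owner from AUTHORITY, or ->".
srv_summary() {
    awk '
        /->>HEADER<<-/ { for (i = 1; i < NF; i++) if ($i == "status:") { s = $(i+1); sub(/,/, "", s) } }
        /^;; flags:/   { for (i = 1; i < NF; i++) if ($i == "ANSWER:") { a = $(i+1); sub(/,/, "", a) } }
        /^;; AUTHORITY SECTION:/ { auth = 1; next }
        /^;;/ { auth = 0 }
        auth && $4 == "SOA" && zone == "" { zone = $1 }
        END { printf "status=%s answers=%d zone=%s\n", s, a, (zone == "" ? "-" : zone) }
    '
}

# Succeeds only when the response is NOERROR and carries at least one answer.
srv_usable() {
    case "$(srv_summary)" in
        "status=NOERROR answers=0 "*) return 1 ;;
        "status=NOERROR "*)           return 0 ;;
        *)                            return 1 ;;
    esac
}

# Response posted in this thread for _ldap._tcp.ad.sbx.local (wraps rejoined).
sample_nxdomain() {
cat <<'EOF'
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 50435
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 0
;; QUESTION SECTION:
;_ldap._tcp.ad.sbx.local. IN SRV
;; AUTHORITY SECTION:
sbx.local. 3600 IN SOA wdir901sbx.sbx.local. hostmaster. 4715 900 600 86400 3600
EOF
}

# Constructed healthy response for a placeholder domain (not from the thread).
sample_ok() {
cat <<'EOF'
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 1
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1
;; ANSWER SECTION:
_ldap._tcp.ad.example.test. 600 IN SRV 0 100 389 dc1.ad.example.test.
EOF
}

sample_nxdomain | srv_summary
sample_nxdomain | srv_usable || echo "no LDAP SRV records returned for this name"
```

Against a live resolver, pipe the real query into the same function, for example `dig SRV _ldap._tcp.ad.example.com | srv_summary`; the `zone=` field shows which zone the authoritative server answered for when the queried name does not exist.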