[Freeipa-users] Unable to establish trust with FreeIPA and Active Directory

Redmond, Stacy stacy.redmond at blueshieldca.com
Fri Apr 4 14:01:42 UTC 2014


You are absolutely right, I had rebuilt the server, and had forgotten
to put the log level back in, here it is.

[root at linuxtest1 ~]# cat /var/log/httpd/error_log
/dev/null
lpcfg_load: refreshing parameters from /usr/share/ipa/smb.conf.empty
params.c:pm_process() - Processing configuration file
"/usr/share/ipa/smb.conf.empty"
Processing section "[global]"
INFO: Current debug levels:
  all: 100
  tdb: 100
  printdrivers: 100
  lanman: 100
  smb: 100
  rpc_parse: 100
  rpc_srv: 100
  rpc_cli: 100
  passdb: 100
  sam: 100
  auth: 100
  winbind: 100
  vfs: 100
  idmap: 100
  quota: 100
  acls: 100
  locking: 100
  msdfs: 100
  dmapi: 100
  registry: 100
pm_process() returned Yes
Using binding ncacn_np:linuxtest1.unix.sbx.local[,]
tevent: Added timed event "dcerpc_connect_timeout_handler":
0x7facb82d32b0
tevent: Added timed event "composite_trigger": 0x7facb8091400
tevent: Added timed event "composite_trigger": 0x7facb8091d30
tevent: Running timer event 0x7facb8091400 "composite_trigger"
tevent: Destroying timer event 0x7facb8091d30 "composite_trigger"
Mapped to DCERPC endpoint \pipe\lsarpc
added interface eth0 ip=10.130.82.68 bcast=10.130.82.255
netmask=255.255.255.0
added interface eth0 ip=10.130.82.68 bcast=10.130.82.255
netmask=255.255.255.0
tevent: Ending timer event 0x7facb8091400 "composite_trigger"
tevent: Added timed event "connect_multi_timer": 0x7facb80a1e70
tevent: Schedule immediate event "tevent_req_trigger": 0x7facb813fe80
tevent: Run immediate event "tevent_req_trigger": 0x7facb813fe80
tevent: Destroying timer event 0x7facb80a1e70 "connect_multi_timer"
Socket options:
        SO_KEEPALIVE = 0
        SO_REUSEADDR = 0
        SO_BROADCAST = 0
        TCP_NODELAY = 1
        TCP_KEEPCNT = 9
        TCP_KEEPIDLE = 7200
        TCP_KEEPINTVL = 75
        IPTOS_LOWDELAY = 0
        IPTOS_THROUGHPUT = 0
        SO_REUSEPORT = 0
        SO_SNDBUF = 169160
        SO_RCVBUF = 87380
        SO_SNDLOWAT = 1
        SO_RCVLOWAT = 1
        SO_SNDTIMEO = 0
        SO_RCVTIMEO = 0
        TCP_QUICKACK = 1
        TCP_DEFER_ACCEPT = 0
tevent: Added timed event "tevent_req_timedout": 0x7facb815c6c0
tevent: Schedule immediate event "tevent_queue_immediate_trigger":
0x7facb832cd60
tevent: Run immediate event "tevent_queue_immediate_trigger":
0x7facb832cd60
tevent: Destroying timer event 0x7facb815c6c0 "tevent_req_timedout"
Starting GENSEC mechanism spnego
Starting GENSEC submechanism gssapi_krb5
Ticket in credentials cache for admin at UNIX will expire in 36642 secs
tevent: Added timed event "tevent_req_timedout": 0x7facb815ddc0
tevent: Schedule immediate event "tevent_queue_immediate_trigger":
0x7facb832cd60
tevent: Run immediate event "tevent_queue_immediate_trigger":
0x7facb832cd60
tevent: Destroying timer event 0x7facb815ddc0 "tevent_req_timedout"
gensec_gssapi: NO credentials were delegated
GSSAPI Connection will be cryptographically sealed
tevent: Added timed event "tevent_req_timedout": 0x7facb815d5a0
tevent: Schedule immediate event "tevent_queue_immediate_trigger":
0x7facb832cd60
tevent: Run immediate event "tevent_queue_immediate_trigger":
0x7facb832cd60
tevent: Destroying timer event 0x7facb815d5a0 "tevent_req_timedout"
tevent: Added timed event "tevent_req_timedout": 0x7facb8292850
tevent: Schedule immediate event "tevent_queue_immediate_trigger":
0x7facb832cd60
tevent: Run immediate event "tevent_queue_immediate_trigger":
0x7facb832cd60
tevent: Destroying timer event 0x7facb8292850 "tevent_req_timedout"
tevent: Destroying timer event 0x7facb82d32b0
"dcerpc_connect_timeout_handler"
[Fri Apr 04 06:59:43 2014] [error] ipa: INFO: admin at UNIX:
trust_add(u'unix.sbx.local', trust_type=u'ad',
realm_admin=u'Administrator', realm_passwd=u'********',
range_size=200000, all=False, raw=False, version=u'2.49'): NotFound
[root at linuxtest1 ~]#

-----Original Message-----
From: Alexander Bokovoy [mailto:abokovoy at redhat.com] 
Sent: Thursday, April 03, 2014 9:34 PM
To: Redmond, Stacy
Cc: freeipa-users at redhat.com
Subject: Re: [Freeipa-users] Unable to establish trust with FreeIPA and
Active Directory

On Thu, 03 Apr 2014, Redmond, Stacy wrote:
>Yes, I did that, here is the log
>
>[Thu Apr 03 13:21:52 2014] [error] [client 10.130.82.68] Credentials 
>for HTTP/linuxtest1.sbx.local at UNIX have expired or will soon expire - 
>now
>1396556512 endtime 1396551629, referer:
>https://linuxtest1.sbx.local/ipa/xml
>[Thu Apr 03 13:21:52 2014] [error] [client 10.130.82.68] Credentials 
>for HTTP/linuxtest1.sbx.local at UNIX have expired or will soon expire - 
>now
>1396556512 endtime 1396551629, referer:
>https://linuxtest1.sbx.local/ipa/xml
>[Thu Apr 03 13:21:52 2014] [error] ipa: INFO: admin at UNIX: ping():
>SUCCESS
>[Thu Apr 03 13:21:55 2014] [error] ipa: INFO: admin at UNIX:
>trust_add(u'sbx.local', trust_type=u'ad', realm_admin=u'admsredmo01', 
>realm_passwd=u'********', range_size=200000, all=False, raw=False,
>version=u'2.49'): NotFound
No, you haven't. These are not the log entries I'd expect. Between the
ping() and trust_add() lines there should be a lot of debug output from
Samba Python code.


>
>-----Original Message-----
>From: Alexander Bokovoy [mailto:abokovoy at redhat.com]
>Sent: Thursday, April 03, 2014 12:12 PM
>To: Redmond, Stacy
>Cc: freeipa-users at redhat.com
>Subject: Re: [Freeipa-users] Unable to establish trust with FreeIPA and
>Active Directory
>
>On Thu, 03 Apr 2014, Redmond, Stacy wrote:
>>I have this same exact issue.  I have not only verified that DNS is 
>>functioning properly, I have also added the AD server to the local 
>>hosts file as is the reported fix for this issue and it still
>>persists.
>add
>
>log level = 100
>
>to [global] section in /usr/share/ipa/smb.conf.empty
>
>and try 'ipa trust-add' again.
>
>You'll get debug output in httpd's error_log.
>
>I'd like to see level 100 logs, they give a bit more details in case of
>SMB Python bindings.
>
>--
>/ Alexander Bokovoy

--
/ Alexander Bokovoy
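
Added example, not part of the original thread: a small triage script for the kind of httpd error_log excerpts exchanged above. It reports how far past its end time the HTTP service ticket was, which IPA calls were logged, and whether any unprefixed Samba debug output was captured once the tevent noise is dropped. The sample lines are constructed from the excerpts in this thread (unwrapped, with abbreviated trust_add arguments), and the function and variable names are hypothetical.

```python
import re

EXPIRY = re.compile(r"now (\d+) endtime (\d+)")
IPA_CALL = re.compile(r"ipa: INFO: .+?: (\w+)\(.*\): (\w+)\s*$")
APACHE_PREFIX = re.compile(r"^\[\w{3} \w{3} \d{2} ")

# Constructed samples modelled on the excerpts in this thread (lines unwrapped).
LOG_WITHOUT_DEBUG = """\
[Thu Apr 03 13:21:52 2014] [error] [client 10.130.82.68] Credentials for HTTP/linuxtest1.sbx.local@UNIX have expired or will soon expire - now 1396556512 endtime 1396551629, referer: https://linuxtest1.sbx.local/ipa/xml
[Thu Apr 03 13:21:52 2014] [error] ipa: INFO: admin@UNIX: ping(): SUCCESS
[Thu Apr 03 13:21:55 2014] [error] ipa: INFO: admin@UNIX: trust_add(u'sbx.local', trust_type=u'ad'): NotFound
"""
LOG_WITH_DEBUG = """\
Using binding ncacn_np:linuxtest1.unix.sbx.local[,]
tevent: Added timed event "composite_trigger": 0x7facb8091400
Mapped to DCERPC endpoint \\pipe\\lsarpc
Starting GENSEC mechanism spnego
tevent: Destroying timer event 0x7facb815ddc0 "tevent_req_timedout"
GSSAPI Connection will be cryptographically sealed
[Fri Apr 04 06:59:43 2014] [error] ipa: INFO: admin@UNIX: trust_add(u'unix.sbx.local', trust_type=u'ad'): NotFound
"""


def triage(log_text):
    """Split an error_log excerpt into ticket expiry, IPA calls and Samba debug lines."""
    report = {"expired_by": [], "calls": [], "samba": []}
    for line in log_text.splitlines():
        expiry = EXPIRY.search(line)
        call = IPA_CALL.search(line)
        if expiry:
            now, endtime = map(int, expiry.groups())
            if now >= endtime:  # ticket already past its end time, in seconds
                report["expired_by"].append(now - endtime)
        elif call:
            report["calls"].append(call.groups())  # (command, result)
        elif (line.strip() and not line.startswith(("tevent:", " ", "\t"))
              and not APACHE_PREFIX.match(line)):
            report["samba"].append(line)  # unprefixed Samba debug output
    # With "log level = 100" in effect, Samba lines precede the trust_add entry.
    report["debug_captured"] = bool(report["samba"])
    return report


if __name__ == "__main__":
    for name, text in (("3 April", LOG_WITHOUT_DEBUG), ("4 April", LOG_WITH_DEBUG)):
        print(name, triage(text))
```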



