[Freeipa-users] Unable to establish trust with FreeIPA and Active Directory
Redmond, Stacy
stacy.redmond at blueshieldca.com
Fri Apr 4 15:31:54 UTC 2014
We will be using unix as the Kerberos realm and unix.sbx.local as the
domain so we can use SRV records for the unix hosts to point at IPA.
The AD domain is sbx.local; here is the output using the AD domain:
[root at linuxtest1 ~]# ipa trust-add --type=ad sbx.local --admin Administrator --password
Active directory domain administrator's password:
ipa: ERROR: Cannot find specified domain or server name
[root at linuxtest1 ~]# cat /var/log/httpd/error_log
lpcfg_load: refreshing parameters from /usr/share/ipa/smb.conf.empty
params.c:pm_process() - Processing configuration file
"/usr/share/ipa/smb.conf.empty"
Processing section "[global]"
INFO: Current debug levels:
all: 100
tdb: 100
printdrivers: 100
lanman: 100
smb: 100
rpc_parse: 100
rpc_srv: 100
rpc_cli: 100
passdb: 100
sam: 100
auth: 100
winbind: 100
vfs: 100
idmap: 100
quota: 100
acls: 100
locking: 100
msdfs: 100
dmapi: 100
registry: 100
pm_process() returned Yes
Using binding ncacn_np:linuxtest1.unix.sbx.local[,]
tevent: Added timed event "dcerpc_connect_timeout_handler":
0x7facb82e9d30
tevent: Added timed event "composite_trigger": 0x7facb80a8de0
tevent: Added timed event "composite_trigger": 0x7facb80a9710
tevent: Running timer event 0x7facb80a8de0 "composite_trigger"
tevent: Destroying timer event 0x7facb80a9710 "composite_trigger"
Mapped to DCERPC endpoint \pipe\lsarpc
added interface eth0 ip=10.130.82.68 bcast=10.130.82.255
netmask=255.255.255.0
added interface eth0 ip=10.130.82.68 bcast=10.130.82.255
netmask=255.255.255.0
tevent: Ending timer event 0x7facb80a8de0 "composite_trigger"
tevent: Added timed event "connect_multi_timer": 0x7facb81bf0e0
tevent: Schedule immediate event "tevent_req_trigger": 0x7facb81bfa10
tevent: Run immediate event "tevent_req_trigger": 0x7facb81bfa10
tevent: Destroying timer event 0x7facb81bf0e0 "connect_multi_timer"
Socket options:
SO_KEEPALIVE = 0
SO_REUSEADDR = 0
SO_BROADCAST = 0
TCP_NODELAY = 1
TCP_KEEPCNT = 9
TCP_KEEPIDLE = 7200
TCP_KEEPINTVL = 75
IPTOS_LOWDELAY = 0
IPTOS_THROUGHPUT = 0
SO_REUSEPORT = 0
SO_SNDBUF = 169160
SO_RCVBUF = 87380
SO_SNDLOWAT = 1
SO_RCVLOWAT = 1
SO_SNDTIMEO = 0
SO_RCVTIMEO = 0
TCP_QUICKACK = 1
TCP_DEFER_ACCEPT = 0
tevent: Added timed event "tevent_req_timedout": 0x7facb814b930
tevent: Schedule immediate event "tevent_queue_immediate_trigger":
0x7facb8156ab0
tevent: Run immediate event "tevent_queue_immediate_trigger":
0x7facb8156ab0
tevent: Destroying timer event 0x7facb814b930 "tevent_req_timedout"
Starting GENSEC mechanism spnego
Starting GENSEC submechanism gssapi_krb5
Ticket in credentials cache for admin at UNIX will expire in 31325 secs
tevent: Added timed event "tevent_req_timedout": 0x7facb82715b0
tevent: Schedule immediate event "tevent_queue_immediate_trigger":
0x7facb8156ab0
tevent: Run immediate event "tevent_queue_immediate_trigger":
0x7facb8156ab0
tevent: Destroying timer event 0x7facb82715b0 "tevent_req_timedout"
gensec_gssapi: NO credentials were delegated
GSSAPI Connection will be cryptographically sealed
tevent: Added timed event "tevent_req_timedout": 0x7facb814c340
tevent: Schedule immediate event "tevent_queue_immediate_trigger":
0x7facb8156ab0
tevent: Run immediate event "tevent_queue_immediate_trigger":
0x7facb8156ab0
tevent: Destroying timer event 0x7facb814c340 "tevent_req_timedout"
tevent: Added timed event "tevent_req_timedout": 0x7facb814c340
tevent: Schedule immediate event "tevent_queue_immediate_trigger":
0x7facb8156ab0
tevent: Run immediate event "tevent_queue_immediate_trigger":
0x7facb8156ab0
tevent: Destroying timer event 0x7facb814c340 "tevent_req_timedout"
tevent: Destroying timer event 0x7facb82e9d30
"dcerpc_connect_timeout_handler"
[Fri Apr 04 08:28:21 2014] [error] ipa: INFO: admin at UNIX:
trust_add(u'sbx.local', trust_type=u'ad', realm_admin=u'Administrator',
realm_passwd=u'********', range_size=200000, all=False, raw=False,
version=u'2.49'): NotFound
[root at linuxtest1 ~]#
-----Original Message-----
From: Alexander Bokovoy [mailto:abokovoy at redhat.com]
Sent: Friday, April 04, 2014 8:25 AM
To: Redmond, Stacy
Cc: freeipa-users at redhat.com
Subject: Re: [Freeipa-users] Unable to establish trust with FreeIPA and
Active Directory
On Fri, 04 Apr 2014, Redmond, Stacy wrote:
>You are absolutely right, I had rebuilt the server, and had forgotten
>to put the log level back in, here it is.
>
>[root at linuxtest1 ~]# cat /var/log/httpd/error_log /dev/null
>lpcfg_load: refreshing parameters from /usr/share/ipa/smb.conf.empty
>params.c:pm_process() - Processing configuration file
>"/usr/share/ipa/smb.conf.empty"
>Processing section "[global]"
>INFO: Current debug levels:
> all: 100
> tdb: 100
> printdrivers: 100
> lanman: 100
> smb: 100
> rpc_parse: 100
> rpc_srv: 100
> rpc_cli: 100
> passdb: 100
> sam: 100
> auth: 100
> winbind: 100
> vfs: 100
> idmap: 100
> quota: 100
> acls: 100
> locking: 100
> msdfs: 100
> dmapi: 100
> registry: 100
>pm_process() returned Yes
>Using binding ncacn_np:linuxtest1.unix.sbx.local[,]
^^ we first try to talk to the local smbd process.
>tevent: Destroying timer event 0x7facb8292850 "tevent_req_timedout"
>tevent: Destroying timer event 0x7facb82d32b0
>"dcerpc_connect_timeout_handler"
>[Fri Apr 04 06:59:43 2014] [error] ipa: INFO: admin at UNIX:
>trust_add(u'unix.sbx.local', trust_type=u'ad',
What is 'unix.sbx.local'? Is this an Active Directory domain? From your
log I gather that it is the FreeIPA domain, not AD.
'ipa trust-add' requires the Active Directory domain as an argument.
--
/ Alexander Bokovoy
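The first attempt in this thread passed the IPA DNS domain (unix.sbx.local) to `ipa trust-add` instead of the AD domain (sbx.local). Establishing a trust also requires that the IPA server can locate a domain controller for the AD domain, which it does through the DC locator SRV records AD publishes in DNS. The following pre-flight helper, an added example that is not part of the thread and not FreeIPA's own code, catches the wrong-domain mistake and checks that `dig +short SRV` returned an answer for each locator record. The `dig` output it consumes is constructed here; in practice you would feed it the real output of `dig +short SRV <name>` run on the IPA server.

```python
"""Pre-flight check before 'ipa trust-add' (added example, not FreeIPA code).

Verifies that the domain handed to trust-add is the AD domain rather than
the IPA domain, and that the AD domain's DC locator SRV records resolve.
"""
from __future__ import annotations

from dataclasses import dataclass


def dc_discovery_records(ad_domain: str) -> list[str]:
    """SRV names an AD domain publishes so clients can find a domain controller."""
    d = ad_domain.rstrip(".").lower()
    return [
        f"_ldap._tcp.dc._msdcs.{d}",
        f"_kerberos._tcp.dc._msdcs.{d}",
        f"_ldap._tcp.{d}",
        f"_kerberos._tcp.{d}",
    ]


@dataclass(frozen=True)
class SrvRecord:
    priority: int
    weight: int
    port: int
    target: str


def parse_dig_short_srv(output: str) -> list[SrvRecord]:
    """Parse 'dig +short SRV' lines such as '0 100 389 dc1.sbx.local.'.

    Lines that do not look like an SRV RR (blank lines, dig warnings) are
    skipped. Records come back in client-selection order: lowest priority
    first, higher weight first within a priority.
    """
    records: list[SrvRecord] = []
    for line in output.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue
        prio, weight, port, target = parts
        if not (prio.isdigit() and weight.isdigit() and port.isdigit()):
            continue
        records.append(
            SrvRecord(int(prio), int(weight), int(port), target.rstrip(".").lower())
        )
    return sorted(records, key=lambda r: (r.priority, -r.weight))


def check_trust_target(
    ipa_domain: str, ad_domain: str, srv_answers: dict[str, str]
) -> list[str]:
    """Return a list of problems; an empty list means the pre-flight passed.

    srv_answers maps each SRV name to the raw 'dig +short SRV' output for it.
    """
    problems: list[str] = []
    ipa = ipa_domain.rstrip(".").lower()
    ad = ad_domain.rstrip(".").lower()
    if ipa == ad:
        problems.append(
            f"{ad_domain} is the IPA domain itself; trust-add needs the AD domain"
        )
    for name in dc_discovery_records(ad):
        if not parse_dig_short_srv(srv_answers.get(name, "")):
            problems.append(f"no SRV answer for {name}: IPA cannot locate a DC")
    return problems


# Constructed sample answers, as 'dig +short SRV' would print them for a
# healthy AD domain with two domain controllers (hostnames are made up).
SAMPLE_ANSWERS = {
    "_ldap._tcp.dc._msdcs.sbx.local": "0 100 389 dc1.sbx.local.\n10 50 389 dc2.sbx.local.\n",
    "_kerberos._tcp.dc._msdcs.sbx.local": "0 100 88 dc1.sbx.local.\n10 50 88 dc2.sbx.local.\n",
    "_ldap._tcp.sbx.local": "0 100 389 dc1.sbx.local.\n",
    "_kerberos._tcp.sbx.local": "0 100 88 dc1.sbx.local.\n",
}

if __name__ == "__main__":
    # The thread's first attempt: IPA domain passed as the trust target.
    for p in check_trust_target("unix.sbx.local", "unix.sbx.local", {}):
        print("problem:", p)
    # The corrected target with working DC discovery.
    print("sbx.local problems:", check_trust_target("unix.sbx.local", "sbx.local", SAMPLE_ANSWERS))
```

Run the check on the IPA server that will issue `ipa trust-add`, because that is the resolver whose view of the AD domain matters; a DC that resolves from a workstation but not from the IPA host is still a failed pre-flight.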