[Freeipa-users] Unable to establish trust with FreeIPA and Active Directory

Redmond, Stacy stacy.redmond at blueshieldca.com
Fri Apr 4 15:31:54 UTC 2014


We will be using unix as the Kerberos realm and unix.sbx.local as the
domain so we can use SRV records for the unix hosts to point at IPA.
The AD domain is sbx.local; here is the output using the AD domain:

[root at linuxtest1 ~]# ipa trust-add --type=ad sbx.local --admin Administrator --password
Active directory domain administrator's password:
ipa: ERROR: Cannot find specified domain or server name
[root at linuxtest1 ~]# cat /var/log/httpd/error_log
lpcfg_load: refreshing parameters from /usr/share/ipa/smb.conf.empty
params.c:pm_process() - Processing configuration file "/usr/share/ipa/smb.conf.empty"
Processing section "[global]"
INFO: Current debug levels:
  all: 100
  tdb: 100
  printdrivers: 100
  lanman: 100
  smb: 100
  rpc_parse: 100
  rpc_srv: 100
  rpc_cli: 100
  passdb: 100
  sam: 100
  auth: 100
  winbind: 100
  vfs: 100
  idmap: 100
  quota: 100
  acls: 100
  locking: 100
  msdfs: 100
  dmapi: 100
  registry: 100
pm_process() returned Yes
Using binding ncacn_np:linuxtest1.unix.sbx.local[,]
tevent: Added timed event "dcerpc_connect_timeout_handler": 0x7facb82e9d30
tevent: Added timed event "composite_trigger": 0x7facb80a8de0
tevent: Added timed event "composite_trigger": 0x7facb80a9710
tevent: Running timer event 0x7facb80a8de0 "composite_trigger"
tevent: Destroying timer event 0x7facb80a9710 "composite_trigger"
Mapped to DCERPC endpoint \pipe\lsarpc
added interface eth0 ip=10.130.82.68 bcast=10.130.82.255 netmask=255.255.255.0
added interface eth0 ip=10.130.82.68 bcast=10.130.82.255 netmask=255.255.255.0
tevent: Ending timer event 0x7facb80a8de0 "composite_trigger"
tevent: Added timed event "connect_multi_timer": 0x7facb81bf0e0
tevent: Schedule immediate event "tevent_req_trigger": 0x7facb81bfa10
tevent: Run immediate event "tevent_req_trigger": 0x7facb81bfa10
tevent: Destroying timer event 0x7facb81bf0e0 "connect_multi_timer"
Socket options:
        SO_KEEPALIVE = 0
        SO_REUSEADDR = 0
        SO_BROADCAST = 0
        TCP_NODELAY = 1
        TCP_KEEPCNT = 9
        TCP_KEEPIDLE = 7200
        TCP_KEEPINTVL = 75
        IPTOS_LOWDELAY = 0
        IPTOS_THROUGHPUT = 0
        SO_REUSEPORT = 0
        SO_SNDBUF = 169160
        SO_RCVBUF = 87380
        SO_SNDLOWAT = 1
        SO_RCVLOWAT = 1
        SO_SNDTIMEO = 0
        SO_RCVTIMEO = 0
        TCP_QUICKACK = 1
        TCP_DEFER_ACCEPT = 0
tevent: Added timed event "tevent_req_timedout": 0x7facb814b930
tevent: Schedule immediate event "tevent_queue_immediate_trigger": 0x7facb8156ab0
tevent: Run immediate event "tevent_queue_immediate_trigger": 0x7facb8156ab0
tevent: Destroying timer event 0x7facb814b930 "tevent_req_timedout"
Starting GENSEC mechanism spnego
Starting GENSEC submechanism gssapi_krb5
Ticket in credentials cache for admin at UNIX will expire in 31325 secs
tevent: Added timed event "tevent_req_timedout": 0x7facb82715b0
tevent: Schedule immediate event "tevent_queue_immediate_trigger": 0x7facb8156ab0
tevent: Run immediate event "tevent_queue_immediate_trigger": 0x7facb8156ab0
tevent: Destroying timer event 0x7facb82715b0 "tevent_req_timedout"
gensec_gssapi: NO credentials were delegated
GSSAPI Connection will be cryptographically sealed
tevent: Added timed event "tevent_req_timedout": 0x7facb814c340
tevent: Schedule immediate event "tevent_queue_immediate_trigger": 0x7facb8156ab0
tevent: Run immediate event "tevent_queue_immediate_trigger": 0x7facb8156ab0
tevent: Destroying timer event 0x7facb814c340 "tevent_req_timedout"
tevent: Added timed event "tevent_req_timedout": 0x7facb814c340
tevent: Schedule immediate event "tevent_queue_immediate_trigger": 0x7facb8156ab0
tevent: Run immediate event "tevent_queue_immediate_trigger": 0x7facb8156ab0
tevent: Destroying timer event 0x7facb814c340 "tevent_req_timedout"
tevent: Destroying timer event 0x7facb82e9d30 "dcerpc_connect_timeout_handler"
[Fri Apr 04 08:28:21 2014] [error] ipa: INFO: admin at UNIX: trust_add(u'sbx.local', trust_type=u'ad', realm_admin=u'Administrator', realm_passwd=u'********', range_size=200000, all=False, raw=False, version=u'2.49'): NotFound
[root at linuxtest1 ~]#

-----Original Message-----
From: Alexander Bokovoy [mailto:abokovoy at redhat.com] 
Sent: Friday, April 04, 2014 8:25 AM
To: Redmond, Stacy
Cc: freeipa-users at redhat.com
Subject: Re: [Freeipa-users] Unable to establish trust with FreeIPA and
Active Directory

On Fri, 04 Apr 2014, Redmond, Stacy wrote:
>You are absolutely right, I had rebuilt the server, and had forgotten 
>to put the log level back in, here it is.
>
>[root at linuxtest1 ~]# cat /var/log/httpd/error_log /dev/null
>lpcfg_load: refreshing parameters from /usr/share/ipa/smb.conf.empty
>params.c:pm_process() - Processing configuration file "/usr/share/ipa/smb.conf.empty"
>Processing section "[global]"
>INFO: Current debug levels:
>  all: 100
>  tdb: 100
>  printdrivers: 100
>  lanman: 100
>  smb: 100
>  rpc_parse: 100
>  rpc_srv: 100
>  rpc_cli: 100
>  passdb: 100
>  sam: 100
>  auth: 100
>  winbind: 100
>  vfs: 100
>  idmap: 100
>  quota: 100
>  acls: 100
>  locking: 100
>  msdfs: 100
>  dmapi: 100
>  registry: 100
>pm_process() returned Yes
>Using binding ncacn_np:linuxtest1.unix.sbx.local[,]
^^ we first try to talk to local smbd process.

>tevent: Destroying timer event 0x7facb8292850 "tevent_req_timedout"
>tevent: Destroying timer event 0x7facb82d32b0 "dcerpc_connect_timeout_handler"
>[Fri Apr 04 06:59:43 2014] [error] ipa: INFO: admin at UNIX: trust_add(u'unix.sbx.local', trust_type=u'ad',
What is 'unix.sbx.local'? Is this an Active Directory domain? From your
log I gather that it is a FreeIPA domain, not AD.

'ipa trust-add' requires an Active Directory domain as an argument.

--
/ Alexander Bokovoy
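The NotFound that trust_add logs above means FreeIPA could not locate a domain controller for the name it was given. FreeIPA finds AD domain controllers through DNS (SRV records published by the AD domain), so a domain whose SRV records do not resolve from the IPA server fails before any LSA RPC to a DC is attempted. The following is an added example, not code from this thread or from the FreeIPA project: a POSIX shell pre-flight check that lists the SRV names a healthy AD domain publishes (the _msdcs and plain _ldap/_kerberos names are an assumption about what the AD domain advertises, not something the thread states), parses 'dig +short SRV' answers, and reports any name that does not resolve. The domain names are the thread's; the SRV answers used for the offline demonstration are constructed.

```shell
#!/bin/sh
# Added example (not from the thread or FreeIPA): check, from the IPA
# server, that the AD domain named on the 'ipa trust-add' command line
# can be discovered through DNS before running the trust command.

# SRV names an AD domain publishes for DC discovery (assumption: the
# standard _msdcs and plain _ldap/_kerberos records). $1 is the AD domain.
ad_srv_names() {
    d=$1
    printf '%s\n' \
        "_ldap._tcp.dc._msdcs.$d" \
        "_kerberos._tcp.dc._msdcs.$d" \
        "_ldap._tcp.$d" \
        "_kerberos._tcp.$d"
}

# Read one 'dig +short SRV' answer set on stdin, one record per line as
# "priority weight port target.". Print each DC as "target:port" (trailing
# dot stripped) and return 1 if no well-formed record was present, so an
# empty or garbage answer counts as "no DC found".
parse_srv() {
    found=0
    while read -r prio weight port target; do
        case "$port" in
            ''|*[!0-9]*) continue ;;   # not a numeric port: skip the line
        esac
        [ -n "$target" ] || continue
        printf '%s:%s\n' "${target%.}" "$port"
        found=1
    done
    [ "$found" -eq 1 ]
}

# Guard for the mistake discussed in the thread: the argument to
# 'ipa trust-add' must be the AD domain, never the IPA domain itself.
trust_target_ok() {
    ad=$1
    ipa=$2
    [ -n "$ad" ] && [ "$ad" != "$ipa" ]
}

# Live check: query every SRV name with dig and report what is missing.
# Returns non-zero if any lookup yields no usable record. Run on the IPA
# server as:  check_ad_dns sbx.local
check_ad_dns() {
    rc=0
    for name in $(ad_srv_names "$1"); do
        if dig +short SRV "$name" 2>/dev/null | parse_srv >/dev/null; then
            echo "ok      $name"
        else
            echo "MISSING $name"
            rc=1
        fi
    done
    return $rc
}

# Offline demonstration with a constructed answer set (no network needed).
demo_good='0 100 389 dc1.sbx.local.
0 100 389 dc2.sbx.local.'

parse_srv <<EOF
$demo_good
EOF
# prints:
#   dc1.sbx.local:389
#   dc2.sbx.local:389

if trust_target_ok unix.sbx.local unix.sbx.local; then
    echo "unexpected: IPA domain accepted as trust target"
else
    echo "refused: unix.sbx.local is the IPA domain, not an AD domain"
fi
```

A name reported as MISSING is the thing to fix (DNS forwarding or delegation between the IPA and AD zones) before retrying ipa trust-add; the check deliberately does not talk to a DC, so it does not need the AD administrator credentials that trust-add prompts for.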