[Freeipa-users] [SOLVED] Unable to establish trust with FreeIPA and Active Directory

Sumit Bose sbose at redhat.com
Tue Apr 8 07:20:04 UTC 2014


On Tue, Apr 08, 2014 at 08:27:01AM +0300, Alexander Bokovoy wrote:
> On Fri, 04 Apr 2014, Alexander Bokovoy wrote:
> >>tevent: Destroying timer event 0x7facb82e9d30
> >>"dcerpc_connect_timeout_handler"
> >^^ stopped just short of authenticating to smbd prior to asking it for
> >informational policy about the domain.
> >
> >This means there is some problem in what smbd thinks about your
> >admin at UNIX account.
> >
> >Can you do following:
> >
> ># for i in /var/log/samba/log.* ; do echo > $i ; done
> ># smbcontrol all debug 100
> ># kinit admin at UNIX
> ># ipa trust-add sbx.local ....
> ># smbcontrol all debug 1
> >
> >now archive logs in /var/log/samba/log.* and send them to me privately.
> 
> After several rounds of capturing logs, we've solved the issue by
> finding out that IPv6 stack was completely disabled on the machine.
> 
> Even though certain security guides may suggest disabling the IPv6 stack
> when it is not in use, this suggestion is not very usable. IPv4 and IPv6
> share the same port range on the local side, so it is a recommended
> programming practice for networking applications to only open IPv6
> sockets. The standard C library (glibc, for example) transparently handles
> both the IPv4 and IPv6 cases for applications.
> 
> Samba and some other FreeIPA components open their networking sockets
> as IPv6 ones. Completely disabling the IPv6 stack on the machine causes
> these requests to open a socket to fail, as the kernel will respond "do
> not know this socket address family".
> 
> If your security guidelines require disabling the IPv6 address space, please
> don't add ipv6.disable=1 to the kernel command line to disable the whole
> IPv6 stack. Instead, use ipv6.disable_ipv6=1. The latter option will
> keep the IPv6 stack functional but will not assign IPv6 addresses to any
> of your network devices. This is the recommended approach for cases where
> you don't use IPv6 networking.
> 
> Creating and adding to, for example, /etc/sysctl.d/ipv6.conf will avoid
> assigning IPv6 addresses to a specific network interface:
> 
>  # Disable IPv6
>  net.ipv6.conf.all.disable_ipv6 = 1
>  net.ipv6.conf.<interface0>.disable_ipv6 = 1
> 
> where interface0 is your specialized interface. Note that all we
> require is that the IPv6 stack is enabled at the kernel level, and this
> has been the recommended way to develop networking applications for a
> long time.
> 
> I've updated http://www.freeipa.org/page/Howto/IPAv3_AD_trust_setup
> and http://www.freeipa.org/page/Deployment_Recommendations with this
> information.

Thank you for getting to the bottom of this. Do you think we should
check these settings during ipa-adtrust-install or even during
ipa-server-install?

bye,
Sumit

> 
> 
> -- 
> / Alexander Bokovoy
> 
> _______________________________________________
> Freeipa-users mailing list
> Freeipa-users at redhat.com
> https://www.redhat.com/mailman/listinfo/freeipa-users
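The kind of pre-flight check Sumit asks about, written out as an added example. This is not FreeIPA, Samba or Red Hat code; it is illustration only. It separates the two states discussed in the thread: a kernel booted with ipv6.disable=1, where socket(AF_INET6, ...) fails outright and Samba/FreeIPA listeners cannot come up, versus a stack that is present but has net.ipv6.conf.all.disable_ipv6=1, where sockets work and no addresses are assigned. Assumptions: Linux with /proc mounted, and that the kernel's "do not know this socket address family" answer surfaces as errno EAFNOSUPPORT (which is what Linux returns for an AF_INET6 socket() when the stack is absent). The function and constant names are mine, not anything in ipa-server-install.

```python
"""Added example: pre-flight check for the IPv6 stack condition described
in the thread. Not FreeIPA/Samba code. Assumes Linux and /proc, and that
"address family not supported" maps to errno.EAFNOSUPPORT.
"""
import errno
import os
import socket
from pathlib import Path

DISABLE_IPV6_SYSCTL = Path("/proc/sys/net/ipv6/conf/all/disable_ipv6")
KERNEL_NO_IPV6 = errno.EAFNOSUPPORT  # assumed errno for "do not know this address family"


def ipv6_socket_available():
    """Try to open an AF_INET6 socket the way Samba does for its listeners.

    Returns (True, None) on success, (False, errno) on failure. Only the
    socket() call is exercised: no bind, no traffic, so this is safe to run
    on a production host during installation.
    """
    try:
        sock = socket.socket(socket.AF_INET6, socket.SOCK_STREAM)
    except OSError as exc:
        return False, exc.errno
    sock.close()
    return True, None


def read_disable_ipv6(path=DISABLE_IPV6_SYSCTL):
    """Return net.ipv6.conf.all.disable_ipv6 as an int, or None if unreadable."""
    try:
        return int(path.read_text().strip())
    except (OSError, ValueError):
        return None


def classify(socket_ok, socket_errno, disable_ipv6):
    """Map probe results to (verdict, message).

    Pure function: the decision logic can be tested on a machine whose IPv6
    state differs from the one being described.
    """
    if not socket_ok:
        if socket_errno == KERNEL_NO_IPV6:
            return ("fail", "IPv6 stack disabled at the kernel level (ipv6.disable=1?): "
                            "Samba and FreeIPA cannot open AF_INET6 sockets; use "
                            "ipv6.disable_ipv6=1 or the disable_ipv6 sysctl instead")
        reason = os.strerror(socket_errno) if socket_errno else "unknown error"
        return ("fail", f"cannot create AF_INET6 socket: {reason}")
    if disable_ipv6 == 1:
        return ("ok", "IPv6 stack present, no IPv6 addresses assigned "
                      "(disable_ipv6=1): supported configuration")
    if disable_ipv6 == 0:
        return ("ok", "IPv6 stack present and addresses may be assigned")
    return ("warn", "AF_INET6 socket works but the disable_ipv6 sysctl is unreadable")


def sysctl_fragment(interface):
    """Render the /etc/sysctl.d fragment from the message above for one interface."""
    return (
        "# Disable IPv6 addresses but keep the kernel IPv6 stack\n"
        "net.ipv6.conf.all.disable_ipv6 = 1\n"
        f"net.ipv6.conf.{interface}.disable_ipv6 = 1\n"
    )


def check_ipv6_stack():
    """Run the probe on this host and return (verdict, message)."""
    ok, err = ipv6_socket_available()
    return classify(ok, err, read_disable_ipv6() if ok else None)


if __name__ == "__main__":
    verdict, message = check_ipv6_stack()
    print(f"[{verdict}] {message}")
    raise SystemExit(1 if verdict == "fail" else 0)
```

Run it before ipa-adtrust-install; a "fail" verdict is the ipv6.disable=1 case that cost several rounds of Samba debug logs above, while "ok" with disable_ipv6=1 is the configuration Alexander recommends. The probe deliberately stops at socket() because that is the exact call that fails when the stack is compiled out or disabled on the kernel command line.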