[Freeipa-users] [SOLVED] Unable to establish trust with FreeIPA and Active Directory

Alexander Bokovoy abokovoy at redhat.com
Tue Apr 8 07:32:48 UTC 2014


On Tue, 08 Apr 2014, Sumit Bose wrote:
>On Tue, Apr 08, 2014 at 08:27:01AM +0300, Alexander Bokovoy wrote:
>> On Fri, 04 Apr 2014, Alexander Bokovoy wrote:
>> >>tevent: Destroying timer event 0x7facb82e9d30
>> >>"dcerpc_connect_timeout_handler"
>> >^^ stopped just short of authenticating to smbd prior to asking it for
>> >informational policy about the domain.
>> >
>> >This means there is some problem in what smbd thinks about your
>> >admin@UNIX account.
>> >
>> >Can you do following:
>> >
>> ># for i in /var/log/samba/log.* ; do echo > $i ; done
>> ># smbcontrol all debug 100
>> ># kinit admin@UNIX
>> ># ipa trust-add sbx.local ....
>> ># smbcontrol all debug 1
>> >
>> >now archive logs in /var/log/samba/log.* and send them to me privately.
>>
>> After several rounds of capturing logs, we've solved the issue by
>> finding out that the IPv6 stack was completely disabled on the machine.
>>
>> Even though certain security guides may suggest disabling the IPv6 stack
>> when it is not in use, this suggestion is not very usable. IPv4 and IPv6
>> share the same port range on the local side, so it is a recommended
>> programming practice for networking applications to only open IPv6
>> sockets. The standard C library (glibc, for example) transparently handles
>> both the IPv4 and IPv6 cases for the applications.
>>
>> Samba and some other FreeIPA components open their networking sockets
>> as IPv6 ones. Completely disabling the IPv6 stack on the machine causes
>> these requests to open a socket to fail, as the kernel will respond "do
>> not know this socket address family".
>>
>> If your security guidelines require disabling the IPv6 address space, please
>> don't add ipv6.disable=1 to the kernel command line to disable the whole
>> IPv6 stack. Instead, use ipv6.disable_ipv6=1. The latter option will
>> keep the IPv6 stack functional but will not assign IPv6 addresses to any
>> of your network devices. This is the recommended approach for cases when
>> you don't use IPv6 networking.
>>
>> Creating and adding to, for example, /etc/sysctl.d/ipv6.conf will avoid
>> assigning IPv6 addresses to a specific network interface:
>>
>>  # Disable IPv6
>>  net.ipv6.conf.all.disable_ipv6 = 1
>>  net.ipv6.conf.<interface0>.disable_ipv6 = 1
>>
>> where interface0 is your specialized interface. Note that all we
>> require is that the IPv6 stack is enabled at the kernel level, and this
>> has been the recommended way to develop networking applications for a
>> long time already.
>>
>> I've updated http://www.freeipa.org/page/Howto/IPAv3_AD_trust_setup
>> and http://www.freeipa.org/page/Deployment_Recommendations with this
>> information.
>
>Thank you for getting to the bottom of this. Do you think we should
>check these settings during ipa-adtrust-install or even during
>ipa-server-install?
I think we should do both.

-- 
/ Alexander Bokovoy
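The pre-install check discussed in the thread, written here as an added example (not FreeIPA's or Samba's own code). It separates the two configurations the message contrasts: ipv6.disable=1 on the kernel command line, which removes the whole stack so that opening an AF_INET6 socket fails with EAFNOSUPPORT, versus net.ipv6.conf.all.disable_ipv6=1, which keeps the stack but assigns no addresses. Function names, the verdict strings and the procfs paths are this example's assumptions; the live probe assumes a Linux host, and the sample command lines in the usage are constructed.

```python
"""Sanity check for the IPv6 stack before enabling an AD trust.

Example code, not part of FreeIPA. Distinguishes:
  - ipv6.disable=1 (boot parameter): IPv6 module never loads, AF_INET6
    sockets fail -> Samba and parts of FreeIPA cannot bind their sockets.
  - net.ipv6.conf.all.disable_ipv6=1 (sysctl): stack present, no IPv6
    addresses assigned -> harmless for Samba/FreeIPA, the recommended way.
"""
import errno
import socket
from pathlib import Path

# Verdict strings (chosen for this example)
STACK_DISABLED = "ipv6-stack-disabled"          # breaks Samba/FreeIPA
ADDRESSES_DISABLED = "ipv6-addresses-disabled"  # stack up, no addresses
IPV6_OK = "ipv6-ok"


def kernel_cmdline_disables_stack(cmdline: str) -> bool:
    """True when the boot command line carries ipv6.disable=1.
    ipv6.disable_ipv6=1 is a different, acceptable parameter."""
    return any(tok == "ipv6.disable=1" for tok in cmdline.split())


def af_inet6_socket_works() -> bool:
    """Open an IPv6 socket the way glibc-based daemons such as smbd do.
    With the stack disabled the kernel answers EAFNOSUPPORT
    ("address family not supported by protocol")."""
    try:
        sock = socket.socket(socket.AF_INET6, socket.SOCK_STREAM)
    except OSError as exc:
        if exc.errno == errno.EAFNOSUPPORT:
            return False
        raise
    sock.close()
    return True


def read_disable_ipv6_sysctl(proc_root: str = "/proc") -> bool:
    """Read net.ipv6.conf.all.disable_ipv6 via procfs (path is an
    assumption of this example). True means no IPv6 addresses are
    assigned, which is the setting the thread recommends."""
    path = Path(proc_root) / "sys/net/ipv6/conf/all/disable_ipv6"
    try:
        return path.read_text().strip() == "1"
    except FileNotFoundError:
        # The sysctl tree is absent when the ipv6 module is not loaded.
        return False


def classify_ipv6(stack_disabled_on_cmdline: bool,
                  af_inet6_ok: bool,
                  addresses_disabled: bool) -> str:
    """Combine the three observations into one verdict."""
    if stack_disabled_on_cmdline or not af_inet6_ok:
        return STACK_DISABLED
    if addresses_disabled:
        return ADDRESSES_DISABLED
    return IPV6_OK


def check_host(cmdline_path: str = "/proc/cmdline") -> str:
    """Live check of the machine this runs on (Linux assumed)."""
    cmdline = Path(cmdline_path).read_text()
    return classify_ipv6(kernel_cmdline_disables_stack(cmdline),
                         af_inet6_socket_works(),
                         read_disable_ipv6_sysctl())


if __name__ == "__main__":
    verdict = check_host()
    print(verdict)
    if verdict == STACK_DISABLED:
        print("ipv6.disable=1 detected: Samba/FreeIPA cannot open AF_INET6 "
              "sockets. Use net.ipv6.conf.all.disable_ipv6=1 instead.")
```

Run it on the IPA server before ipa-adtrust-install; a STACK_DISABLED verdict reproduces the failure mode in this thread (dcerpc connection never authenticates to smbd), while ADDRESSES_DISABLED matches the sysctl.d configuration quoted above and is fine.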
