[Freeipa-users] [SOLVED] Unable to establish trust with FreeIPA and Active Directory
Dmitri Pal
dpal at redhat.com
Tue Apr 8 13:44:52 UTC 2014
On 04/08/2014 03:32 AM, Alexander Bokovoy wrote:
> On Tue, 08 Apr 2014, Sumit Bose wrote:
>> On Tue, Apr 08, 2014 at 08:27:01AM +0300, Alexander Bokovoy wrote:
>>> On Fri, 04 Apr 2014, Alexander Bokovoy wrote:
>>> >>tevent: Destroying timer event 0x7facb82e9d30
>>> >>"dcerpc_connect_timeout_handler"
>>> >^^ stopped just short of authenticating to smbd prior to ask it for
>>> >informational policy about the domain.
>>> >
>>> >This means there is some problem in what smbd thinks about your
>>> >admin at UNIX account.
>>> >
>>> >Can you do following:
>>> >
>>> ># for i in /var/log/samba/log.* ; do echo > $i ; done
>>> ># smbcontrol all debug 100
>>> ># kinit admin at UNIX
>>> ># ipa trust-add sbx.local ....
>>> ># smbcontrol all debug 1
>>> >
>>> >now archive logs in /var/log/samba/log.* and send them to me
>>> privately.
>>>
>>> After several rounds of capturing logs, we've solved the issue by
>>> finding out that the IPv6 stack was completely disabled on the machine.
>>>
>>> Even though certain security guides may suggest disabling the IPv6 stack
>>> when it is not in use, this suggestion is not very usable. IPv4 and IPv6
>>> share the same port range on the local side, so it is a recommended
>>> programming practice for networking applications to only open IPv6
>>> sockets. The standard C library (glibc, for example) transparently handles
>>> both the IPv4 and IPv6 cases for the applications.
>>>
>>> Samba and some other FreeIPA components open their networking sockets
>>> as IPv6 ones. Completely disabling the IPv6 stack on the machine causes
>>> these requests to open a socket to fail, as the kernel will be responding
>>> "do not know this socket address family".
>>>
>>> If your security guidelines require disabling the IPv6 address space, please
>>> don't add ipv6.disable=1 to the kernel command line to disable the whole
>>> IPv6 stack. Instead, use ipv6.disable_ipv6=1. The latter option will
>>> keep the IPv6 stack functional but will not assign IPv6 addresses to any
>>> of your network devices. This is the recommended approach for cases when
>>> you don't use IPv6 networking.
>>>
>>> Creating and adding to, for example, /etc/sysctl.d/ipv6.conf will avoid
>>> assigning IPv6 addresses to a specific network interface:
>>>
>>> # Disable IPv6
>>> net.ipv6.conf.all.disable_ipv6 = 1
>>> net.ipv6.conf.<interface0>.disable_ipv6 = 1
>>>
>>> where interface0 is your specialized interface. Note that all we are
>>> requiring is that the IPv6 stack is enabled at the kernel level, and this
>>> has been the recommended way to develop networking applications for a long
>>> time already.
>>>
>>> I've updated http://www.freeipa.org/page/Howto/IPAv3_AD_trust_setup
>>> and http://www.freeipa.org/page/Deployment_Recommendations with this
>>> information.
>>
>> Thank you for getting to the bottom of this. Do you think we should
>> check these settings during ipa-adtrust-install or even during
>> ipa-server-install?
> I think we should do both.
>
Should we file a ticket?
--
Thank you,
Dmitri Pal
Sr. Engineering Manager IdM portfolio
Red Hat, Inc.
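The thread distinguishes a fully disabled IPv6 stack (ipv6.disable=1 on the kernel command line, which makes AF_INET6 socket creation fail) from merely unassigned IPv6 addresses (ipv6.disable_ipv6=1 or the disable_ipv6 sysctl, which leaves the stack usable), and asks whether the installers should check for it. The following is an added preflight sketch written for this page, not FreeIPA's own code: it classifies a host from its kernel command line and the net.ipv6.conf.all.disable_ipv6 sysctl, and separately probes whether an AF_INET6 socket can actually be opened, which is the symptom Samba hits. The function and file names are the author's assumptions; the sample command lines in the usage section are constructed.

```python
"""Preflight check for the IPv6 requirement discussed in the thread.

Added example; not part of FreeIPA or Samba. Assumes a Linux host where
/proc/cmdline and /proc/sys/net/ipv6/conf/all/disable_ipv6 are readable.
"""
import errno
import re
import socket
from pathlib import Path
from typing import Optional, Tuple

# Outcomes of classify_ipv6(): only STACK_DISABLED breaks IPv6-only sockets.
STACK_DISABLED = "stack-disabled"        # ipv6.disable=1: AF_INET6 unusable
ADDRESSES_DISABLED = "addresses-disabled"  # ipv6.disable_ipv6=1 / sysctl: stack OK, no addresses
ENABLED = "enabled"

# Matches the exact token ipv6.disable=1 (not ipv6.disable_ipv6=1).
_STACK_OFF = re.compile(r"(^|\s)ipv6\.disable=1(\s|$)")
_ADDRS_OFF = re.compile(r"(^|\s)ipv6\.disable_ipv6=1(\s|$)")


def classify_ipv6(cmdline: str, all_disable_ipv6_sysctl: str) -> str:
    """Classify the host's IPv6 state from the kernel command line text and
    the contents of /proc/sys/net/ipv6/conf/all/disable_ipv6 ("0" or "1")."""
    if _STACK_OFF.search(cmdline):
        return STACK_DISABLED
    if _ADDRS_OFF.search(cmdline) or all_disable_ipv6_sysctl.strip() == "1":
        return ADDRESSES_DISABLED
    return ENABLED


def ipv6_sockets_expected_to_work(state: str) -> bool:
    """True when applications that open only IPv6 sockets (Samba, parts of
    FreeIPA) should still be able to create them."""
    return state in (ENABLED, ADDRESSES_DISABLED)


def probe_af_inet6() -> Tuple[bool, Optional[int]]:
    """Try to create an AF_INET6 socket, as Samba does. Returns (ok, errno).
    With the stack disabled the kernel answers EAFNOSUPPORT, the
    "do not know this socket address family" failure described above."""
    try:
        sock = socket.socket(socket.AF_INET6, socket.SOCK_STREAM)
    except OSError as exc:
        return False, exc.errno
    sock.close()
    return True, None


def read_host_state(proc_root: str = "/proc") -> str:
    """Read the live host's state (only meaningful on Linux)."""
    root = Path(proc_root)
    cmdline = (root / "cmdline").read_text()
    sysctl_path = root / "sys/net/ipv6/conf/all/disable_ipv6"
    # A missing sysctl file means the ipv6 module never initialised: stack off.
    if not sysctl_path.exists():
        return STACK_DISABLED
    return classify_ipv6(cmdline, sysctl_path.read_text())


if __name__ == "__main__":
    # Constructed command lines, in the two shapes the thread contrasts.
    for sample in ("BOOT_IMAGE=/vmlinuz ro ipv6.disable=1",
                   "BOOT_IMAGE=/vmlinuz ro ipv6.disable_ipv6=1"):
        state = classify_ipv6(sample, "0")
        print(f"{sample!r}: {state}, IPv6-only sockets OK: "
              f"{ipv6_sockets_expected_to_work(state)}")
    ok, err = probe_af_inet6()
    if not ok:
        print("AF_INET6 socket failed:", errno.errorcode.get(err, err))
    else:
        print("AF_INET6 socket created: trust setup will not hit this failure")
```

An installer-side check would call read_host_state() and refuse to proceed (or warn) on STACK_DISABLED, and could additionally run probe_af_inet6() so that a host disabled through some other mechanism is also caught by the symptom rather than only by the configuration.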