[Freeipa-users] Issues creating trust with AD.

Genadi Postrilko genadipost at gmail.com
Fri Feb 21 21:17:38 UTC 2014


I would like to clarify myself; I wasn't accurate when I compared it to:
https://bugzilla.redhat.com/show_bug.cgi?id=878564.

I have tried to reproduce the bug by restarting the AD.

*I was able to perform winbindd commands:*

[root@ipaserver1 ~]# wbinfo -u
ADEXAMPLE\administrator
ADEXAMPLE\guest
ADEXAMPLE\genadi
ADEXAMPLE\krbtgt
ADEXAMPLE\linux$
ADEXAMPLE\daniel
[root@ipaserver1 ~]# wbinfo -g
admins
editors
default smb group
ad_users
ADEXAMPLE\domain computers
ADEXAMPLE\domain controllers
ADEXAMPLE\schema admins
ADEXAMPLE\enterprise admins
ADEXAMPLE\domain admins
ADEXAMPLE\domain users
ADEXAMPLE\domain guests
ADEXAMPLE\group policy creator owners
ADEXAMPLE\read-only domain controllers
ADEXAMPLE\enterprise read-only domain controllers
ADEXAMPLE\dnsupdateproxy
[root@ipaserver1 ~]# wbinfo -n "ADEXAMPLE\administrator"
S-1-5-21-2887728911-2909484380-3974070232-500 SID_USER (1)
[root@ipaserver1 ~]# wbinfo -n "ADEXAMPLE\guest"
S-1-5-21-2887728911-2909484380-3974070232-501 SID_USER (1)
[root@ipaserver1 ~]# wbinfo -n "ADEXAMPLE\genadi"
S-1-5-21-2887728911-2909484380-3974070232-1000 SID_USER (1)
[root@ipaserver1 ~]# wbinfo -n "ADEXAMPLE\krbtgt"
S-1-5-21-2887728911-2909484380-3974070232-502 SID_USER (1)
[root@ipaserver1 ~]# wbinfo -n "ADEXAMPLE\linux$"
S-1-5-21-2887728911-2909484380-3974070232-1104 SID_USER (1)
[root@ipaserver1 ~]# wbinfo -n "ADEXAMPLE\daniel"
S-1-5-21-2887728911-2909484380-3974070232-1105 SID_USER (1)

*But kinit with AD users failed:*

[root@ipaserver1 ~]# kinit Genadi@ADEXAMPLE.COM
kinit: Cannot resolve servers for KDC in realm "ADEXAMPLE.COM" while
getting initial credentials

*But after a few minutes I was able to kinit with AD users again:*

[root@ipaserver1 ~]# kinit Genadi@ADEXAMPLE.COM
Password for Genadi@ADEXAMPLE.COM:

I think I was too quick in drawing conclusions.
Not sure if opening a bug is needed.



2014-02-21 17:38 GMT+02:00 Simo Sorce <simo at redhat.com>:

> On Fri, 2014-02-21 at 00:27 +0200, Genadi Postrilko wrote:
> > Update:
> > For some reason the AD server has rebooted itself.
> > After the reboot I couldn't perform kinit with AD users.
> > I found a bugzilla that describes the symptoms that I experienced:
> > https://bugzilla.redhat.com/show_bug.cgi?id=878564
> > Not sure if it is the same bug - the bugzilla reports bug in
> > samba4-4.0.0-48.el6.rc4.x86_64
> > while my version is samba4-4.0.0-58.el6.rc4.x86_64 (after downgrade).
> >
> > I have rebooted the IPA server to see if it changes anything.
> > After the reboot I was able to kinit with AD users, but not only that -
> > now I am able to
> > log in with AD users to client machines.
> >
> > Any idea on what just happened?
>
> Sounds like a bug in winbindd which we currently use to talk to the
> Windows DCs for this functionality.
> Apparently winbindd failed to detect the DC came back online.
> A restart of the ipa server caused winbindd to restart and retry to get
> online.
>
> Can you please open a bug to track this issue ?
>
> Simo.
>
> --
> Simo Sorce * Red Hat, Inc * New York
>
>