[Freeipa-users] AD trust showing offline after reboot
Supratik Goswami
supratiksekhar at gmail.com
Mon May 19 10:59:24 UTC 2014
Hi
Let me start from the beginning once again and explain the steps I
followed during the setup.
I am setting up the environment in Amazon AWS, both Windows AD server and
Linux IPA configured in EC2.
For configuring Windows 2008 I selected
Windows_Server-2008-R2_SP1-English-64Bit-Base-2014.04.09 (ami-df8e93b6)
and for configuring IPA server I selected CentOS 6.5 (x86_64) - Release
Media (ami-8997afe0).
I followed the steps from
http://www.freeipa.org/page/Howto/IPAv3_AD_trust_setup and also kept the
domain names similar to those in the example.
IPA server hostname: ipaserver
IPA domain: ipadomain.example.com
IPA NetBIOS: IPADOMAIN
AD DC hostname: adserver
AD domain: addomain.example.com
AD NetBIOS: ADDOMAIN
1. Updated the system and installed the packages.
# yum update -y
# yum install -y "*ipa-server" "*ipa-server-trust-ad" samba4-winbind-clients samba4-winbind samba4-client bind bind-dyndb-ldap
The important packages installed during the update are as follows.
bind x86_64 32:9.8.2-0.23.rc1.el6_5.1
bind-dyndb-ldap x86_64 2.3-5.el6
ipa-server x86_64 3.0.0-37.el6
ipa-server-trust-ad x86_64 3.0.0-37.el6
ipa-admintools x86_64 3.0.0-37.el6
ipa-client x86_64 3.0.0-37.el6
ipa-pki-ca-theme noarch 9.0.3-7.el6
ipa-pki-common-theme noarch 9.0.3-7.el6
ipa-python x86_64 3.0.0-37.el6
ipa-server-selinux x86_64 3.0.0-37.el6
samba4-client x86_64 4.0.0-61.el6_5.rc4
samba4-winbind x86_64 4.0.0-61.el6_5.rc4
samba4-winbind-clients x86_64 4.0.0-61.el6_5.rc4
samba4 x86_64 4.0.0-61.el6_5.rc4
samba4-common x86_64 4.0.0-61.el6_5.rc4
samba4-libs x86_64 4.0.0-61.el6_5.rc4
samba4-python x86_64 4.0.0-61.el6_5.rc4
389-ds-base x86_64 1.2.11.15-32.el6_5
389-ds-base-libs x86_64 1.2.11.15-32.el6_5
certmonger x86_64 0.61-3.el6
krb5-server x86_64 1.10.3-15.el6_5.1
krb5-workstation x86_64 1.10.3-15.el6_5.1
sssd x86_64 1.9.2-129.el6_5.4
sssd-client x86_64 1.9.2-129.el6_5.4
2. System details
[root at ipaserver ~]# hostname
ipaserver.ipadomain.example.com
[root at ipaserver ~]# cat /etc/issue
CentOS release 6.5 (Final)
Kernel \r on an \m
[root at ipaserver ~]# uname -a
Linux ipaserver.ipadomain.example.com 2.6.32-431.17.1.el6.x86_64 #1 SMP Wed May 7 23:32:49 UTC 2014 x86_64 x86_64 x86_64 GNU/Linux
[root at ipaserver ~]# cat /etc/hosts
127.0.0.1 localhost.localdomain localhost
::1 localhost6.localdomain6 localhost6
10.21.0.121 ipaserver.ipadomain.example.com ipaserver
3. Install IPA server
[root at ipaserver ~]# ipa-server-install --domain=ipadomain.example.com --realm=IPADOMAIN.EXAMPLE.COM --setup-dns --no-forwarders
The IPA Master Server will be configured with:
Hostname: ipaserver.ipadomain.example.com
IP address: 10.21.0.121
Domain name: ipadomain.example.com
Realm name: IPADOMAIN.EXAMPLE.COM
BIND DNS server will be configured to serve IPA domain with:
Forwarders: No forwarders
Reverse zone: 0.21.10.in-addr.arpa.
...
...
The install was successful and no errors during the installation.
4. Login as admin and verify IPA users are available to the system service
[root at ipaserver ~]# kinit admin
Password for admin at IPADOMAIN.EXAMPLE.COM:
[root at ipaserver ~]# id admin
uid=189600000(admin) gid=189600000(admins) groups=189600000(admins)
[root at ipaserver ~]# getent passwd admin
admin:*:189600000:189600000:Administrator:/home/admin:/bin/bash
5. Configure IPA server for cross-realm trust.
[root at ipaserver ~]# ipa-adtrust-install --netbios-name=IPADOMAIN
The log file for this installation can be found in
/var/log/ipaserver-install.log
==============================================================================
This program will setup components needed to establish trust to AD domains
for the FreeIPA Server.
This includes:
* Configure Samba
* Add trust related objects to FreeIPA LDAP server
...
...
All completed successfully.
6. I disabled the firewall, including at boot time.
[root at ipaserver ~]# chkconfig --list iptables
iptables 0:off 1:off 2:off 3:off 4:off 5:off 6:off
7. DNS configuration
On windows:
C:\Windows\system32>dnscmd 127.0.0.1 /ZoneAdd
ipadomain.example.com/Forwarder 10.21.0.121
DNS Server 127.0.0.1 created zone ipadomain.example.com:
Command completed successfully.
On Linux:
[root at ipaserver ~]# ipa dnszone-add addomain.example.com --name-server=adserver.addomain.example.com --admin-email='hostmaster at addomain.example.com' --force --forwarder=10.21.0.231 --forward-policy=only --ip-address=10.21.0.231
Zone name: addomain.example.com
Authoritative nameserver: adserver.addomain.example.com
Administrator e-mail address: hostmaster.addomain.example.com.
SOA serial: 1400486308
SOA refresh: 3600
SOA retry: 900
SOA expire: 1209600
SOA minimum: 3600
BIND update policy: grant IPADOMAIN.EXAMPLE.COM krb5-self * A; grant IPADOMAIN.EXAMPLE.COM krb5-self * AAAA; grant IPADOMAIN.EXAMPLE.COM krb5-self * SSHFP;
Active zone: TRUE
Dynamic update: FALSE
Allow query: any;
Allow transfer: none;
Zone forwarders: 10.21.0.231
Forward policy: only
Verify DNS configuration:
In Windows AD:-
C:\Windows\system32>nslookup
Default Server: localhost
Address: 127.0.0.1
> set type=SRV
> _ldap._tcp.addomain.example.com
Server: localhost
Address: 127.0.0.1
_ldap._tcp.addomain.example.com SRV service location:
priority = 0
weight = 100
port = 389
svr hostname = adserver.addomain.example.com
adserver.addomain.example.com internet address = 10.21.0.231
> _ldap._tcp.ipadomain.example.com
Server: localhost
Address: 127.0.0.1
Non-authoritative answer:
_ldap._tcp.ipadomain.example.com SRV service location:
priority = 0
weight = 100
port = 389
svr hostname = ipaserver.ipadomain.example.com
ipaserver.ipadomain.example.com internet address = 10.21.0.121
> quit
In Linux IPA:-
[root at ipaserver ~]# dig SRV _ldap._tcp.addomain.example.com
; <<>> DiG 9.8.2rc1-RedHat-9.8.2-0.23.rc1.el6_5.1 <<>> SRV _ldap._tcp.addomain.example.com
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 40705
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1
;; QUESTION SECTION:
;_ldap._tcp.addomain.example.com. IN SRV
;; ANSWER SECTION:
_ldap._tcp.addomain.example.com. 588 IN SRV 0 100 389 adserver.addomain.example.com.
;; ADDITIONAL SECTION:
adserver.addomain.example.com. 3588 IN A 10.21.0.231
;; Query time: 0 msec
;; SERVER: 10.21.0.121#53(10.21.0.121)
;; WHEN: Mon May 19 08:02:20 2014
;; MSG SIZE rcvd: 114
[root at ipaserver ~]# dig SRV _ldap._tcp.ipadomain.example.com
; <<>> DiG 9.8.2rc1-RedHat-9.8.2-0.23.rc1.el6_5.1 <<>> SRV _ldap._tcp.ipadomain.example.com
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 63334
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 1
;; QUESTION SECTION:
;_ldap._tcp.ipadomain.example.com. IN SRV
;; ANSWER SECTION:
_ldap._tcp.ipadomain.example.com. 86400 IN SRV 0 100 389 ipaserver.ipadomain.example.com.
;; AUTHORITY SECTION:
ipadomain.example.com. 86400 IN NS ipaserver.ipadomain.example.com.
;; ADDITIONAL SECTION:
ipaserver.ipadomain.example.com. 1200 IN A 10.21.0.121
;; Query time: 1 msec
;; SERVER: 10.21.0.121#53(10.21.0.121)
;; WHEN: Mon May 19 08:02:44 2014
;; MSG SIZE rcvd: 131
8. Add trust with AD domain
[root at ipaserver ~]# ipa trust-add --type=ad addomain.example.com --admin Administrator --password
Active directory domain administrator's password:
-------------------------------------------------------------
Added Active Directory trust for realm "addomain.example.com"
-------------------------------------------------------------
Realm name: addomain.example.com
Domain NetBIOS name: ADDOMAIN
Domain Security Identifier: S-1-5-21-2212595442-2951398754-4232868618
Trust direction: Two-way trust
Trust type: Active Directory domain
Trust status: Established and verified
9. Updated Kerberos configuration.
[root at ipaserver ~]# cat /etc/krb5.conf
includedir /var/lib/sss/pubconf/krb5.include.d/
[logging]
default = FILE:/var/log/krb5libs.log
kdc = FILE:/var/log/krb5kdc.log
admin_server = FILE:/var/log/kadmind.log
[libdefaults]
default_realm = IPADOMAIN.EXAMPLE.COM
dns_lookup_realm = false
dns_lookup_kdc = true
rdns = false
ticket_lifetime = 24h
forwardable = yes
[realms]
IPADOMAIN.EXAMPLE.COM = {
kdc = ipaserver.ipadomain.example.com:88
master_kdc = ipaserver.ipadomain.example.com:88
admin_server = ipaserver.ipadomain.example.com:749
default_domain = ipadomain.example.com
pkinit_anchors = FILE:/etc/ipa/ca.crt
auth_to_local = RULE:[1:$1@$0](^.*@ADDOMAIN.EXAMPLE.COM$)s/@ADDOMAIN.EXAMPLE.COM/@addomain.example.com/
auth_to_local = DEFAULT
}
[domain_realm]
.ipadomain.example.com = IPADOMAIN.EXAMPLE.COM
ipadomain.example.com = IPADOMAIN.EXAMPLE.COM
[dbmodules]
IPADOMAIN.EXAMPLE.COM = {
db_library = ipadb.so
}
10. Allow AD users to access resources in IPA domain
[root at ipaserver ~]# ipa group-add --desc='addomain.example.com admins external map' ad_admins_external --external
--------------------------------
Added group "ad_admins_external"
--------------------------------
Group name: ad_admins_external
Description: addomain.example.com admins external map
[root at ipaserver ~]# ipa group-add --desc='addomain.example.com admins' ad_admins
-----------------------
Added group "ad_admins"
-----------------------
Group name: ad_admins
Description: addomain.example.com admins
GID: 189600004
[root at ipaserver ~]# ipa group-add-member ad_admins_external --external 'ADDOMAIN\Domain Admins'
[member user]:
[member group]:
Group name: ad_admins_external
Description: addomain.example.com admins external map
External member: S-1-5-21-2212595442-2951398754-4232868618-512
-------------------------
Number of members added 1
-------------------------
[root at ipaserver ~]# ipa group-add-member ad_admins --groups ad_admins_external
Group name: ad_admins
Description: addomain.example.com admins
GID: 189600004
Member groups: ad_admins_external
-------------------------
Number of members added 1
-------------------------
11. Verifying trust
[root at ipaserver ~]# wbinfo -n 'ADDOMAIN\Domain Admins'
failed to call wbcLookupName: WBC_ERR_DOMAIN_NOT_FOUND
Could not lookup name ADDOMAIN\Domain Admins
[root at ipaserver ~]# wbinfo -u
[root at ipaserver ~]# ipa trust-find
---------------
1 trust matched
---------------
Realm name: addomain.example.com
Domain NetBIOS name: ADDOMAIN
Domain Security Identifier: S-1-5-21-2212595442-2951398754-4232868618
Trust type: Active Directory domain
----------------------------
Number of entries returned 1
----------------------------
[root at ipaserver ~]# ipa trust-show
Realm name: ADDOMAIN.EXAMPLE.COM
Realm name: addomain.example.com
Domain NetBIOS name: ADDOMAIN
Domain Security Identifier: S-1-5-21-2212595442-2951398754-4232868618
Trust direction: Two-way trust
Trust type: Active Directory domain
Please note the error message while verifying the trust. I am completely stuck
and have no clue why the setup is not working as expected.
Any help in fixing this problem would be appreciated.
On Fri, May 16, 2014 at 7:26 PM, Supratik Goswami
<supratiksekhar at gmail.com> wrote:
> The IP 10.255.0.4 belongs to the Windows 2008 R2 system running AD DC.
> I disabled the firewall but still the problem is there :-(
>
>
> On Fri, May 16, 2014 at 7:14 PM, Sumit Bose <sbose at redhat.com> wrote:
>
>> On Fri, May 16, 2014 at 04:29:33PM +0530, Supratik Goswami wrote:
>> > Yes DNS is working fine and is able to return the IP address of the AD
>> > server.
>> >
>> > [root at master samba]# dig SRV _ldap._tcp.ad.idm.example.com
>> >
>> > ; <<>> DiG 9.8.2rc1-RedHat-9.8.2-0.23.rc1.el6_5.1 <<>> SRV _ldap._
>> > tcp.ad.idm.example.com
>> > ;; global options: +cmd
>> > ;; Got answer:
>> > ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 29147
>> > ;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1
>> >
>> > ;; QUESTION SECTION:
>> > ;_ldap._tcp.ad.idm.example.com. IN SRV
>> >
>> > ;; ANSWER SECTION:
>> > _ldap._tcp.ad.idm.example.com. 600 IN SRV 0 100 389
>> > master.ad.idm.example.com.
>> >
>> > ;; ADDITIONAL SECTION:
>> > master.ad.idm.example.com. 3600 IN A 10.255.0.4
>> >
>> > ;; Query time: 1 msec
>> > ;; SERVER: 10.255.0.4#53(10.255.0.4)
>> > ;; WHEN: Fri May 16 10:46:23 2014
>> > ;; MSG SIZE rcvd: 106
>> >
>> >
>> >
>> > In my case AD is the netbios name of the AD domain. Please find the log
>> > message from the file log.wb-AD.
>> >
>> >
>>
>> ...
>>
>> > [2014/05/16 10:50:37.542420, 5, pid=3305, effective(0, 0), real(0, 0)]
>> > [2014/05/16 10:50:44.451669, 3, pid=3305, effective(0, 0), real(0, 0)]
>> > ../source3/lib/util_sock.c:585(open_socket_out_send)
>> > Connecting to 10.255.0.4 at port 445
>> > [2014/05/16 10:50:44.452793, 3, pid=3305, effective(0, 0), real(0, 0)]
>> > ../source3/libsmb/clidgram.c:333(nbt_getdc_send)
>> > No nmbd found
>> > [2014/05/16 10:50:44.452930, 10, pid=3305, effective(0, 0), real(0, 0)]
>> > ../source3/libsmb/namequery.c:916(name_status_find)
>> > name_status_find: looking up AD#1c at 10.255.0.4
>> > [2014/05/16 10:50:44.453044, 5, pid=3305, effective(0, 0), real(0, 0)]
>> > ../source3/libsmb/namecache.c:299(namecache_status_fetch)
>> > namecache_status_fetch: no entry for NBT/AD#1C.20.10.255.0.4 found.
>> > [2014/05/16 10:50:44.453279, 10, pid=3305, effective(0, 0), real(0, 0)]
>> > ../source3/lib/util_sock.c:499(open_socket_in)
>> > bind succeeded on port 0
>> > [2014/05/16 10:50:44.453449, 10, pid=3305, effective(0, 0), real(0, 0)]
>> > ../source3/libsmb/unexpected.c:546(nb_packet_reader_connected)
>> > async_connect failed: No such file or directory
>> > [2014/05/16 10:50:44.453564, 10, pid=3305, effective(0, 0), real(0, 0)]
>> > ../source3/libsmb/namequery.c:600(nb_trans_got_reader)
>> > nmbd not around
>> > [2014/05/16 10:50:45.454766, 10, pid=3305, effective(0, 0), real(0, 0)]
>> > ../source3/lib/events.c:216(run_events_poll)
>> > Running timed event "tevent_req_timedout" 0x1750470
>> > [2014/05/16 10:50:46.456103, 10, pid=3305, effective(0, 0), real(0, 0)]
>> > ../source3/lib/events.c:216(run_events_poll)
>> > Running timed event "tevent_req_timedout" 0x1750470
>> > [2014/05/16 10:50:47.457451, 10, pid=3305, effective(0, 0), real(0, 0)]
>> > ../source3/lib/events.c:216(run_events_poll)
>> > Running timed event "tevent_req_timedout" 0x1750470
>> > [2014/05/16 10:50:48.458773, 10, pid=3305, effective(0, 0), real(0, 0)]
>> > ../source3/lib/events.c:216(run_events_poll)
>> > Running timed event "tevent_req_timedout" 0x1750470
>> > [2014/05/16 10:50:49.460093, 10, pid=3305, effective(0, 0), real(0, 0)]
>> > ../source3/lib/events.c:216(run_events_poll)
>> > Running timed event "tevent_req_timedout" 0x1750470
>> > [2014/05/16 10:50:50.461420, 10, pid=3305, effective(0, 0), real(0, 0)]
>> > ../source3/lib/events.c:216(run_events_poll)
>> > Running timed event "tevent_req_timedout" 0x1750470
>> > [2014/05/16 10:50:51.462723, 10, pid=3305, effective(0, 0), real(0, 0)]
>> > ../source3/lib/events.c:216(run_events_poll)
>> > Running timed event "tevent_req_timedout" 0x1750470
>> > [2014/05/16 10:50:52.464265, 10, pid=3305, effective(0, 0), real(0, 0)]
>> > ../source3/lib/events.c:216(run_events_poll)
>> > Running timed event "tevent_req_timedout" 0x1750470
>> > [2014/05/16 10:50:53.465546, 10, pid=3305, effective(0, 0), real(0, 0)]
>> > ../source3/lib/events.c:216(run_events_poll)
>> > Running timed event "tevent_req_timedout" 0x1750470
>> > [2014/05/16 10:50:54.455168, 10, pid=3305, effective(0, 0), real(0, 0)]
>> > ../source3/lib/events.c:216(run_events_poll)
>> > Running timed event "tevent_req_timedout" 0x1750590
>> > [2014/05/16 10:50:54.455385, 10, pid=3305, effective(0, 0), real(0, 0)]
>> > ../source3/libsmb/namequery.c:962(name_status_find)
>> > name_status_find: name not found
>> > [2014/05/16 10:50:54.455497, 10, pid=3305, effective(0, 0), real(0, 0),
>> > class=tdb] ../source3/lib/gencache.c:179(gencache_set_data_blob)
>> > Adding cache entry with key = NEG_CONN_CACHE/AD,10.255.0.4 and
>> timeout =
>> > Fri May 16 10:51:54 2014
>> > (60 seconds ahead)
>> > [2014/05/16 10:50:54.455739, 9, pid=3305, effective(0, 0), real(0, 0)]
>> > ../source3/libsmb/conncache.c:189(add_failed_connection_entry)
>> > add_failed_connection_entry: added domain AD (10.255.0.4) to failed
>> conn
>> > cache
>>
>> > class=tdb] ../source3/lib/gencache.c:246(gencache_del)
>> > Deleting cache entry (key = SAFJOIN/DOMAIN/AD)
>> > [2014/05/16 10:50:54.455967, 10, pid=3305, effective(0, 0), real(0, 0),
>> > class=tdb] ../source3/lib/gencache.c:246(gencache_del)
>> > Deleting cache entry (key = SAF/DOMAIN/AD)
>> > [2014/05/16 10:50:54.456078, 10, pid=3305, effective(0, 0), real(0, 0),
>> > class=tdb] ../source3/lib/gencache.c:179(gencache_set_data_blob)
>> > Adding cache entry with key = NEG_CONN_CACHE/ad.idm.example.com
>> ,10.255.0.4
>> > and timeout = Fri May 16 10:51:54 2014
>> > (60 seconds ahead)
>> > [2014/05/16 10:50:54.456236, 9, pid=3305, effective(0, 0), real(0, 0)]
>> > ../source3/libsmb/conncache.c:189(add_failed_connection_entry)
>> > add_failed_connection_entry: added domain ad.idm.example.com(10.255.0.4)
>> > to failed conn cache
>> > [2014/05/16 10:50:54.456330, 10, pid=3305, effective(0, 0), real(0, 0),
>> > class=tdb] ../source3/lib/gencache.c:246(gencache_del)
>>
>> looks like the connection to 10.255.0.4 timed out after 10 seconds. Is
>> there a firewall which might drop the packets?
>>
>> bye,
>> Sumit
>>
>
>
>
> --
> Warm Regards
>
> Supratik
>
--
Warm Regards
Supratik
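As an added triage aid (not code from this thread or from the FreeIPA or Samba projects), the script below groups Samba winbind debug output into records and pairs each "added domain ... to failed conn cache" entry with the "Connecting to ... at port ..." attempt that preceded it, so the ten-second gap Sumit points out in the quoted log.wb-AD excerpt is reported per domain and port. The log text is a constructed sample in the same format as the quoted excerpt; the function names are my own.

```python
import re
from datetime import datetime

# Constructed sample in the shape of the quoted log.wb-AD excerpt (not the poster's file).
SAMPLE_LOG = """\
[2014/05/16 10:50:44.451669,  3, pid=3305, effective(0, 0), real(0, 0)] ../source3/lib/util_sock.c:585(open_socket_out_send)
  Connecting to 10.255.0.4 at port 445
[2014/05/16 10:50:44.452793,  3, pid=3305, effective(0, 0), real(0, 0)] ../source3/libsmb/clidgram.c:333(nbt_getdc_send)
  No nmbd found
[2014/05/16 10:50:54.455385, 10, pid=3305, effective(0, 0), real(0, 0)] ../source3/libsmb/namequery.c:962(name_status_find)
  name_status_find: name not found
[2014/05/16 10:50:54.455739,  9, pid=3305, effective(0, 0), real(0, 0)] ../source3/libsmb/conncache.c:189(add_failed_connection_entry)
  add_failed_connection_entry: added domain AD (10.255.0.4) to failed conn cache
[2014/05/16 10:50:54.456236,  9, pid=3305, effective(0, 0), real(0, 0)] ../source3/libsmb/conncache.c:189(add_failed_connection_entry)
  add_failed_connection_entry: added domain ad.idm.example.com(10.255.0.4) to failed conn cache
"""

# Samba debug header: "[timestamp, level, pid=..., ...] file:line(function)"
HEADER_RE = re.compile(
    r'^\[(?P<ts>\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}\.\d+),\s*(?P<level>\d+),[^\]]*\]'
    r'(?:\s*\S+\((?P<func>\w+)\))?'
)
CONNECT_RE = re.compile(r'Connecting to (?P<ip>[\d.]+) at port (?P<port>\d+)')
# Tolerates both "AD (10.255.0.4)" and "ad.idm.example.com(10.255.0.4)" spellings.
FAILED_RE = re.compile(r'added domain (?P<domain>\S+?)\s*\((?P<ip>[\d.]+)\) to failed conn')


def parse_winbind_log(text):
    """Group the log into records: each header line plus the message lines under it."""
    records = []
    for line in text.splitlines():
        m = HEADER_RE.match(line)
        if m:
            ts = datetime.strptime(m.group('ts'), '%Y/%m/%d %H:%M:%S.%f')
            records.append({'ts': ts, 'level': int(m.group('level')),
                            'func': m.group('func') or '', 'msg': ''})
        elif records:
            records[-1]['msg'] = (records[-1]['msg'] + ' ' + line.strip()).strip()
    return records


def failed_connections(records):
    """Report each failed-connection-cache entry with the port tried and seconds elapsed."""
    last_connect = {}  # ip -> (timestamp of connect attempt, port)
    findings = []
    for r in records:
        c = CONNECT_RE.search(r['msg'])
        if c:
            last_connect[c.group('ip')] = (r['ts'], int(c.group('port')))
            continue
        f = FAILED_RE.search(r['msg'])
        if f:
            start, port = last_connect.get(f.group('ip'), (None, None))
            elapsed = (r['ts'] - start).total_seconds() if start else None
            findings.append({'domain': f.group('domain'), 'ip': f.group('ip'),
                             'port': port, 'elapsed_s': elapsed})
    return findings


if __name__ == '__main__':
    for f in failed_connections(parse_winbind_log(SAMPLE_LOG)):
        print(f"{f['domain']} via {f['ip']}:{f['port']} marked failed after {f['elapsed_s']} s")
```

A DC that is reachable on the ports winbind tries should not produce these entries at all; a roughly ten-second elapsed value points at dropped packets (a firewall or security group) rather than a refused connection.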