[Freeipa-users] FreeIPA Active directory Integration: ipa "unknown command trustdomain-fetch"

Alexander Bokovoy abokovoy at redhat.com
Thu Sep 11 13:38:01 UTC 2014 

On Thu, 11 Sep 2014, Traiano Welcome wrote:
>Hi List
>
>I'm currently working through the IPAv3 AD integration document at:
>
>http://www.freeipa.org/page/Howto/IPAv3_AD_trust_setup
>
>
>I've managed to establish a trust between the IdM and the AD server.
>However, when I run the command:
>
>---
>[root at kwtpocidm001 ~]# ipa trustdomain-fetch "mhatest.local"
>ipa: ERROR: unknown command 'trustdomain-fetch'
>---
>
>It would appear the  'trustdomain-fetch' command is not present anymore or
>has been replaced with something else?
No, it was my mistake when I expanded the wiki few days ago. ;)

# ipa trust 2>&1|grep '  trust'
  trust-add            Add new trust to use.
  trust-del            Delete a trust.
  trust-fetch-domains  Refresh list of the domains associated with the trust
  trust-find           Search for trusts.
  trust-mod            Modify a trust (for future use).
  trust-show           Display information about a trust.
  trustconfig-mod      Modify global trust configuration.
  trustconfig-show     Show global trust configuration.
  trustdomain-del      Remove infromation about the domain associated with the trust.
  trustdomain-disable  Disable use of IPA resources by the domain of the trust
  trustdomain-enable   Allow use of IPA resources by the domain of the trust
  trustdomain-find     Search domains of the trust

I fixed the page to use proper one -- trust-fetch-domains.

>I speculate it's this:
>
>---
>[root at kwtpocidm001 ~]# ipa trust-fetch-domains "mhatest.local"
>ipa: ERROR: AD domain controller complains about communication sequence. It
>may mean unsynchronized time on both sides, for example
>---
>
>Is this correct?
>
>
>If indeed "trust-fetch-domains" is the correct command, then .w.r.t this
>error message:
>
>"ipa: ERROR: AD domain controller complains about communication sequence.
>It may mean unsynchronized time on both sides, for example"
>
>a) Checked the time synch on the AD server and the RHEL 7 IdM server and
>it's fine.
Check time zone. I've seen many times that time zone on test Windows
installs is set to PDT while your actual zone might be something
different; thus it gets out of sync.

>b) Here's a snippet around the error when running ipa with "-d":
This one is not usable. You need to enable debugging on the server side.
See http://www.freeipa.org/page/Howto/IPAv3_AD_trust_setup#Debugging_trust
in the part where it talks about /usr/share/ipa/smb.conf.empty.

-- 
/ Alexander Bokovoy

More information about the Freeipa-users mailing list