[Freeipa-users] FreeIPA Active directory Integration: ipa "unknown command trustdomain-fetch"

Traiano Welcome traiano at gmail.com
Thu Sep 11 16:31:27 UTC 2014


On Thu, Sep 11, 2014 at 6:06 PM, Traiano Welcome <traiano at gmail.com> wrote:

> Hi Alexander
>
> On Thu, Sep 11, 2014 at 4:38 PM, Alexander Bokovoy <abokovoy at redhat.com>
> wrote:
>
>> On Thu, 11 Sep 2014, Traiano Welcome wrote:
>>
>>> Hi List
>>>
>>> I'm currently working through the IPAv3 AD integration document at:
>>>
>>> http://www.freeipa.org/page/Howto/IPAv3_AD_trust_setup
>>>
>>>
>>> I've managed to establish a trust between the IdM and the AD server.
>>> However, when I run the command:
>>>
>>> ---
>>> [root@kwtpocidm001 ~]# ipa trustdomain-fetch "mhatest.local"
>>> ipa: ERROR: unknown command 'trustdomain-fetch'
>>> ---
>>>
>>> It would appear the 'trustdomain-fetch' command is not present anymore or
>>> has been replaced with something else?
>>>
>> No, it was my mistake when I expanded the wiki a few days ago. ;)
>>
>> # ipa trust 2>&1|grep '  trust'
>>  trust-add            Add new trust to use.
>>  trust-del            Delete a trust.
>>  trust-fetch-domains  Refresh list of the domains associated with the trust
>>  trust-find           Search for trusts.
>>  trust-mod            Modify a trust (for future use).
>>  trust-show           Display information about a trust.
>>  trustconfig-mod      Modify global trust configuration.
>>  trustconfig-show     Show global trust configuration.
>>  trustdomain-del      Remove infromation about the domain associated with the trust.
>>  trustdomain-disable  Disable use of IPA resources by the domain of the trust
>>  trustdomain-enable   Allow use of IPA resources by the domain of the trust
>>  trustdomain-find     Search domains of the trust
>>
>> I fixed the page to use the proper one -- trust-fetch-domains.
>>
>>
>
> Excellent. Thanks.
>
>>  I speculate it's this:
>>>
>>> ---
>>> [root@kwtpocidm001 ~]# ipa trust-fetch-domains "mhatest.local"
>>> ipa: ERROR: AD domain controller complains about communication sequence. It may mean unsynchronized time on both sides, for example
>>> ---
>>>
>>> Is this correct?
>>>
>>>
>>> If indeed "trust-fetch-domains" is the correct command, then w.r.t. this
>>> error message:
>>>
>>> "ipa: ERROR: AD domain controller complains about communication sequence.
>>> It may mean unsynchronized time on both sides, for example"
>>>
>>> a) Checked the time synch on the AD server and the RHEL 7 IdM server and
>>> it's fine.
>>>
>> Check time zone. I've seen many times that time zone on test Windows
>> installs is set to PDT while your actual zone might be something
>> different; thus it gets out of sync.
>>
>>
>
> Timezones appear synced/the same:
>
>  - IPA server: Thu Sep 11 18:01:58 AST 2014
>  - Windows AD server: Thursday, September 11, 2014, 6:02:10 PM TZ: (UTC+03:00) Kuwait, Riyadh
>

Just to confirm they're both in sync, I've set the IdM server to use the AD
DC as an ntp service:

---
[root@kwtpocidm001 ~]# ntpdate -u 172.16.107.109
11 Sep 19:29:11 ntpdate[2736]: adjust time server 172.16.107.109 offset -0.146107 sec
---

>
>>  b) Here's a snippet around the error when running ipa with "-d":
>>>
>> This one is not usable. You need to enable debugging on the server side.
>> See http://www.freeipa.org/page/Howto/IPAv3_AD_trust_setup#Debugging_trust
>> in the part where it talks about /usr/share/ipa/smb.conf.empty.
>>
>>
>
> I've attached the debug logs, I'd be thankful if you could find anything
> in them!
>
>
>> --
>> / Alexander Bokovoy
>>
>
> Traiano Welcome