[Freeipa-users] FreeIPA Active directory Integration: ipa "unknown command trustdomain-fetch"

Traiano Welcome traiano at gmail.com
Thu Sep 11 15:06:50 UTC 2014


Hi Alexander



On Thu, Sep 11, 2014 at 4:38 PM, Alexander Bokovoy <abokovoy at redhat.com>
wrote:

> On Thu, 11 Sep 2014, Traiano Welcome wrote:
>
>> Hi List
>>
>> I'm currently working through the IPAv3 AD integration document at:
>>
>> http://www.freeipa.org/page/Howto/IPAv3_AD_trust_setup
>>
>>
>> I've managed to establish a trust between the IdM and the AD server.
>> However, when I run the command:
>>
>> ---
>> [root@kwtpocidm001 ~]# ipa trustdomain-fetch "mhatest.local"
>> ipa: ERROR: unknown command 'trustdomain-fetch'
>> ---
>>
>> It would appear the  'trustdomain-fetch' command is not present anymore or
>> has been replaced with something else?
>>
> No, it was my mistake when I expanded the wiki a few days ago. ;)
>
> # ipa trust 2>&1|grep '  trust'
>  trust-add            Add new trust to use.
>  trust-del            Delete a trust.
>  trust-fetch-domains  Refresh list of the domains associated with the trust
>  trust-find           Search for trusts.
>  trust-mod            Modify a trust (for future use).
>  trust-show           Display information about a trust.
>  trustconfig-mod      Modify global trust configuration.
>  trustconfig-show     Show global trust configuration.
>  trustdomain-del      Remove infromation about the domain associated with the trust.
>  trustdomain-disable  Disable use of IPA resources by the domain of the trust
>  trustdomain-enable   Allow use of IPA resources by the domain of the trust
>  trustdomain-find     Search domains of the trust
>
> I fixed the page to use the proper one -- trust-fetch-domains.
>
>

Excellent. Thanks.






>> I speculate it's this:
>>
>> ---
>> [root@kwtpocidm001 ~]# ipa trust-fetch-domains "mhatest.local"
>> ipa: ERROR: AD domain controller complains about communication sequence. It may mean unsynchronized time on both sides, for example
>> ---
>>
>> Is this correct?
>>
>>
>> If indeed "trust-fetch-domains" is the correct command, then w.r.t. this
>> error message:
>>
>> "ipa: ERROR: AD domain controller complains about communication sequence.
>> It may mean unsynchronized time on both sides, for example"
>>
>> a) Checked the time synch on the AD server and the RHEL 7 IdM server and
>> it's fine.
>>
> Check time zone. I've seen many times that time zone on test Windows
> installs is set to PDT while your actual zone might be something
> different; thus it gets out of sync.
>
>

Timezones appear synced/the same:

 - IPA server: Thu Sep 11 18:01:58 AST 2014
 - Windows AD server: Thursday, September 11, 2014, 6:02:10 PM TZ: (UTC+03:00) Kuwait, Riyadh





>> b) Here's a snippet around the error when running ipa with "-d":
>>
> This one is not usable. You need to enable debugging on the server side.
> See http://www.freeipa.org/page/Howto/IPAv3_AD_trust_setup#Debugging_trust
> in the part where it talks about /usr/share/ipa/smb.conf.empty.
>
>

I've attached the debug logs; I'd be thankful if you could find anything in
them!


> --
> / Alexander Bokovoy
>

Traiano Welcome
-------------- next part --------------
A non-text attachment was scrubbed...
Name: debug_data.tar.gz
Type: application/x-gzip
Size: 492663 bytes
Desc: not available
URL: <http://listman.redhat.com/archives/freeipa-users/attachments/20140911/8952358a/attachment.bin>
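
Added example (not part of the original thread or of FreeIPA): the time zone check suggested above comes down to comparing the two hosts in UTC, since matching wall clocks hide a large skew when one host has the wrong zone configured. The sketch below uses the two readings quoted in this message, assumes "AST" means Arabia Standard Time (UTC+03:00), and assumes the Kerberos default tolerance of 300 seconds; the function names and the PDT case are constructed for illustration.

```python
from datetime import datetime, timedelta, timezone

# Assumption: default Kerberos clock skew tolerance (krb5.conf "clockskew").
MAX_SKEW_SECONDS = 300


def to_utc(wall_clock, utc_offset_hours):
    """Convert a displayed wall-clock time plus the host's configured UTC offset to UTC."""
    local = datetime.strptime(wall_clock, "%Y-%m-%d %H:%M:%S")
    zone = timezone(timedelta(hours=utc_offset_hours))
    return local.replace(tzinfo=zone).astimezone(timezone.utc)


def skew_check(ipa, ad):
    """Return (skew_seconds, within_tolerance) for two (wall_clock, utc_offset_hours) readings."""
    skew = abs(to_utc(*ipa) - to_utc(*ad)).total_seconds()
    return skew, skew <= MAX_SKEW_SECONDS


# Readings quoted in the message (taken a few seconds apart by hand).
IPA_READING = ("2014-09-11 18:01:58", 3)   # AST, assumed Arabia Standard Time
AD_READING = ("2014-09-11 18:02:10", 3)    # (UTC+03:00) Kuwait, Riyadh

# Constructed failure case: same wall clock on the AD host, but its zone left at PDT (UTC-7).
AD_WRONG_ZONE = ("2014-09-11 18:02:10", -7)

if __name__ == "__main__":
    for label, ad in (("as reported", AD_READING), ("AD zone set to PDT", AD_WRONG_ZONE)):
        skew, ok = skew_check(IPA_READING, ad)
        print(f"{label}: skew={skew:.0f}s within_tolerance={ok}")
```

With the readings as reported the skew is seconds, which is consistent with the poster's statement that the clocks match; the constructed PDT case shows the same wall-clock display producing a ten-hour UTC difference.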