[Freeipa-users] AD Trust - Cannot resolve servers for KDC after reboot

Genadi Postrilko genadipost at gmail.com
Wed Sep 17 17:08:34 UTC 2014


I have configured the DNS with the AD as a forwarder (ipa-server-install
--forwarder), just as explained in the RHEL 7 Windows Integration Guide, 5.3.1
Setting up Trust with IdM as a DNS Subdomain of Active Directory.

To use KRB5_TRACE I'll need to recreate the issue.

2014-09-16 10:28 GMT+03:00 Sumit Bose <sbose at redhat.com>:

> On Tue, Sep 16, 2014 at 01:39:41AM +0300, Genadi Postrilko wrote:
> > Hello all!
> >
> > I have deployed a test environment for the AD trust feature; the environment
> > contains:
> > Windows Server 2008 - AD Server.
> > RHEL 7 - IPA 3.3 Server.
> > RHEL 6.2 - IPA Client.
> >
> > I have established the trust as IPA in the sub domain of AD.
> > AD DNS domain - blue.com
> > IPA DNS domain - linux.blue.com
> >
> > All was working fine as I was able to kinit with AD users:
> >
> > [root@ipaserver1 ~]# kinit Yoni@BLUE.COM
> > Password for Yoni@BLUE.COM:
> >
> > [root@ipaserver1 ~]# klist
> > Ticket cache: KEYRING:persistent:0:krb_ccache_oi15FrE
> > Default principal: Yoni@BLUE.COM
> >
> > Valid starting       Expires              Service principal
> > 09/16/2014 01:00:25  09/16/2014 11:00:25  krbtgt/BLUE.COM@BLUE.COM
> >         renew until 09/17/2014 01:00:20
> >
> > But after I rebooted the Windows Server machine, I could not kinit with AD
> > users anymore:
> > [root@ipaserver1 ~]# kinit Yoni@BLUE.COM
> > kinit:  Cannot resolve servers for KDC in realm "BLUE.COM" while getting initial
>
> The only IPA component used for kinit is the DNS server. How did you
> configure DNS (glue records? forwarder?). To get more details about what
> is failing you can call:
>
> KRB5_TRACE=/dev/stdout kinit Yoni@BLUE.COM
>
> HTH
>
> bye,
> Sumit
>
> >
> > I have checked if all the IPA services were up:
> >
> > [root@ipaserver1 ~]# ipactl status
> > Directory Service: RUNNING
> > krb5kdc Service: RUNNING
> > kadmin Service: RUNNING
> > named Service: RUNNING
> > ipa_memcached Service: RUNNING
> > httpd Service: RUNNING
> > pki-tomcatd Service: RUNNING
> > smb Service: RUNNING
> > winbind Service: RUNNING
> > ipa-otpd Service: RUNNING
> > ipa: INFO: The ipactl command was successful
> >
> > After I restarted the IPA services (ipactl restart), I was able to kinit
> > again.
> > Restarting the smb service would do the job as well (?).
> >
> > Just wanted to know if it is a known issue, or whether the AD should be
> > re-discovered if it reboots.
> > I think I saw an issue about it on the mailing list some time ago (not
> > sure).
> >
> > I did not increase the debug level and get the logs,
> > but I can share the ipa and sssd versions:
> >
> > rpm -qa | grep ipa
> > ipa-server-3.3.3-28.el7_0.1.x86_64
> > python-iniparse-0.4-9.el7.noarch
> > libipa_hbac-1.11.2-68.el7_0.5.x86_64
> > ipa-admintools-3.3.3-28.el7_0.1.x86_64
> > ipa-server-trust-ad-3.3.3-28.el7_0.1.x86_64
> > ipa-python-3.3.3-28.el7_0.1.x86_64
> > sssd-ipa-1.11.2-68.el7_0.5.x86_64
> > iniparser-3.1-5.el7.x86_64
> > libipa_hbac-python-1.11.2-68.el7_0.5.x86_64
> > ipa-client-3.3.3-28.el7_0.1.x86_64
> >
> > rpm -qa | grep sssd
> > sssd-krb5-common-1.11.2-68.el7_0.5.x86_64
> > sssd-ldap-1.11.2-68.el7_0.5.x86_64
> > sssd-common-1.11.2-68.el7_0.5.x86_64
> > sssd-common-pac-1.11.2-68.el7_0.5.x86_64
> > sssd-ad-1.11.2-68.el7_0.5.x86_64
> > sssd-krb5-1.11.2-68.el7_0.5.x86_64
> > sssd-1.11.2-68.el7_0.5.x86_64
> > python-sssdconfig-1.11.2-68.el7_0.5.noarch
> > sssd-ipa-1.11.2-68.el7_0.5.x86_64
> > sssd-proxy-1.11.2-68.el7_0.5.x86_64
> > sssd-client-1.11.2-68.el7_0.5.x86_64
> >
> >  Thanks for all the helpers.
>