[Freeipa-users] FreeIPA 4 AD Integration issue
Aric Wilisch
awilisch at gmail.com
Tue Apr 7 14:04:28 UTC 2015
Hey all, I’m having a problem with integrating a FreeIPA 4 infrastructure to an AD environment.
AD Domain is fioptics.int
FreeIPA infrastructure is preprod.fioptics.int
The AD Controller in this environment is at 10.32.145.134
The FreeIPA 4 server is at 10.32.146.40
I’m attaching the procedure that I’m using below for review. Everything works perfectly, even the DNS testing, up until I run the command to initiate the trust. Then it ALWAYS comes back with unable to find server. The DNS tests I’ve done from AD and from IPA are also listed below.
This procedure works flawlessly in the virtual test environment every time. There are NO firewalls between the IPA box and the AD box. Software firewalls on both boxes are down. SELinux is disabled. The only differences are 1. They are on different subnets, but I don’t see how that should matter, and 2. There is a load balancer between them, but again DNS resolves and an nmap shows all the necessary ports are available.
If anyone has any advice it would be greatly appreciated. I have to get this working ASAP for the deployment of the project.
Thanks in advance.
—————————
DNS Results
—————————
Active Directory —
Server: ppad01.fioptics.int
Address: 10.32.145.134
_ldap._tcp.fioptics.int SRV service location:
priority = 0
weight = 100
port = 389
svr hostname = mtad01.fioptics.int
_ldap._tcp.fioptics.int SRV service location:
priority = 0
weight = 100
port = 389
svr hostname = ppad01.fioptics.int
_ldap._tcp.fioptics.int SRV service location:
priority = 0
weight = 100
port = 389
svr hostname = p1ad01.fioptics.int
_ldap._tcp.fioptics.int SRV service location:
priority = 0
weight = 100
port = 389
svr hostname = mtad02.fioptics.int
_ldap._tcp.fioptics.int SRV service location:
priority = 0
weight = 100
port = 389
svr hostname = stad01.fioptics.int
mtad01.fioptics.int internet address = 10.32.162.182
ppad01.fioptics.int internet address = 10.32.145.134
p1ad01.fioptics.int internet address = 10.32.129.134
mtad02.fioptics.int internet address = 10.32.130.182
stad01.fioptics.int internet address = 10.32.161.134
> _ldap._tcp.preprod.fioptics.int
Server: ppad01.fioptics.int
Address: 10.32.145.134
Non-authoritative answer:
_ldap._tcp.preprod.fioptics.int SRV service location:
priority = 0
weight = 100
port = 389
svr hostname = ppip01.preprod.fioptics.int
_ldap._tcp.preprod.fioptics.int SRV service location:
priority = 0
weight = 100
port = 389
svr hostname = ppip02.preprod.fioptics.int
ppip01.preprod.fioptics.int internet address = 10.32.146.40
ppip01.preprod.fioptics.int internet address = 10.32.146.40
>
————
FreeIPA
————
[root at ppip01 ~]# dig srv _ldap._tcp.fioptics.int
; <<>> DiG 9.9.4-RedHat-9.9.4-20.el7.centos.pkcs11 <<>> srv _ldap._tcp.fioptics.int
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 26858
;; flags: qr rd ra; QUERY: 1, ANSWER: 5, AUTHORITY: 13, ADDITIONAL: 6
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;_ldap._tcp.fioptics.int. IN SRV
;; ANSWER SECTION:
_ldap._tcp.fioptics.int. 600 IN SRV 0 100 389 p1ad01.fioptics.int.
_ldap._tcp.fioptics.int. 600 IN SRV 0 100 389 stad01.fioptics.int.
_ldap._tcp.fioptics.int. 600 IN SRV 0 100 389 ppad01.fioptics.int.
_ldap._tcp.fioptics.int. 600 IN SRV 0 100 389 mtad02.fioptics.int.
_ldap._tcp.fioptics.int. 600 IN SRV 0 100 389 mtad01.fioptics.int.
;; AUTHORITY SECTION:
. 11558 IN NS g.root-servers.net.
. 11558 IN NS e.root-servers.net.
. 11558 IN NS i.root-servers.net.
. 11558 IN NS f.root-servers.net.
. 11558 IN NS a.root-servers.net.
. 11558 IN NS c.root-servers.net.
. 11558 IN NS j.root-servers.net.
. 11558 IN NS k.root-servers.net.
. 11558 IN NS h.root-servers.net.
. 11558 IN NS l.root-servers.net.
. 11558 IN NS d.root-servers.net.
. 11558 IN NS b.root-servers.net.
. 11558 IN NS m.root-servers.net.
;; ADDITIONAL SECTION:
ppad01.fioptics.int. 3057 IN A 10.32.145.134
p1ad01.fioptics.int. 3600 IN A 10.32.129.134
mtad02.fioptics.int. 3600 IN A 10.32.130.182
stad01.fioptics.int. 3600 IN A 10.32.161.134
mtad01.fioptics.int. 3600 IN A 10.32.162.182
;; Query time: 1 msec
;; SERVER: 10.32.146.40#53(10.32.146.40)
;; WHEN: Tue Apr 07 09:56:29 EDT 2015
;; MSG SIZE rcvd: 538
[root at ppip01 ~]# dig srv _ldap._tcp.preprod.fioptics.int
; <<>> DiG 9.9.4-RedHat-9.9.4-20.el7.centos.pkcs11 <<>> srv _ldap._tcp.preprod.fioptics.int
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 28466
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 2, ADDITIONAL: 3
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;_ldap._tcp.preprod.fioptics.int. IN SRV
;; ANSWER SECTION:
_ldap._tcp.preprod.fioptics.int. 86400 IN SRV 0 100 389 ppip02.preprod.fioptics.int.
_ldap._tcp.preprod.fioptics.int. 86400 IN SRV 0 100 389 ppip01.preprod.fioptics.int.
;; AUTHORITY SECTION:
preprod.fioptics.int. 86400 IN NS ppip02.preprod.fioptics.int.
preprod.fioptics.int. 86400 IN NS ppip01.preprod.fioptics.int.
;; ADDITIONAL SECTION:
ppip01.preprod.fioptics.int. 1200 IN A 10.32.146.40
ppip02.preprod.fioptics.int. 1200 IN A 10.32.146.41
;; Query time: 0 msec
;; SERVER: 10.32.146.40#53(10.32.146.40)
;; WHEN: Tue Apr 07 09:56:44 EDT 2015
;; MSG SIZE rcvd: 214
[root at ppip01 ~]#
————————————————————
Error Message
————————————————————
[root at ppip01 ~]# ipa trust-add --type=ad fioptics.int --server=ppad01.fioptics.int --admin serviceipa --password
Active Directory domain administrator's password:
ipa: ERROR: Cannot find specified domain or server name
[root at ppip01 ~]#
* Note - I have tried this with the Administrator account and that didn’t work either.
Regards,
------------------------------------------
Aric Wilisch
awilisch at gmail.com
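The lookups in the post only compare `_ldap._tcp` SRV answers by eye. The following is an added example, not code from the poster or from FreeIPA: it parses dig-style answer lines, reports SRV targets that have no address record in the same answer (the AD-side listing above shows ppip01 twice and ppip02 not at all), and lists DC-locator SRV names that are absent. The sample lines are constructed from the hosts in the post, and the `TRUST_SRV` name list is an assumption drawn from the standard AD DC-locator records, not something the post states.

```python
import re
from collections import defaultdict

# Constructed sample in dig's presentation format, modelled on the two lookups
# in the post; ppip02 deliberately has no A record to mirror the AD-side output.
SAMPLE_DIG = """\
_ldap._tcp.fioptics.int. 600 IN SRV 0 100 389 p1ad01.fioptics.int.
_ldap._tcp.fioptics.int. 600 IN SRV 0 100 389 ppad01.fioptics.int.
_ldap._tcp.preprod.fioptics.int. 86400 IN SRV 0 100 389 ppip02.preprod.fioptics.int.
_ldap._tcp.preprod.fioptics.int. 86400 IN SRV 0 100 389 ppip01.preprod.fioptics.int.
ppad01.fioptics.int. 3057 IN A 10.32.145.134
p1ad01.fioptics.int. 3600 IN A 10.32.129.134
ppip01.preprod.fioptics.int. 1200 IN A 10.32.146.40
"""

# owner-name, TTL, class, type, rdata; only SRV and A are of interest here
RR = re.compile(r"^(\S+)\.\s+\d+\s+IN\s+(SRV|A)\s+(.*)$")

# Assumption (not from the post): SRV names the AD DC locator publishes and a
# trust partner is expected to resolve; the post itself only shows _ldap._tcp.
TRUST_SRV = ("_ldap._tcp.{d}", "_kerberos._tcp.{d}", "_ldap._tcp.dc._msdcs.{d}")


def parse_records(text):
    """Return ({srv_owner: [target, ...]}, {host: [ip, ...]}) from dig-style lines."""
    srv, addr = defaultdict(list), defaultdict(list)
    for line in text.splitlines():
        m = RR.match(line.strip())
        if not m:
            continue  # ';;' headers, blank lines and other RR types are skipped
        name, rtype, rdata = m.groups()
        if rtype == "SRV":
            _prio, _weight, _port, target = rdata.split()
            srv[name].append(target.rstrip("."))
        else:
            addr[name].append(rdata)
    return srv, addr


def find_gaps(text):
    """SRV targets with no A record in the same answer: hosts a trust partner
    may be told to contact but cannot resolve from this view of DNS."""
    srv, addr = parse_records(text)
    return sorted((n, t) for n, ts in srv.items() for t in ts if t not in addr)


def missing_srv(text, domain):
    """DC-locator SRV names for `domain` that the answer does not contain."""
    srv, _ = parse_records(text)
    return [n for n in (p.format(d=domain) for p in TRUST_SRV) if n not in srv]
```

Run both functions against the output of each side's lookup; a non-empty result points at the DNS view that the trust partner is actually resolving from, which is the place to start when the trust setup reports that it cannot find the server.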