[Freeipa-users] ipa: ERROR: AD DC was unable to reach any IPA domain controller --- AD domain controller complains about communication sequence.

Alexander Bokovoy abokovoy at redhat.com
Wed Apr 15 05:03:24 UTC 2015


On Tue, 14 Apr 2015, g.fer.ordas at unicyber.co.uk wrote:
>Hi
>
>Dealing with AD --> Cert Trust I am reaching the following step:
>
> ipa trust-add  ad.company.com  --admin <user>  --password
>Active Directory domain administrator's password:
>ipa: ERROR: AD DC was unable to reach any IPA domain controller. Most 
>likely it is a DNS or firewall issue
>
>
>Reaching this far I do not know what the issue is. Nevertheless, before I 
>start playing around with the DNS further...
The issue is what was reported above: at the request of the IPA DC to
validate the trust, the AD DC tried to resolve the IPA DC via SRV records
and then tried to contact its Samba instance on its own to complete
validation of the trust. Either step might fail, after which the AD DC
would report back to the IPA DC that it was unable to reach it.

This diagnostic wasn't added for nothing; you need to trust it. :)

>
>
>If I run the following, it seems to successfully establish the trust on 
>the IPA side of the business
>
># ipa trust-add --type=ad "ad_domain" --trust-secret
>
>So this part seems fine by the look of it.
It works because it does not communicate with AD DCs here, only with
IPA's Samba instance.

>I also had to manually add the AD host and the remote CIFS resource 
>but I am getting instead:
>
>ipa trust-fetch-domains corp.hootsuitemedia.com
>ipa: ERROR: AD domain controller complains about communication 
>sequence. It may mean unsynchronized time on both sides, for example
This doesn't work because the AD DC did not complete the trust validation
and cannot trust IPA Kerberos tickets, thus refusing the operation.
Unfortunately, error reporting in the SMB protocol is less than perfect, so
we are only able to guess at what has happened.

In any case, running trust-fetch-domains makes no sense until you
complete validation.

And to complete validation you really need to fix the issues with either
DNS or the firewall so that AD DCs are capable of reaching the proper IPA DCs.

And currently all IPA DCs should be initialized with ipa-adtrust-install.

-- 
/ Alexander Bokovoy
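A pre-check for the two preconditions Alexander describes (the AD DC resolving IPA DCs via SRV records, then reaching their Samba instance), written here as an added example and not part of this thread or of FreeIPA. It assumes dig, coreutils timeout and bash are available, that TCP 445 is the SMB port worth probing, and that the SRV names listed are the ones to verify; the IPA domain is a placeholder you supply via IPA_DOMAIN.

```shell
#!/bin/sh
# Added example (not from the thread): checks what Alexander says the AD DC
# needs during trust validation: SRV records for the IPA domain and a
# reachable Samba (SMB, TCP 445) service on each IPA DC they point at.
# Assumes dig, coreutils timeout and bash (for /dev/tcp) are installed.
SMB_PORT=445
TIMEOUT=3
# SRV names AD DCs query; the _msdcs ones are the AD-style records the
# IPA domain must publish for AD to find its DCs.
SRV_NAMES="_ldap._tcp _kerberos._tcp _ldap._tcp.dc._msdcs _kerberos._tcp.dc._msdcs"

# parse_srv: read "prio weight port target" lines (dig +short SRV output)
# from stdin, skip anything else (e.g. dig error text), print "target:port".
parse_srv() {
    awk 'NF == 4 { sub(/\.$/, "", $4); print $4 ":" $3 }'
}

# tcp_open HOST PORT: succeed if a TCP connect completes within TIMEOUT s.
tcp_open() {
    timeout "$TIMEOUT" bash -c "exec 3<>/dev/tcp/$1/$2" 2>/dev/null
}

# check_domain DOMAIN: resolve each SRV name and probe SMB on each target.
# Returns the number of problems found (0 means both preconditions hold).
check_domain() {
    problems=0
    for name in $SRV_NAMES; do
        targets=$(dig +short SRV "$name.$1" | parse_srv)
        if [ -z "$targets" ]; then
            echo "MISSING  SRV $name.$1"
            problems=$((problems + 1))
            continue
        fi
        for t in $targets; do
            host=${t%:*}
            echo "OK       SRV $name.$1 -> $t"
            if tcp_open "$host" "$SMB_PORT"; then
                echo "OK       SMB $host:$SMB_PORT reachable"
            else
                echo "BLOCKED  SMB $host:$SMB_PORT (firewall or host down)"
                problems=$((problems + 1))
            fi
        done
    done
    return "$problems"
}

# Live run only when IPA_DOMAIN is set (placeholder: ipa.example.com),
# so the functions can also be sourced or tested without network access.
if [ -n "${IPA_DOMAIN:-}" ]; then check_domain "$IPA_DOMAIN"; fi
```

Run it from a host on the AD side as `IPA_DOMAIN=ipa.example.com sh trust-precheck.sh`; any MISSING line points at DNS, any BLOCKED line at the firewall between the AD DC and that IPA DC.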