[Freeipa-users] ipa: ERROR: AD DC was unable to reach any IPA domain controller --- AD domain controller complains about communication sequence.

g.fer.ordas at unicyber.co.uk g.fer.ordas at unicyber.co.uk
Wed Apr 15 22:46:41 UTC 2015 

Hi Alexander

I do trust the diagnostics and I thank you so much for that explanation 
as I know now now a bit better what to expect or for the less what is 
the sequence it follows.


This does not seem to be a port issue (below windows):
PORT      STATE SERVICE
53/tcp    open  domain
80/tcp    open  http
88/tcp    open  kerberos-sec
111/tcp   open  rpcbind
135/tcp   open  msrpc
139/tcp   open  netbios-ssn
389/tcp   open  ldap
445/tcp   open  microsoft-ds
464/tcp   open  kpasswd5
593/tcp   open  http-rpc-epmap
636/tcp   open  ldapssl
3268/tcp  open  globalcatLDAP
3269/tcp  open  globalcatLDAPssl
3389/tcp  open  ms-wbt-server

And after executing the command:
ipa trust-add --type=ad ad_domain.company.com --admin ad_user --password

I get :
===========
s4_tevent: Schedule immediate event "dcerpc_io_trigger": 0x7fbb7c00f170
s4_tevent: Added timed event "dcerpc_timeout_handler": 0x7fbb7c0a1910
s4_tevent: Run immediate event "dcerpc_io_trigger": 0x7fbb7c00f170
s4_tevent: Schedule immediate event "dcerpc_io_trigger": 0x7fbb7c00f170
num_setup=2, max_setup=0, param_total=0, this_param=0, max_param=0, 
data_total=112, this_data=112, max_data=4280, param_offset=84, 
param_pad=2, param_disp=0, data_offset=84, data_pad=0, data_disp=0
s4_tevent: Added timed event "tevent_req_timedout": 0x7fbb7c434b10
smb_signing_md5: sequence number 8
smb_signing_sign_pdu: sent SMB signature of
[0000] 4E 30 9B AA AD 9D FA E9                            N0......
s4_tevent: Schedule immediate event "tevent_queue_immediate_trigger": 
0x7fbb7c3179d0
s4_tevent: Run immediate event "dcerpc_io_trigger": 0x7fbb7c00f170
s4_tevent: Run immediate event "tevent_queue_immediate_trigger": 
0x7fbb7c3179d0
smb_signing_md5: sequence number 9
smb_signing_check_pdu: seq 9: got good SMB signature of
[0000] 34 AA E5 B9 B4 BB AD 3D                            4......=
s4_tevent: Destroying timer event 0x7fbb7c434b10 "tevent_req_timedout"
s4_tevent: Schedule immediate event "tevent_req_trigger": 0x7fbb7c532dd0
s4_tevent: Run immediate event "tevent_req_trigger": 0x7fbb7c532dd0
s4_tevent: Destroying timer event 0x7fbb7c0a1910 
"dcerpc_timeout_handler"
s4_tevent: Schedule immediate event "tevent_req_trigger": 0x7fbb7c0a1660
s4_tevent: Run immediate event "tevent_req_trigger": 0x7fbb7c0a1660
      netr_LogonControl2Ex: struct netr_LogonControl2Ex
         out: struct netr_LogonControl2Ex
             query                    : *
                 query                    : union 
netr_CONTROL_QUERY_INFORMATION(case 2)
                 info2                    : *
                     info2: struct netr_NETLOGON_INFO_2
                         flags                    : 0x00000080 (128)
                                0: NETLOGON_REPLICATION_NEEDED
                                0: NETLOGON_REPLICATION_IN_PROGRESS
                                0: NETLOGON_FULL_SYNC_REPLICATION
                                0: NETLOGON_REDO_NEEDED
                                0: NETLOGON_HAS_IP
                                0: NETLOGON_HAS_TIMESERV
                                0: NETLOGON_DNS_UPDATE_FAILURE
                                1: NETLOGON_VERIFY_STATUS_RETURNED
                         pdc_connection_status    : WERR_NO_LOGON_SERVERS
                         trusted_dc_name          : *
                             trusted_dc_name          : ''
                         tc_connection_status     : WERR_NO_LOGON_SERVERS
             result                   : WERR_OK
rpc reply data:
[0000] 02 00 00 00 00 00 02 00   80 00 00 00 1F 05 00 00   ........ 
........
[0010] 04 00 02 00 1F 05 00 00   01 00 00 00 00 00 00 00   ........ 
........
[0020] 01 00 00 00 00 00 00 00   00 00 00 00              ........ ....
s4_tevent: Added timed event "tevent_req_timedout": 0x7fbb7c23ced0
smb_signing_md5: sequence number 10
smb_signing_sign_pdu: sent SMB signature of
[0000] 91 10 6B 3B E8 98 AA B9                            ..k;....
s4_tevent: Schedule immediate event "tevent_queue_immediate_trigger": 
0x7fbb7c3179d0
s4_tevent: Destroying timer event 0x7fbb7c23ced0 "tevent_req_timedout"
s4_tevent: Cancel immediate event 0x7fbb7c3179d0 
"tevent_queue_immediate_trigger"
[Wed Apr 15 22:17:08.729930 2015] [:error] [pid 4810] ipa: INFO: 
[jsonserver_session] admin at LDAP.COMPANY.COM: 
trust_add(u'ad_domain.company.com', trust_type=u'ad', 
realm_admin=u'ad_user', realm_passwd=u'********', all=False, raw=False, 
version=u'2.114'): RemoteRetrieveError
============

So to me that seems to be samba related.
If try to mount any of the remote AD shares into the IPA server manually 
, it does perfectly well with the above user details.(this is without 
kerberos so -k)

The netbios for AD and IPA are different (so no complaints there) and It 
by the IPA side of the business it has been initialised using : 
ipa-adtrust-install
-- ipa-adtrust-install --netbios-name=LDAP_BIOS_NAME -a password -U --

Apologies for all this but I am trying to get through the process as far 
as I can.

Thanks



On 2015-04-15 06:03, Alexander Bokovoy wrote:
> On Tue, 14 Apr 2015, g.fer.ordas at unicyber.co.uk wrote:
>> Hi
>> 
>> Dealing with AD --> Cert Trust I am reaching the following step:
>> 
>> ipa trust-add  ad.company.com  --admin <user>  --password
>> Active Directory domain administrator's password:
>> ipa: ERROR: AD DC was unable to reach any IPA domain controller. Most 
>> likely it is a DNS or firewall issue
>> 
>> 
>> Reaching this far I do not know what the issue is .. Nevertheless and 
>> before start playing around with the DNS further more....
> The issue is what reported above -- at request of IPA DC to validate 
> the
> trust, AD DC tried to resolve IPA DC via SRV records and then tried to
> contact its Samba instance on its own to complete validation of the
> trust. Either step might fail, after which AD DC would report back to
> IPA DC that it was unable to reach it.
> 
> This diagnostics wasn't added for nothing, you need to trust it. :)
> 
>> 
>> 
>> if I run the following it seems to successfully establish the trust by 
>> the IPA side of the business
>> 
>> # ipa trust-add --type=ad "ad_domain" --trust-secret
>> 
>> So this part seems find by the look of it..
> It works because it does not communicate with AD DCs here, only with
> IPA's Samba instance.
> 
>> I also had to manually add the AD host and the remote CIFS resource 
>> but I am getting instead:
>> 
>> ipa trust-fetch-domains corp.hootsuitemedia.com
>> ipa: ERROR: AD domain controller complains about communication 
>> sequence. It may mean unsynchronized time on both sides, for example
> This doesn't work because AD DC did not complete the trust validation
> and cannot trust IPA Kerberos tickets, thus refusing operation.
> Unfortunately, reporting in SMB protocol is less than perfect so we 
> only
> are able to get guesses at what has happened.
> 
> In any case, running trust-fetch-domains makes no sense until you
> complete validation.
> 
> And to complete validation you really need to fix issues with either 
> DNS
> or firewall so that AD DCs are capable to reach proper IPA DCs.
> 
> And all IPA DCs should be initialized with ipa-adtrust-install
> currently.

More information about the Freeipa-users mailing list