[Freeipa-users] ipa: ERROR: AD DC was unable to reach any IPA domain controller --- AD domain controller complains about communication sequence.
g.fer.ordas at unicyber.co.uk
g.fer.ordas at unicyber.co.uk
Wed Apr 15 22:46:41 UTC 2015
Hi Alexander
I do trust the diagnostics and I thank you so much for that explanation
as I know now now a bit better what to expect or for the less what is
the sequence it follows.
This does not seem to be a port issue (below windows):
PORT STATE SERVICE
53/tcp open domain
80/tcp open http
88/tcp open kerberos-sec
111/tcp open rpcbind
135/tcp open msrpc
139/tcp open netbios-ssn
389/tcp open ldap
445/tcp open microsoft-ds
464/tcp open kpasswd5
593/tcp open http-rpc-epmap
636/tcp open ldapssl
3268/tcp open globalcatLDAP
3269/tcp open globalcatLDAPssl
3389/tcp open ms-wbt-server
And after executing the command:
ipa trust-add --type=ad ad_domain.company.com --admin ad_user --password
I get :
===========
s4_tevent: Schedule immediate event "dcerpc_io_trigger": 0x7fbb7c00f170
s4_tevent: Added timed event "dcerpc_timeout_handler": 0x7fbb7c0a1910
s4_tevent: Run immediate event "dcerpc_io_trigger": 0x7fbb7c00f170
s4_tevent: Schedule immediate event "dcerpc_io_trigger": 0x7fbb7c00f170
num_setup=2, max_setup=0, param_total=0, this_param=0, max_param=0,
data_total=112, this_data=112, max_data=4280, param_offset=84,
param_pad=2, param_disp=0, data_offset=84, data_pad=0, data_disp=0
s4_tevent: Added timed event "tevent_req_timedout": 0x7fbb7c434b10
smb_signing_md5: sequence number 8
smb_signing_sign_pdu: sent SMB signature of
[0000] 4E 30 9B AA AD 9D FA E9 N0......
s4_tevent: Schedule immediate event "tevent_queue_immediate_trigger":
0x7fbb7c3179d0
s4_tevent: Run immediate event "dcerpc_io_trigger": 0x7fbb7c00f170
s4_tevent: Run immediate event "tevent_queue_immediate_trigger":
0x7fbb7c3179d0
smb_signing_md5: sequence number 9
smb_signing_check_pdu: seq 9: got good SMB signature of
[0000] 34 AA E5 B9 B4 BB AD 3D 4......=
s4_tevent: Destroying timer event 0x7fbb7c434b10 "tevent_req_timedout"
s4_tevent: Schedule immediate event "tevent_req_trigger": 0x7fbb7c532dd0
s4_tevent: Run immediate event "tevent_req_trigger": 0x7fbb7c532dd0
s4_tevent: Destroying timer event 0x7fbb7c0a1910
"dcerpc_timeout_handler"
s4_tevent: Schedule immediate event "tevent_req_trigger": 0x7fbb7c0a1660
s4_tevent: Run immediate event "tevent_req_trigger": 0x7fbb7c0a1660
netr_LogonControl2Ex: struct netr_LogonControl2Ex
out: struct netr_LogonControl2Ex
query : *
query : union
netr_CONTROL_QUERY_INFORMATION(case 2)
info2 : *
info2: struct netr_NETLOGON_INFO_2
flags : 0x00000080 (128)
0: NETLOGON_REPLICATION_NEEDED
0: NETLOGON_REPLICATION_IN_PROGRESS
0: NETLOGON_FULL_SYNC_REPLICATION
0: NETLOGON_REDO_NEEDED
0: NETLOGON_HAS_IP
0: NETLOGON_HAS_TIMESERV
0: NETLOGON_DNS_UPDATE_FAILURE
1: NETLOGON_VERIFY_STATUS_RETURNED
pdc_connection_status : WERR_NO_LOGON_SERVERS
trusted_dc_name : *
trusted_dc_name : ''
tc_connection_status : WERR_NO_LOGON_SERVERS
result : WERR_OK
rpc reply data:
[0000] 02 00 00 00 00 00 02 00 80 00 00 00 1F 05 00 00 ........
........
[0010] 04 00 02 00 1F 05 00 00 01 00 00 00 00 00 00 00 ........
........
[0020] 01 00 00 00 00 00 00 00 00 00 00 00 ........ ....
s4_tevent: Added timed event "tevent_req_timedout": 0x7fbb7c23ced0
smb_signing_md5: sequence number 10
smb_signing_sign_pdu: sent SMB signature of
[0000] 91 10 6B 3B E8 98 AA B9 ..k;....
s4_tevent: Schedule immediate event "tevent_queue_immediate_trigger":
0x7fbb7c3179d0
s4_tevent: Destroying timer event 0x7fbb7c23ced0 "tevent_req_timedout"
s4_tevent: Cancel immediate event 0x7fbb7c3179d0
"tevent_queue_immediate_trigger"
[Wed Apr 15 22:17:08.729930 2015] [:error] [pid 4810] ipa: INFO:
[jsonserver_session] admin at LDAP.COMPANY.COM:
trust_add(u'ad_domain.company.com', trust_type=u'ad',
realm_admin=u'ad_user', realm_passwd=u'********', all=False, raw=False,
version=u'2.114'): RemoteRetrieveError
============
So to me that seems to be samba related.
If try to mount any of the remote AD shares into the IPA server manually
, it does perfectly well with the above user details.(this is without
kerberos so -k)
The netbios for AD and IPA are different (so no complaints there) and It
by the IPA side of the business it has been initialised using :
ipa-adtrust-install
-- ipa-adtrust-install --netbios-name=LDAP_BIOS_NAME -a password -U --
Apologies for all this but I am trying to get through the process as far
as I can.
Thanks
On 2015-04-15 06:03, Alexander Bokovoy wrote:
> On Tue, 14 Apr 2015, g.fer.ordas at unicyber.co.uk wrote:
>> Hi
>>
>> Dealing with AD --> Cert Trust I am reaching the following step:
>>
>> ipa trust-add ad.company.com --admin <user> --password
>> Active Directory domain administrator's password:
>> ipa: ERROR: AD DC was unable to reach any IPA domain controller. Most
>> likely it is a DNS or firewall issue
>>
>>
>> Reaching this far I do not know what the issue is .. Nevertheless and
>> before start playing around with the DNS further more....
> The issue is what reported above -- at request of IPA DC to validate
> the
> trust, AD DC tried to resolve IPA DC via SRV records and then tried to
> contact its Samba instance on its own to complete validation of the
> trust. Either step might fail, after which AD DC would report back to
> IPA DC that it was unable to reach it.
>
> This diagnostics wasn't added for nothing, you need to trust it. :)
>
>>
>>
>> if I run the following it seems to successfully establish the trust by
>> the IPA side of the business
>>
>> # ipa trust-add --type=ad "ad_domain" --trust-secret
>>
>> So this part seems find by the look of it..
> It works because it does not communicate with AD DCs here, only with
> IPA's Samba instance.
>
>> I also had to manually add the AD host and the remote CIFS resource
>> but I am getting instead:
>>
>> ipa trust-fetch-domains corp.hootsuitemedia.com
>> ipa: ERROR: AD domain controller complains about communication
>> sequence. It may mean unsynchronized time on both sides, for example
> This doesn't work because AD DC did not complete the trust validation
> and cannot trust IPA Kerberos tickets, thus refusing operation.
> Unfortunately, reporting in SMB protocol is less than perfect so we
> only
> are able to get guesses at what has happened.
>
> In any case, running trust-fetch-domains makes no sense until you
> complete validation.
>
> And to complete validation you really need to fix issues with either
> DNS
> or firewall so that AD DCs are capable to reach proper IPA DCs.
>
> And all IPA DCs should be initialized with ipa-adtrust-install
> currently.
More information about the Freeipa-users
mailing list