[Freeipa-users] ipa: ERROR: AD DC was unable to reach any IPA domain controller --- AD domain controller complains about communication sequence.

Alexander Bokovoy abokovoy at redhat.com
Thu Apr 16 04:41:24 UTC 2015


On Wed, 15 Apr 2015, g.fer.ordas at unicyber.co.uk wrote:
>Hi Alexander
>
>I do trust the diagnostics and I thank you so much for that 
>explanation as I know now a bit better what to expect or at least 
>what is the sequence it follows.
>
>
>This does not seem to be a port issue (below windows):
>PORT      STATE SERVICE
>53/tcp    open  domain
>80/tcp    open  http
>88/tcp    open  kerberos-sec
>111/tcp   open  rpcbind
>135/tcp   open  msrpc
>139/tcp   open  netbios-ssn
>389/tcp   open  ldap
>445/tcp   open  microsoft-ds
>464/tcp   open  kpasswd5
>593/tcp   open  http-rpc-epmap
>636/tcp   open  ldapssl
>3268/tcp  open  globalcatLDAP
>3269/tcp  open  globalcatLDAPssl
>3389/tcp  open  ms-wbt-server
>
>And after executing the command:
>ipa trust-add --type=ad ad_domain.company.com --admin ad_user --password
>
>I get :
>===========
>s4_tevent: Schedule immediate event "dcerpc_io_trigger": 0x7fbb7c00f170
>s4_tevent: Added timed event "dcerpc_timeout_handler": 0x7fbb7c0a1910
>s4_tevent: Run immediate event "dcerpc_io_trigger": 0x7fbb7c00f170
>s4_tevent: Schedule immediate event "dcerpc_io_trigger": 0x7fbb7c00f170
>num_setup=2, max_setup=0, param_total=0, this_param=0, max_param=0, 
>data_total=112, this_data=112, max_data=4280, param_offset=84, 
>param_pad=2, param_disp=0, data_offset=84, data_pad=0, data_disp=0
>s4_tevent: Added timed event "tevent_req_timedout": 0x7fbb7c434b10
>smb_signing_md5: sequence number 8
>smb_signing_sign_pdu: sent SMB signature of
>[0000] 4E 30 9B AA AD 9D FA E9                            N0......
>s4_tevent: Schedule immediate event "tevent_queue_immediate_trigger": 0x7fbb7c3179d0
>s4_tevent: Run immediate event "dcerpc_io_trigger": 0x7fbb7c00f170
>s4_tevent: Run immediate event "tevent_queue_immediate_trigger": 0x7fbb7c3179d0
>smb_signing_md5: sequence number 9
>smb_signing_check_pdu: seq 9: got good SMB signature of
>[0000] 34 AA E5 B9 B4 BB AD 3D                            4......=
>s4_tevent: Destroying timer event 0x7fbb7c434b10 "tevent_req_timedout"
>s4_tevent: Schedule immediate event "tevent_req_trigger": 0x7fbb7c532dd0
>s4_tevent: Run immediate event "tevent_req_trigger": 0x7fbb7c532dd0
>s4_tevent: Destroying timer event 0x7fbb7c0a1910 "dcerpc_timeout_handler"
>s4_tevent: Schedule immediate event "tevent_req_trigger": 0x7fbb7c0a1660
>s4_tevent: Run immediate event "tevent_req_trigger": 0x7fbb7c0a1660
>     netr_LogonControl2Ex: struct netr_LogonControl2Ex
>        out: struct netr_LogonControl2Ex
>            query                    : *
>                query                    : union netr_CONTROL_QUERY_INFORMATION(case 2)
>                info2                    : *
>                    info2: struct netr_NETLOGON_INFO_2
>                        flags                    : 0x00000080 (128)
>                               0: NETLOGON_REPLICATION_NEEDED
>                               0: NETLOGON_REPLICATION_IN_PROGRESS
>                               0: NETLOGON_FULL_SYNC_REPLICATION
>                               0: NETLOGON_REDO_NEEDED
>                               0: NETLOGON_HAS_IP
>                               0: NETLOGON_HAS_TIMESERV
>                               0: NETLOGON_DNS_UPDATE_FAILURE
>                               1: NETLOGON_VERIFY_STATUS_RETURNED
>                        pdc_connection_status    : WERR_NO_LOGON_SERVERS
>                        trusted_dc_name          : *
>                            trusted_dc_name          : ''
>                        tc_connection_status     : WERR_NO_LOGON_SERVERS
>            result                   : WERR_OK
>rpc reply data:
>[0000] 02 00 00 00 00 00 02 00   80 00 00 00 1F 05 00 00   ........ ........
>[0010] 04 00 02 00 1F 05 00 00   01 00 00 00 00 00 00 00   ........ ........
>[0020] 01 00 00 00 00 00 00 00   00 00 00 00              ........ ....
>s4_tevent: Added timed event "tevent_req_timedout": 0x7fbb7c23ced0
>smb_signing_md5: sequence number 10
>smb_signing_sign_pdu: sent SMB signature of
>[0000] 91 10 6B 3B E8 98 AA B9                            ..k;....
>s4_tevent: Schedule immediate event "tevent_queue_immediate_trigger": 
>0x7fbb7c3179d0
>s4_tevent: Destroying timer event 0x7fbb7c23ced0 "tevent_req_timedout"
>s4_tevent: Cancel immediate event 0x7fbb7c3179d0 "tevent_queue_immediate_trigger"
>[Wed Apr 15 22:17:08.729930 2015] [:error] [pid 4810] ipa: INFO: 
>[jsonserver_session] admin at LDAP.COMPANY.COM: 
>trust_add(u'ad_domain.company.com', trust_type=u'ad', 
>realm_admin=u'ad_user', realm_passwd=u'********', all=False, 
>raw=False, version=u'2.114'): RemoteRetrieveError
>============
>
>So to me that seems to be samba related.
No, it is not, at least so far all evidence is only telling that AD DC
cannot talk to IPA DC. From the above netr_NETLOGON_INFO_2 structure it
is pretty clear:
 "AD DC tried to verify trust and was unable to contact logon servers
  (DCs) of IPA".

>If I try to mount any of the remote AD shares into the IPA server 
>manually, it works perfectly well with the above user details (this is 
>without kerberos, so -k).
If you mount something on IPA server, it means connection goes from IPA
server to AD DC, not the other way around. You need to make sure the
opposite direction (connection initiated by AD DC towards IPA server)
would work.

-- 
/ Alexander Bokovoy
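To make the netr_LogonControl2Ex reply quoted above easier to read, here is an added Python decoder (not code from the thread, Samba or FreeIPA) that unpacks the 44 "rpc reply data" bytes into the NETLOGON_INFO_2 fields and restates the conclusion drawn in the reply. The field layout assumed is the one visible in the dump (level, info2 pointer, flags, pdc status, name pointer, tc status, UTF-16 name, result); the flag names and error names are the ones printed in the thread.

```python
import struct

# netr_NETLOGON_INFO_2.flags bit names, bit 0 first, as listed in the thread dump.
FLAG_NAMES = [
    "NETLOGON_REPLICATION_NEEDED", "NETLOGON_REPLICATION_IN_PROGRESS",
    "NETLOGON_FULL_SYNC_REPLICATION", "NETLOGON_REDO_NEEDED",
    "NETLOGON_HAS_IP", "NETLOGON_HAS_TIMESERV",
    "NETLOGON_DNS_UPDATE_FAILURE", "NETLOGON_VERIFY_STATUS_RETURNED",
]
# Win32 error codes seen in the dump: 0x051F is ERROR_NO_LOGON_SERVERS (1311).
WERR_NAMES = {0x0000: "WERR_OK", 0x051F: "WERR_NO_LOGON_SERVERS"}

# Constructed from the three "rpc reply data" hex-dump lines quoted above (44 bytes).
REPLY_DATA = bytes.fromhex(
    "02000000 00000200 80000000 1F050000 04000200 1F050000 "
    "01000000 00000000 01000000 0000 0000 00000000"
)

def werr(code):
    return WERR_NAMES.get(code, f"WERR_0x{code:08X}")

def decode_logoncontrol2ex_reply(data):
    """Decode the NDR-marshalled [out] query (case 2) and result of netr_LogonControl2Ex."""
    level, info_ref = struct.unpack_from("<II", data, 0)
    if level != 2:
        raise ValueError(f"expected query level 2 (NETLOGON_INFO_2), got {level}")
    if info_ref == 0:                       # NULL info2 pointer: only the result follows
        return {"info2": None, "result": werr(struct.unpack_from("<I", data, 8)[0])}
    flags, pdc_status, name_ref, tc_status = struct.unpack_from("<IIII", data, 8)
    off, dc_name = 24, None
    if name_ref:                            # conformant varying UTF-16 string
        _max_count, _offset, count = struct.unpack_from("<III", data, off)
        off += 12
        dc_name = data[off:off + 2 * count].decode("utf-16-le").rstrip("\x00")
        off = (off + 2 * count + 3) & ~3    # NDR pads back to 4-byte alignment
    (result,) = struct.unpack_from("<I", data, off)
    return {"info2": {
        "flags": [n for i, n in enumerate(FLAG_NAMES) if flags & (1 << i)],
        "pdc_connection_status": werr(pdc_status),
        "trusted_dc_name": dc_name,
        "tc_connection_status": werr(tc_status),
    }, "result": werr(result)}

def diagnose(decoded):
    """Restate the status the way the reply above interprets it."""
    info = decoded["info2"]
    if (info and "NETLOGON_VERIFY_STATUS_RETURNED" in info["flags"]
            and info["tc_connection_status"] == "WERR_NO_LOGON_SERVERS"):
        return ("AD DC verified the trust but could not reach any IPA DC (logon server); "
                "check DNS SRV records and ports from the AD DC side")
    return "trust verification did not report a logon-server problem"
```

Note that result is WERR_OK: the RPC call itself succeeded, and the failure is carried only in the per-connection status fields, which is why the trust-add error is not a port or Samba problem on the IPA side.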
