[Freeipa-users] ipa: ERROR: AD DC was unable to reach any IPA domain controller --- AD domain controller complains about communication sequence.
Alexander Bokovoy
abokovoy at redhat.com
Thu Apr 16 04:41:24 UTC 2015
On Wed, 15 Apr 2015, g.fer.ordas at unicyber.co.uk wrote:
>Hi Alexander
>
>I do trust the diagnostics and I thank you so much for that
>explanation as I know now a bit better what to expect or for the
>less what is the sequence it follows.
>
>
>This does not seem to be a port issue (below windows):
>PORT STATE SERVICE
>53/tcp open domain
>80/tcp open http
>88/tcp open kerberos-sec
>111/tcp open rpcbind
>135/tcp open msrpc
>139/tcp open netbios-ssn
>389/tcp open ldap
>445/tcp open microsoft-ds
>464/tcp open kpasswd5
>593/tcp open http-rpc-epmap
>636/tcp open ldapssl
>3268/tcp open globalcatLDAP
>3269/tcp open globalcatLDAPssl
>3389/tcp open ms-wbt-server
>
>And after executing the command:
>ipa trust-add --type=ad ad_domain.company.com --admin ad_user --password
>
>I get :
>===========
>s4_tevent: Schedule immediate event "dcerpc_io_trigger": 0x7fbb7c00f170
>s4_tevent: Added timed event "dcerpc_timeout_handler": 0x7fbb7c0a1910
>s4_tevent: Run immediate event "dcerpc_io_trigger": 0x7fbb7c00f170
>s4_tevent: Schedule immediate event "dcerpc_io_trigger": 0x7fbb7c00f170
>num_setup=2, max_setup=0, param_total=0, this_param=0, max_param=0,
>data_total=112, this_data=112, max_data=4280, param_offset=84,
>param_pad=2, param_disp=0, data_offset=84, data_pad=0, data_disp=0
>s4_tevent: Added timed event "tevent_req_timedout": 0x7fbb7c434b10
>smb_signing_md5: sequence number 8
>smb_signing_sign_pdu: sent SMB signature of
>[0000] 4E 30 9B AA AD 9D FA E9 N0......
>s4_tevent: Schedule immediate event "tevent_queue_immediate_trigger":
>0x7fbb7c3179d0
>s4_tevent: Run immediate event "dcerpc_io_trigger": 0x7fbb7c00f170
>s4_tevent: Run immediate event "tevent_queue_immediate_trigger":
>0x7fbb7c3179d0
>smb_signing_md5: sequence number 9
>smb_signing_check_pdu: seq 9: got good SMB signature of
>[0000] 34 AA E5 B9 B4 BB AD 3D 4......=
>s4_tevent: Destroying timer event 0x7fbb7c434b10 "tevent_req_timedout"
>s4_tevent: Schedule immediate event "tevent_req_trigger": 0x7fbb7c532dd0
>s4_tevent: Run immediate event "tevent_req_trigger": 0x7fbb7c532dd0
>s4_tevent: Destroying timer event 0x7fbb7c0a1910
>"dcerpc_timeout_handler"
>s4_tevent: Schedule immediate event "tevent_req_trigger": 0x7fbb7c0a1660
>s4_tevent: Run immediate event "tevent_req_trigger": 0x7fbb7c0a1660
> netr_LogonControl2Ex: struct netr_LogonControl2Ex
> out: struct netr_LogonControl2Ex
> query : *
> query : union
>netr_CONTROL_QUERY_INFORMATION(case 2)
> info2 : *
> info2: struct netr_NETLOGON_INFO_2
> flags : 0x00000080 (128)
> 0: NETLOGON_REPLICATION_NEEDED
> 0: NETLOGON_REPLICATION_IN_PROGRESS
> 0: NETLOGON_FULL_SYNC_REPLICATION
> 0: NETLOGON_REDO_NEEDED
> 0: NETLOGON_HAS_IP
> 0: NETLOGON_HAS_TIMESERV
> 0: NETLOGON_DNS_UPDATE_FAILURE
> 1: NETLOGON_VERIFY_STATUS_RETURNED
> pdc_connection_status : WERR_NO_LOGON_SERVERS
> trusted_dc_name : *
> trusted_dc_name : ''
> tc_connection_status : WERR_NO_LOGON_SERVERS
> result : WERR_OK
>rpc reply data:
>[0000] 02 00 00 00 00 00 02 00 80 00 00 00 1F 05 00 00 ........
>........
>[0010] 04 00 02 00 1F 05 00 00 01 00 00 00 00 00 00 00 ........
>........
>[0020] 01 00 00 00 00 00 00 00 00 00 00 00 ........ ....
>s4_tevent: Added timed event "tevent_req_timedout": 0x7fbb7c23ced0
>smb_signing_md5: sequence number 10
>smb_signing_sign_pdu: sent SMB signature of
>[0000] 91 10 6B 3B E8 98 AA B9 ..k;....
>s4_tevent: Schedule immediate event "tevent_queue_immediate_trigger":
>0x7fbb7c3179d0
>s4_tevent: Destroying timer event 0x7fbb7c23ced0 "tevent_req_timedout"
>s4_tevent: Cancel immediate event 0x7fbb7c3179d0
>"tevent_queue_immediate_trigger"
>[Wed Apr 15 22:17:08.729930 2015] [:error] [pid 4810] ipa: INFO:
>[jsonserver_session] admin at LDAP.COMPANY.COM:
>trust_add(u'ad_domain.company.com', trust_type=u'ad',
>realm_admin=u'ad_user', realm_passwd=u'********', all=False,
>raw=False, version=u'2.114'): RemoteRetrieveError
>============
>
>So to me that seems to be samba related.
No, it is not; at least so far, all evidence only tells us that the AD DC
cannot talk to the IPA DC. From the above netr_NETLOGON_INFO_2 structure it
is pretty clear:
"AD DC tried to verify trust and was unable to contact logon servers
(DCs) of IPA".
>If I try to mount any of the remote AD shares into the IPA server
>manually, it does perfectly well with the above user details. (this is
>without kerberos so -k)
If you mount something on the IPA server, it means the connection goes from
the IPA server to the AD DC, not the other way around. You need to make
sure the opposite direction (connection initiated by the AD DC towards the
IPA server) would work.
--
/ Alexander Bokovoy
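To check the reading above against the raw bytes rather than Samba's pretty-print, here is an added Python decoder for the 44-byte "rpc reply data" dump quoted in the thread. It is not part of the thread and not Samba code; it assumes the standard little-endian DCE NDR layout of the [out] parameters of netr_LogonControl2Ex (query level 2) and the MS-NRPC flag bits and WERROR values shown in the debug output.

```python
import struct

# Flag bits of netr_NETLOGON_INFO_2.flags, in the order Samba's debug output lists them.
NETLOGON_INFO_2_FLAGS = [
    (0x01, "NETLOGON_REPLICATION_NEEDED"),
    (0x02, "NETLOGON_REPLICATION_IN_PROGRESS"),
    (0x04, "NETLOGON_FULL_SYNC_REPLICATION"),
    (0x08, "NETLOGON_REDO_NEEDED"),
    (0x10, "NETLOGON_HAS_IP"),
    (0x20, "NETLOGON_HAS_TIMESERV"),
    (0x40, "NETLOGON_DNS_UPDATE_FAILURE"),
    (0x80, "NETLOGON_VERIFY_STATUS_RETURNED"),
]

# Win32 error codes (WERROR) that matter for trust verification (0x51F == 1311).
WERR_NAMES = {0x00000000: "WERR_OK", 0x0000051F: "WERR_NO_LOGON_SERVERS"}

# The "rpc reply data" hex dump from the thread, re-typed as bytes (sample input).
REPLY = bytes.fromhex(
    "02000000 00000200 80000000 1F050000"
    "04000200 1F050000 01000000 00000000"
    "01000000 00000000 00000000"
)


def parse_logoncontrol2ex_reply(data: bytes) -> dict:
    """Decode the [out] part of netr_LogonControl2Ex for query level 2 (little-endian NDR)."""
    # switch level, info2 referent id, flags, pdc status, name referent id, tc status
    level, _info2_ref, flags, pdc_status, name_ref, tc_status = struct.unpack_from("<6I", data, 0)
    if level != 2:
        raise ValueError(f"unsupported query level {level}")
    off = 24
    name = ""
    if name_ref != 0:
        # deferred conformant, varying UTF-16 string: max count, offset, actual count, chars
        _max_count, _offset, actual = struct.unpack_from("<3I", data, off)
        off += 12
        name = data[off:off + 2 * actual].decode("utf-16-le").rstrip("\x00")
        off += 2 * actual
        off += (-off) % 4  # NDR aligns the following uint32 (result) to 4 bytes
    (result,) = struct.unpack_from("<I", data, off)
    return {
        "flags": [n for bit, n in NETLOGON_INFO_2_FLAGS if flags & bit],
        "pdc_connection_status": WERR_NAMES.get(pdc_status, hex(pdc_status)),
        "trusted_dc_name": name,
        "tc_connection_status": WERR_NAMES.get(tc_status, hex(tc_status)),
        "result": WERR_NAMES.get(result, hex(result)),
    }
```

An empty trusted_dc_name with NETLOGON_VERIFY_STATUS_RETURNED set and both connection statuses at WERR_NO_LOGON_SERVERS is the AD DC reporting that it found no reachable DC for the IPA domain, which is exactly the direction the reply above says to test.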