[Freeipa-users] LDAP bind failing on new IPA setup

Gould, Joshua Joshua.Gould at osumc.edu
Fri Apr 17 14:29:31 UTC 2015


We set up our new IPA server (RHEL7) with a trust against our AD domain. The trust and ID range look right in IPA.

[root sssd]# ipa trust-show
Realm name: example.com
  Realm name: EXAMPLE.COM
  Domain NetBIOS name: EXAMPLE
  Domain Security Identifier: S-1-5-21-
  Trust direction: Two-way trust
  Trust type: Active Directory domain
[root sssd]# ipa idrange-find --all
----------------
2 ranges matched
----------------
  dn: cn=EXAMPLE.COM_id_range,cn=ranges,cn=etc,dc=examle,dc=com
  Range name: EXAMPLE.COM_id_range
  First Posix ID of the range: 2000000
  Number of IDs in the range: 900000
  First RID of the corresponding RID range: 0
  Domain SID of the trusted domain: S-1-5-21-
  Range type: Active Directory domain range
  iparangetyperaw: ipa-ad-trust
  objectclass: ipatrustedaddomainrange, ipaIDrange

  dn: cn=UNIX.EXAMPLE.COM_id_range,cn=ranges,cn=etc,dc=example,dc=com
  Range name: UNIX.EXAMPLE.COM_id_range
  First Posix ID of the range: 369600000
  Number of IDs in the range: 200000
  First RID of the corresponding RID range: 1000
  First RID of the secondary RID range: 100000000
  Range type: local domain range
  iparangetyperaw: ipa-local
  objectclass: top, ipaIDrange, ipaDomainIDRange
----------------------------
Number of entries returned 2
----------------------------
[root sssd]#

I see that the bind fails, but I’m not sure why. Here are the errors. Could someone point me in the right direction, please?

(Fri Apr 17 10:11:24 2015) [sssd[be[unix.EXAMPLE.COM]]] [sdap_get_server_opts_from_rootdse] (0x0100): Setting AD compatibility level to [4]
(Fri Apr 17 10:11:24 2015) [sssd[be[unix.EXAMPLE.COM]]] [sdap_kinit_send] (0x0400): Attempting kinit (default, host/xxx, UNIX.EXAMPLE.COM, 86400)
(Fri Apr 17 10:11:24 2015) [sssd[be[unix.EXAMPLE.COM]]] [sdap_kinit_next_kdc] (0x1000): Resolving next KDC for service EXAMPLE.COM
(Fri Apr 17 10:11:24 2015) [sssd[be[unix.EXAMPLE.COM]]] [fo_resolve_service_send] (0x0100): Trying to resolve service 'EXAMPLE.COM'
(Fri Apr 17 10:11:24 2015) [sssd[be[unix.EXAMPLE.COM]]] [get_server_status] (0x1000): Status of server 'domain_controller.EXAMPLE.COM' is 'name resolved'
(Fri Apr 17 10:11:24 2015) [sssd[be[unix.EXAMPLE.COM]]] [fo_resolve_service_activate_timeout] (0x2000): Resolve timeout set to 6 seconds
(Fri Apr 17 10:11:24 2015) [sssd[be[unix.EXAMPLE.COM]]] [resolve_srv_send] (0x0200): The status of SRV lookup is resolved
(Fri Apr 17 10:11:24 2015) [sssd[be[unix.EXAMPLE.COM]]] [get_server_status] (0x1000): Status of server 'domain_controller.EXAMPLE.COM' is 'name resolved'
(Fri Apr 17 10:11:24 2015) [sssd[be[unix.EXAMPLE.COM]]] [be_resolve_server_process] (0x1000): Saving the first resolved server
(Fri Apr 17 10:11:24 2015) [sssd[be[unix.EXAMPLE.COM]]] [be_resolve_server_process] (0x0200): Found address for server domain_controller.EXAMPLE.COM: [1.2.3.4] TTL 3600
(Fri Apr 17 10:11:24 2015) [sssd[be[unix.EXAMPLE.COM]]] [sdap_kinit_kdc_resolved] (0x1000): KDC resolved, attempting to get TGT...
(Fri Apr 17 10:11:24 2015) [sssd[be[unix.EXAMPLE.COM]]] [create_tgt_req_send_buffer] (0x0400): buffer size: 70
(Fri Apr 17 10:11:24 2015) [sssd[be[unix.EXAMPLE.COM]]] [child_handler_setup] (0x2000): Setting up signal handler up for pid [8734]
(Fri Apr 17 10:11:24 2015) [sssd[be[unix.EXAMPLE.COM]]] [child_handler_setup] (0x2000): Signal handler set up for pid [8734]
(Fri Apr 17 10:11:24 2015) [sssd[be[unix.EXAMPLE.COM]]] [set_tgt_child_timeout] (0x0400): Setting 6 seconds timeout for tgt child
(Fri Apr 17 10:11:24 2015) [sssd[be[unix.EXAMPLE.COM]]] [sdap_process_result] (0x2000): Trace: sh[0x7f6ca7b71b70], connected[1], ops[(nil)], ldap[0x7f6ca7b89f20]
(Fri Apr 17 10:11:24 2015) [sssd[be[unix.EXAMPLE.COM]]] [sdap_process_result] (0x2000): Trace: ldap_result found nothing!
(Fri Apr 17 10:11:24 2015) [sssd[be[unix.EXAMPLE.COM]]] [write_pipe_handler] (0x0400): All data has been sent!
(Fri Apr 17 10:11:24 2015) [sssd[be[unix.EXAMPLE.COM]]] [child_sig_handler] (0x1000): Waiting for child [8734].
(Fri Apr 17 10:11:24 2015) [sssd[be[unix.EXAMPLE.COM]]] [child_sig_handler] (0x0100): child [8734] finished successfully.
(Fri Apr 17 10:11:24 2015) [sssd[be[unix.EXAMPLE.COM]]] [read_pipe_handler] (0x0400): EOF received, client finished
(Fri Apr 17 10:11:24 2015) [sssd[be[unix.EXAMPLE.COM]]] [sdap_get_tgt_recv] (0x0400): Child responded: 0 [FILE:/var/lib/sss/db/ccache_UNIX.EXAMPLE.COM], expired on [1429366284]
(Fri Apr 17 10:11:24 2015) [sssd[be[unix.EXAMPLE.COM]]] [sdap_cli_auth_step] (0x0100): expire timeout is 900
(Fri Apr 17 10:11:24 2015) [sssd[be[unix.EXAMPLE.COM]]] [sdap_cli_auth_step] (0x1000): the connection will expire at 1429280784
(Fri Apr 17 10:11:24 2015) [sssd[be[unix.EXAMPLE.COM]]] [sasl_bind_send] (0x0100): Executing sasl bind mech: gssapi, user: host/ipa_server.unix.EXAMPLE.COM
(Fri Apr 17 10:11:24 2015) [sssd[be[unix.EXAMPLE.COM]]] [sasl_bind_send] (0x0020): ldap_sasl_bind failed (-2)[Local error]
(Fri Apr 17 10:11:24 2015) [sssd[be[unix.EXAMPLE.COM]]] [sasl_bind_send] (0x0080): Extended failure message: [SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure.  Minor code may provide more information (KDC policy rejects request)]
(Fri Apr 17 10:11:24 2015) [sssd[be[unix.EXAMPLE.COM]]] [fo_set_port_status] (0x0100): Marking port 389 of server 'domain_controller.EXAMPLE.COM' as 'not working'
(Fri Apr 17 10:11:24 2015) [sssd[be[unix.EXAMPLE.COM]]] [ad_user_data_cmp] (0x1000): Comparing LDAP with LDAP
(Fri Apr 17 10:11:24 2015) [sssd[be[unix.EXAMPLE.COM]]] [fo_set_port_status] (0x0400): Marking port 389 of duplicate server 'domain_controller.EXAMPLE.COM' as 'not working'
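The following is an added example, not part of the post or of SSSD itself: a small parser for the SSSD backend debug-log format shown above that correlates a SASL bind attempt with its failure line, pulls the GSSAPI minor-code text out of the extended failure message, and records which server SSSD then marks as not working. The sample lines are constructed to match the format quoted in the post; the debug-level names are assumed from SSSD's documented debug_level bit masks.

```python
import re

# Constructed sample in the SSSD backend debug-log format quoted above (not a real capture).
SAMPLE_LOG = """\
(Fri Apr 17 10:11:24 2015) [sssd[be[unix.EXAMPLE.COM]]] [sasl_bind_send] (0x0100): Executing sasl bind mech: gssapi, user: host/ipa_server.unix.EXAMPLE.COM
(Fri Apr 17 10:11:24 2015) [sssd[be[unix.EXAMPLE.COM]]] [sasl_bind_send] (0x0020): ldap_sasl_bind failed (-2)[Local error]
(Fri Apr 17 10:11:24 2015) [sssd[be[unix.EXAMPLE.COM]]] [sasl_bind_send] (0x0080): Extended failure message: [SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure.  Minor code may provide more information (KDC policy rejects request)]
(Fri Apr 17 10:11:24 2015) [sssd[be[unix.EXAMPLE.COM]]] [fo_set_port_status] (0x0100): Marking port 389 of server 'domain_controller.EXAMPLE.COM' as 'not working'
"""

# "(timestamp) [sssd[be[domain]]] [function] (0xMASK): message"
LINE_RE = re.compile(
    r"^\((?P<ts>[^)]+)\) \[sssd\[be\[(?P<domain>[^\]]+)\]\]\] "
    r"\[(?P<func>[^\]]+)\] \((?P<level>0x[0-9a-fA-F]+)\): (?P<msg>.*)$"
)
# SSSD debug_level bit masks (assumed from the SSSD documentation): 0x0020 is "critical", 0x0080 "minor failure".
CRITICAL, MINOR_FAILURE = 0x0020, 0x0080


def parse_line(line):
    """Split one SSSD debug line into its fields; returns None for lines in another format."""
    m = LINE_RE.match(line.rstrip("\n"))
    if not m:
        return None
    rec = m.groupdict()
    rec["level"] = int(rec["level"], 16)
    return rec


def find_bind_failures(log_text):
    """Return one record per failed SASL bind: mech, principal, GSSAPI detail, and the server marked down."""
    failures, current = [], None
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        msg = rec["msg"]
        started = re.match(r"Executing sasl bind mech: (\S+), user: (\S+)", msg)
        if started:  # a new bind attempt; anything that follows belongs to it
            current = {"domain": rec["domain"], "mech": started.group(1), "user": started.group(2),
                       "failed": False, "detail": None, "server_down": None}
            continue
        if current is None:
            continue
        if msg.startswith("ldap_sasl_bind failed") and rec["level"] == CRITICAL:
            current["failed"] = True
        elif msg.startswith("Extended failure message:") and rec["level"] == MINOR_FAILURE:
            minor = re.search(r"\(([^()]*)\)\]$", msg)  # trailing "(... minor code text)]"
            current["detail"] = minor.group(1) if minor else msg
        else:
            down = re.search(r"Marking port (\d+) of server '([^']+)' as 'not working'", msg)
            if down and current["failed"]:
                current["server_down"] = f"{down.group(2)}:{down.group(1)}"
                failures.append(current)
                current = None
    return failures
```

Run it over an sssd_<domain>.log captured at debug_level 10 or higher to get the bind principal, the KDC's reason text and the failed-over server in one record instead of scanning the log by hand.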