[Freeipa-users] LDAP bind failing on new IPA setup

Alexander Bokovoy abokovoy at redhat.com
Fri Apr 17 14:49:44 UTC 2015


On Fri, 17 Apr 2015, Gould, Joshua wrote:
>We set up our new IPA server (RHEL7) with a trust against our AD domain.
>The trust and ID range look right in IPA
>
>[root sssd]# ipa trust-show
>Realm name: example.com
>  Realm name: EXAMPLE.COM
>  Domain NetBIOS name: EXAMPLE
>  Domain Security Identifier: S-1-5-21-
>  Trust direction: Two-way trust
>  Trust type: Active Directory domain
>[root sssd]# ipa idrange-find --all
>----------------
>2 ranges matched
>----------------
>  dn: cn=EXAMPLE.COM_id_range,cn=ranges,cn=etc,dc=examle,dc=com
>  Range name: EXAMPLE.COM_id_range
>  First Posix ID of the range: 2000000
>  Number of IDs in the range: 900000
>  First RID of the corresponding RID range: 0
>  Domain SID of the trusted domain: S-1-5-21-
>  Range type: Active Directory domain range
>  iparangetyperaw: ipa-ad-trust
>  objectclass: ipatrustedaddomainrange, ipaIDrange
>
>  dn: cn=UNIX.EXAMPLE.COM_id_range,cn=ranges,cn=etc,dc=example,dc=com
>  Range name: UNIX.EXAMPLE.COM_id_range
>  First Posix ID of the range: 369600000
>  Number of IDs in the range: 200000
>  First RID of the corresponding RID range: 1000
>  First RID of the secondary RID range: 100000000
>  Range type: local domain range
>  iparangetyperaw: ipa-local
>  objectclass: top, ipaIDrange, ipaDomainIDRange
>----------------------------
>Number of entries returned 2
>----------------------------
Either you obfuscated too much or your setup makes little sense, as the IPA
local domain ID range is for unix.example.com while your realm is
EXAMPLE.COM and the AD realm is EXAMPLE.COM. This is not going to work --
IPA and AD have to have different realms.


>[root sssd]#
>
>I see that the bind fails but I’m not sure why. Here are the errors.
>Could someone point me in the right direction please?

A single line you need to look at is this:
(Fri Apr 17 10:11:24 2015) [sssd[be[unix.EXAMPLE.COM]]] [sasl_bind_send] (0x0080): Extended failure message: [SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure.  Minor code may provide more information (KDC policy rejects request)]

"KDC policy rejects request" is the Kerberos way of saying "My realm doesn't
trust your realm, go away".

In order to know what exactly is wrong, do the following (it is all written
in the troubleshooting section of the trust documentation on the FreeIPA
wiki):

1. add 'log level = 100' to [global] section of
/usr/share/ipa/smb.conf.empty

2. Without restarting anything, re-establish trust with 'ipa trust-add ...'.

3. Look into /var/log/http/error_log to see a response for something
like this:
s4_tevent: Run immediate event "tevent_req_trigger": 0x7f5ccc084a40
     netr_LogonControl2Ex: struct netr_LogonControl2Ex
        out: struct netr_LogonControl2Ex
            query                    : *
                query                    : union netr_CONTROL_QUERY_INFORMATION(case 2)
                info2                    : *
                    info2: struct netr_NETLOGON_INFO_2
                        flags                    : 0x000000b0 (176)
                               0: NETLOGON_REPLICATION_NEEDED
                               0: NETLOGON_REPLICATION_IN_PROGRESS
                               0: NETLOGON_FULL_SYNC_REPLICATION
                               0: NETLOGON_REDO_NEEDED     
                               1: NETLOGON_HAS_IP          
                               1: NETLOGON_HAS_TIMESERV    
                               0: NETLOGON_DNS_UPDATE_FAILURE
                               1: NETLOGON_VERIFY_STATUS_RETURNED
                        pdc_connection_status    : WERR_OK
                        trusted_dc_name          : *
                            trusted_dc_name          : '\\rh7-1.ipacloud7.test'
                        tc_connection_status     : WERR_OK
            result                   : WERR_OK

If instead of WERR_OK in pdc_connection_status you have something else,
that is telling you the error. Show us the output like above.


-- 
/ Alexander Bokovoy
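An added example, not part of the mail and not FreeIPA or Samba code: a small parser for a netr_LogonControl2Ex dump like the one in step 3 that reports any of the three status fields that is not WERR_OK. The sample dump is constructed from the mail's excerpt, and the function names are mine.

```python
import re

# Constructed sample modelled on the dump in the mail; not a real capture.
SAMPLE_OK = r"""
s4_tevent: Run immediate event "tevent_req_trigger": 0x7f5ccc084a40
     netr_LogonControl2Ex: struct netr_LogonControl2Ex
        out: struct netr_LogonControl2Ex
                        flags                    : 0x000000b0 (176)
                               0: NETLOGON_REPLICATION_NEEDED
                               1: NETLOGON_HAS_IP
                               0: NETLOGON_DNS_UPDATE_FAILURE
                               1: NETLOGON_VERIFY_STATUS_RETURNED
                        pdc_connection_status    : WERR_OK
                        trusted_dc_name          : *
                            trusted_dc_name          : '\\rh7-1.ipacloud7.test'
                        tc_connection_status     : WERR_OK
            result                   : WERR_OK
"""

# The three status fields the reply says must all read WERR_OK.
STATUS_FIELDS = ("pdc_connection_status", "tc_connection_status", "result")
KEY_VALUE = re.compile(r"^\s*([A-Za-z_]\w*)\s*:\s*(.+?)\s*$")
FLAG_LINE = re.compile(r"^\s*([01]):\s*(NETLOGON_\w+)\s*$")

def parse_logoncontrol(text):
    """Pull status codes, set flags and the DC name out of the NDR debug dump."""
    statuses, flags, trusted_dc = {}, [], None
    for line in text.splitlines():
        flag = FLAG_LINE.match(line)
        if flag:  # "1: NETLOGON_HAS_IP" style lines; keep only the set ones
            if flag.group(1) == "1":
                flags.append(flag.group(2))
            continue
        kv = KEY_VALUE.match(line)
        if not kv:
            continue
        key, value = kv.groups()
        if key in STATUS_FIELDS:
            statuses[key] = value
        elif key == "trusted_dc_name" and value != "*":  # '*' is only a pointer marker
            trusted_dc = value.strip("'")
    return {"statuses": statuses, "flags": flags, "trusted_dc": trusted_dc}

def trust_problems(text):
    """(field, value) pairs that are missing or not WERR_OK; empty means healthy."""
    statuses = parse_logoncontrol(text)["statuses"]
    return [(f, statuses.get(f, "<missing>")) for f in STATUS_FIELDS
            if statuses.get(f) != "WERR_OK"]
```

Feed it the error_log from step 3; an empty list means all three fields were WERR_OK, while a "<missing>" entry means the dump was not found in the input at all.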
