[Freeipa-users] LDAP bind failing on new IPA setup

Sumit Bose sbose at redhat.com
Fri Apr 17 14:58:40 UTC 2015


On Fri, Apr 17, 2015 at 10:29:31AM -0400, Gould, Joshua wrote:
> We setup our new IPA server (RHEL7) with a trust against our AD domain. The trust and ID range look right in IPA
> 
> [root sssd]# ipa trust-show
> Realm name: example.com
>   Realm name: EXAMPLE.COM
>   Domain NetBIOS name: EXAMPLE
>   Domain Security Identifier: S-1-5-21-
>   Trust direction: Two-way trust
>   Trust type: Active Directory domain
> [root sssd]# ipa idrange-find --all
> ----------------
> 2 ranges matched
> ----------------
>   dn: cn=EXAMPLE.COM_id_range,cn=ranges,cn=etc,dc=examle,dc=com
>   Range name: EXAMPLE.COM_id_range
>   First Posix ID of the range: 2000000
>   Number of IDs in the range: 900000
>   First RID of the corresponding RID range: 0
>   Domain SID of the trusted domain: S-1-5-21-
>   Range type: Active Directory domain range
>   iparangetyperaw: ipa-ad-trust
>   objectclass: ipatrustedaddomainrange, ipaIDrange
> 
>   dn: cn=UNIX.EXAMPLE.COM_id_range,cn=ranges,cn=etc,dc=example,dc=com
>   Range name: UNIX.EXAMPLE.COM_id_range
>   First Posix ID of the range: 369600000
>   Number of IDs in the range: 200000
>   First RID of the corresponding RID range: 1000
>   First RID of the secondary RID range: 100000000
>   Range type: local domain range
>   iparangetyperaw: ipa-local
>   objectclass: top, ipaIDrange, ipaDomainIDRange
> ----------------------------
> Number of entries returned 2
> ----------------------------
> [root sssd]#
> 
> I see that the bind fails but I’m not sure why. Here are the errors. Could someone point me in the right direction please?
> 
> (Fri Apr 17 10:11:24 2015) [sssd[be[unix.EXAMPLE.COM]]] [sdap_get_server_opts_from_rootdse] (0x0100): Setting AD compatibility level to [4]
> (Fri Apr 17 10:11:24 2015) [sssd[be[unix.EXAMPLE.COM]]] [sdap_kinit_send] (0x0400): Attempting kinit (default, host/xxx, UNIX.EXAMPLE.COM, 86400)
> (Fri Apr 17 10:11:24 2015) [sssd[be[unix.EXAMPLE.COM]]] [sdap_kinit_next_kdc] (0x1000): Resolving next KDC for service EXAMPLE.COM
> (Fri Apr 17 10:11:24 2015) [sssd[be[unix.EXAMPLE.COM]]] [fo_resolve_service_send] (0x0100): Trying to resolve service 'EXAMPLE.COM'
> (Fri Apr 17 10:11:24 2015) [sssd[be[unix.EXAMPLE.COM]]] [get_server_status] (0x1000): Status of server 'domain_controller.EXAMPLE.COM' is 'name resolved'
> (Fri Apr 17 10:11:24 2015) [sssd[be[unix.EXAMPLE.COM]]] [fo_resolve_service_activate_timeout] (0x2000): Resolve timeout set to 6 seconds
> (Fri Apr 17 10:11:24 2015) [sssd[be[unix.EXAMPLE.COM]]] [resolve_srv_send] (0x0200): The status of SRV lookup is resolved
> (Fri Apr 17 10:11:24 2015) [sssd[be[unix.EXAMPLE.COM]]] [get_server_status] (0x1000): Status of server 'domain_controller.EXAMPLE.COM' is 'name resolved'
> (Fri Apr 17 10:11:24 2015) [sssd[be[unix.EXAMPLE.COM]]] [be_resolve_server_process] (0x1000): Saving the first resolved server
> (Fri Apr 17 10:11:24 2015) [sssd[be[unix.EXAMPLE.COM]]] [be_resolve_server_process] (0x0200): Found address for server domain_controller.EXAMPLE.COM: [1.2.3.4] TTL 3600
> (Fri Apr 17 10:11:24 2015) [sssd[be[unix.EXAMPLE.COM]]] [sdap_kinit_kdc_resolved] (0x1000): KDC resolved, attempting to get TGT...
> (Fri Apr 17 10:11:24 2015) [sssd[be[unix.EXAMPLE.COM]]] [create_tgt_req_send_buffer] (0x0400): buffer size: 70
> (Fri Apr 17 10:11:24 2015) [sssd[be[unix.EXAMPLE.COM]]] [child_handler_setup] (0x2000): Setting up signal handler up for pid [8734]
> (Fri Apr 17 10:11:24 2015) [sssd[be[unix.EXAMPLE.COM]]] [child_handler_setup] (0x2000): Signal handler set up for pid [8734]
> (Fri Apr 17 10:11:24 2015) [sssd[be[unix.EXAMPLE.COM]]] [set_tgt_child_timeout] (0x0400): Setting 6 seconds timeout for tgt child
> (Fri Apr 17 10:11:24 2015) [sssd[be[unix.EXAMPLE.COM]]] [sdap_process_result] (0x2000): Trace: sh[0x7f6ca7b71b70], connected[1], ops[(nil)], ldap[0x7f6ca7b89f20]
> (Fri Apr 17 10:11:24 2015) [sssd[be[unix.EXAMPLE.COM]]] [sdap_process_result] (0x2000): Trace: ldap_result found nothing!
> (Fri Apr 17 10:11:24 2015) [sssd[be[unix.EXAMPLE.COM]]] [write_pipe_handler] (0x0400): All data has been sent!
> (Fri Apr 17 10:11:24 2015) [sssd[be[unix.EXAMPLE.COM]]] [child_sig_handler] (0x1000): Waiting for child [8734].
> (Fri Apr 17 10:11:24 2015) [sssd[be[unix.EXAMPLE.COM]]] [child_sig_handler] (0x0100): child [8734] finished successfully.
> (Fri Apr 17 10:11:24 2015) [sssd[be[unix.EXAMPLE.COM]]] [read_pipe_handler] (0x0400): EOF received, client finished
> (Fri Apr 17 10:11:24 2015) [sssd[be[unix.EXAMPLE.COM]]] [sdap_get_tgt_recv] (0x0400): Child responded: 0 [FILE:/var/lib/sss/db/ccache_UNIX.EXAMPLE.COM], expired on [1429366284]
> (Fri Apr 17 10:11:24 2015) [sssd[be[unix.EXAMPLE.COM]]] [sdap_cli_auth_step] (0x0100): expire timeout is 900
> (Fri Apr 17 10:11:24 2015) [sssd[be[unix.EXAMPLE.COM]]] [sdap_cli_auth_step] (0x1000): the connection will expire at 1429280784
> (Fri Apr 17 10:11:24 2015) [sssd[be[unix.EXAMPLE.COM]]] [sasl_bind_send] (0x0100): Executing sasl bind mech: gssapi, user: host/ipa_server.unix.EXAMPLE.COM
> (Fri Apr 17 10:11:24 2015) [sssd[be[unix.EXAMPLE.COM]]] [sasl_bind_send] (0x0020): ldap_sasl_bind failed (-2)[Local error]
> (Fri Apr 17 10:11:24 2015) [sssd[be[unix.EXAMPLE.COM]]] [sasl_bind_send] (0x0080): Extended failure message: [SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure.  Minor code may provide more information (KDC policy rejects request)]

This error typically indicates there were some issues when adding the
trust, most probably the validation did not succeed completely. The most
probable reasons here are firewalls between AD and IPA and DNS issues.
Please check on the AD side that SRV records like
_ldap._tcp.dc._msdcs.unix.example.com and _ldap._tcp.unix.example.com
can be resolved.

bye,
Sumit

> (Fri Apr 17 10:11:24 2015) [sssd[be[unix.EXAMPLE.COM]]] [fo_set_port_status] (0x0100): Marking port 389 of server 'domain_controller.EXAMPLE.COM' as 'not working'
> (Fri Apr 17 10:11:24 2015) [sssd[be[unix.EXAMPLE.COM]]] [ad_user_data_cmp] (0x1000): Comparing LDAP with LDAP
> (Fri Apr 17 10:11:24 2015) [sssd[be[unix.EXAMPLE.COM]]] [fo_set_port_status] (0x0400): Marking port 389 of duplicate server 'domain_controller.EXAMPLE.COM' as 'not working'
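The two causes named in the reply (DNS and firewalls between AD and IPA) can be checked from a host on the AD side with the script below. It is an added example, not from the thread or the FreeIPA project; it assumes `dig` (bind-utils), coreutils `timeout` and bash's `/dev/tcp`, and `unix.example.com` is only a placeholder for the IPA domain.

```shell
#!/bin/bash
# Added example: from the AD side of the trust, confirm the IPA domain's SRV
# records resolve and that their targets are reachable on the advertised ports.

# Parse `dig +short SRV` output ("prio weight port target.") into "target port".
parse_srv() {
  awk 'NF == 4 { sub(/\.$/, "", $4); print $4, $3 }'
}

# SRV names a domain controller must resolve for the IPA realm: the two LDAP
# forms from the reply plus the Kerberos records (assumed set of names).
srv_names() {
  local d=$1
  printf '%s\n' "_ldap._tcp.$d" "_ldap._tcp.dc._msdcs.$d" \
                "_kerberos._tcp.$d" "_kerberos._udp.$d"
}

# TCP reachability with no extra tools; 0 = open, 1 = closed, filtered or timed out.
port_open() {
  timeout 3 bash -c "exec 3<>/dev/tcp/$1/$2" 2>/dev/null
}

# Walk every SRV name; report missing records (DNS) and unreachable targets (firewall).
check_domain() {
  local d=$1 name records target port rc=0
  for name in $(srv_names "$d"); do
    records=$(dig +short SRV "$name" | parse_srv)
    if [ -z "$records" ]; then
      echo "FAIL  $name: no SRV record (is $d forwarded/delegated to IPA DNS?)"
      rc=1
      continue
    fi
    while read -r target port; do
      case $name in
        _kerberos._udp.*) echo "OK    $name -> $target:$port (UDP not probed)"; continue ;;
      esac
      if port_open "$target" "$port"; then
        echo "OK    $name -> $target:$port reachable"
      else
        echo "FAIL  $name -> $target:$port not reachable (firewall between AD and IPA?)"
        rc=1
      fi
    done <<< "$records"
  done
  return $rc
}

# Usage: ./check_ipa_srv.sh unix.example.com   (only runs when a domain is given)
if [ $# -gt 0 ]; then
  check_domain "$1"
fi
```

A non-zero exit means at least one record was missing or one target unreachable; the FAIL lines say which of the two causes applies.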
