[Freeipa-users] Trust with Active Directory fails

Alexander Bokovoy abokovoy at redhat.com
Fri Feb 6 08:27:36 UTC 2015


On Thu, 05 Feb 2015, Guertin, David S. wrote:
>I'm trying to set up a trust between IPA and Active Directory, and it
>keeps failing. The problem is the same as this one
>(https://www.redhat.com/archives/freeipa-users/2014-April/msg00039.html),
>but the solution is not. In that case, it was solved by enabling IPv6
>in the kernel, and in this case IPv6 is already enabled.
>
>Here's what happens:
>
># ipa trust-add --type=ad example.com
>ipa: ERROR: Cannot find specified domain or server name
>
>It looks like a DNS problem, and all the suggestions I've seen point to
>DNS, but from everything I can see, DNS appears to be working. I have
>the IPA domain set up as a subdomain (csns.example.com) of the AD
>domain (example.com). Our AD domain controllers are NOT set up as DNS
>servers -- we have external, independent DNS servers for that. (Could
>that be part of the problem?) I am running bind on the IPA server
>(which is running RHEL6), because all the documentation was written
>that way. It is set up as a delegation subdomain of our main domain.
We don't require DNS to be tied to any specific party (IPA or AD); all
we require is that all proper service records (SRV) are in place.

For Active Directory cross-forest trusts to work, we need the following
records to be in place:

_ldap._tcp.<DOMAIN>
_kerberos._udp.<DOMAIN>
_kerberos._tcp.<DOMAIN>
_ldap._tcp.Default-First-Site-Name._sites.dc._msdcs.<DOMAIN>
_kerberos._udp.Default-First-Site-Name._sites.dc._msdcs.<DOMAIN>
_kerberos._tcp.Default-First-Site-Name._sites.dc._msdcs.<DOMAIN>
_ldap._tcp.dc._msdcs.<DOMAIN>
_kerberos._udp.dc._msdcs.<DOMAIN>
_kerberos._tcp.dc._msdcs.<DOMAIN>

When you run ipa-adtrust-install, it will generate these records for the IPA
domain, but when we perform the trust, Samba libraries resolve these in the AD
domain too. Make sure they are properly configured.

>
>From the IPA server, dig finds the AD domain controllers:
>
># dig SRV _ldap._tcp.example.com
>
>; <<>> DiG 9.8.2rc1-RedHat-9.8.2-0.30.rc1.el6_6.1 <<>> SRV _ldap._tcp.example.com
>;; global options: +cmd
>;; Got answer:
>;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 8858
>;; flags: qr rd ra; QUERY: 1, ANSWER: 6, AUTHORITY: 13, ADDITIONAL: 0
>
>;; QUESTION SECTION:
>;_ldap._tcp.example.com.           IN           SRV
>
>;; ANSWER SECTION:
>_ldap._tcp.example.com. 600    IN           SRV        0 100 389 dc1.example.com.
>_ldap._tcp.example.com. 600    IN           SRV        0 100 389 dc2.example.com.
>_ldap._tcp.example.com. 600    IN           SRV        0 100 389 dc3.example.com.
>_ldap._tcp.example.com. 600    IN           SRV        0 100 389 dc4.example.com.
>_ldap._tcp.example.com. 600    IN           SRV        0 100 389 dc5.example.com.
>_ldap._tcp.example.com. 600    IN           SRV        0 100 389 dc6.example.com.
>
>;; AUTHORITY SECTION:
>.                                               407417  IN           NS          b.root-servers.net.
>.                                               407417  IN           NS          a.root-servers.net.
>.                                               407417  IN           NS          h.root-servers.net.
>.                                               407417  IN           NS          f.root-servers.net.
>.                                               407417  IN           NS          m.root-servers.net.
>.                                               407417  IN           NS          k.root-servers.net.
>.                                               407417  IN           NS          l.root-servers.net.
>.                                               407417  IN           NS          g.root-servers.net.
>.                                               407417  IN           NS          e.root-servers.net.
>.                                               407417  IN           NS          j.root-servers.net.
>.                                               407417  IN           NS          i.root-servers.net.
>.                                               407417  IN           NS          d.root-servers.net.
>.                                               407417  IN           NS          c.root-servers.net.
>
>;; Query time: 2 msec
>;; SERVER: 140.233.1.7#53(140.233.1.7)
>;; WHEN: Thu Feb  5 16:38:22 2015
>;; MSG SIZE  rcvd: 503
>
>And, with nslookup, I can do name lookups on the domain controllers and
>the DNS servers, and they all find the appropriate IP address. It all
>works the other way, too. From the domain controllers I can do nslookup
>on the IPA server. In fact, every nslookup or ping command I do on any
>hostname from anywhere all works -- it's only the ipa trust-add command
>that's failing.
>
>I've set log level to 100 in /usr/share/ipa/smb.conf.empty, and here's the output in /var/log/httpd/error_log:
>
>lpcfg_load: refreshing parameters from /usr/share/ipa/smb.conf.empty
>params.c:pm_process() - Processing configuration file "/usr/share/ipa/smb.conf.empty"
>Processing section "[global]"
>INFO: Current debug levels:
>  all: 100
>  tdb: 100
>  printdrivers: 100
>  lanman: 100
>  smb: 100
>  rpc_parse: 100
>  rpc_srv: 100
>  rpc_cli: 100
>  passdb: 100
>  sam: 100
>  auth: 100
>  winbind: 100
>  vfs: 100
>  idmap: 100
>  quota: 100
>  acls: 100
>  locking: 100
>  msdfs: 100
>  dmapi: 100
>  registry: 100
>pm_process() returned Yes
>Using binding ncacn_np:civet.csns.example.com[,]
>tevent: Added timed event "dcerpc_connect_timeout_handler": 0x7f22f41eeb60
>tevent: Added timed event "composite_trigger": 0x7f22f403d270
>tevent: Added timed event "composite_trigger": 0x7f22f41efdc0
>tevent: Running timer event 0x7f22f403d270 "composite_trigger"
>tevent: Destroying timer event 0x7f22f41efdc0 "composite_trigger"
>Mapped to DCERPC endpoint \pipe\lsarpc
>added interface eth0 ip=140.233.1.7 bcast=140.233.1.255 netmask=255.255.255.0
>added interface eth0 ip=140.233.1.7 bcast=140.233.1.255 netmask=255.255.255.0
>tevent: Ending timer event 0x7f22f403d270 "composite_trigger"
>tevent: Added timed event "connect_multi_timer": 0x7f22f4136d60
>tevent: Schedule immediate event "tevent_req_trigger": 0x7f22f4137690
>tevent: Run immediate event "tevent_req_trigger": 0x7f22f4137690
>tevent: Destroying timer event 0x7f22f4136d60 "connect_multi_timer"
>Socket options:
>        SO_KEEPALIVE = 0
>        SO_REUSEADDR = 0
>        SO_BROADCAST = 0
>        TCP_NODELAY = 1
>        TCP_KEEPCNT = 9
>        TCP_KEEPIDLE = 7200
>        TCP_KEEPINTVL = 75
>        IPTOS_LOWDELAY = 0
>        IPTOS_THROUGHPUT = 0
>        SO_REUSEPORT = 0
>        SO_SNDBUF = 660150
>        SO_RCVBUF = 174758
>        SO_SNDLOWAT = 1
>        SO_RCVLOWAT = 1
>        SO_SNDTIMEO = 0
>        SO_RCVTIMEO = 0
>        TCP_QUICKACK = 1
>        TCP_DEFER_ACCEPT = 0
>tevent: Added timed event "tevent_req_timedout": 0x7f22f403f580
>tevent: Schedule immediate event "tevent_queue_immediate_trigger": 0x7f22f425aee0
>tevent: Run immediate event "tevent_queue_immediate_trigger": 0x7f22f425aee0
>tevent: Destroying timer event 0x7f22f403f580 "tevent_req_timedout"
>Starting GENSEC mechanism spnego
>Starting GENSEC submechanism gssapi_krb5
>Ticket in credentials cache for admin at CSNS.EXAMPLE.COM will expire in 86371 secs
>tevent: Added timed event "tevent_req_timedout": 0x7f22f42c2dd0
>tevent: Schedule immediate event "tevent_queue_immediate_trigger": 0x7f22f425aee0
>tevent: Run immediate event "tevent_queue_immediate_trigger": 0x7f22f425aee0
>tevent: Destroying timer event 0x7f22f42c2dd0 "tevent_req_timedout"
>gensec_gssapi: NO credentials were delegated
>GSSAPI Connection will be cryptographically sealed
>tevent: Added timed event "tevent_req_timedout": 0x7f22f4041110
>tevent: Schedule immediate event "tevent_queue_immediate_trigger": 0x7f22f425aee0
>tevent: Run immediate event "tevent_queue_immediate_trigger": 0x7f22f425aee0
>tevent: Destroying timer event 0x7f22f4041110 "tevent_req_timedout"
>tevent: Added timed event "tevent_req_timedout": 0x7f22f431dbd0
>tevent: Schedule immediate event "tevent_queue_immediate_trigger": 0x7f22f425aee0
>tevent: Run immediate event "tevent_queue_immediate_trigger": 0x7f22f425aee0
>tevent: Destroying timer event 0x7f22f431dbd0 "tevent_req_timedout"
>tevent: Destroying timer event 0x7f22f41eeb60 "dcerpc_connect_timeout_handler"
>[Thu Feb 05 16:50:18 2015] [error] ipa: INFO: admin at CSNS.EXAMPLE.COM: trust_add(u'example.com', trust_type=u'ad', range_size=200000, all=False, raw=False, version=u'2.49'): NotFound
I can see that we initialized the connection to local Samba
(civet.csns.example.com). The next step is to initialize the connection to
the AD side, and that one fails -- exactly because it is unable to pick up
a domain controller from the msdcs-specific SRV records.


-- 
/ Alexander Bokovoy
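As an added check (this is example code, not part of the thread and not FreeIPA or Samba code), the script below expands the nine SRV names from Alexander's list for a domain, parses dig-style answer lines like the ones quoted in the thread, and reports which names resolve to nothing. The sample answers are constructed: the six `_ldap._tcp` answers from the thread plus Kerberos records, and nothing under `dc._msdcs`, which is the situation diagnosed above. The site name defaults to `Default-First-Site-Name` as in the list but is a parameter, since a forest with a renamed site publishes its `_sites` records under that name instead; the `dig_srv` helper is only used for a live run.

```python
"""Offline check of the SRV records a FreeIPA <-> AD trust depends on.

Added example, not FreeIPA/Samba code. Run it as a script to see the
constructed sample evaluated; use collect_live() to query a real resolver.
"""
import subprocess
from typing import Dict, List, NamedTuple

# The nine SRV names Samba resolves in both the IPA and the AD domain.
# {d} is the domain, {site} the AD site name (assumed default below).
REQUIRED_SRV_TEMPLATES = [
    "_ldap._tcp.{d}",
    "_kerberos._udp.{d}",
    "_kerberos._tcp.{d}",
    "_ldap._tcp.{site}._sites.dc._msdcs.{d}",
    "_kerberos._udp.{site}._sites.dc._msdcs.{d}",
    "_kerberos._tcp.{site}._sites.dc._msdcs.{d}",
    "_ldap._tcp.dc._msdcs.{d}",
    "_kerberos._udp.dc._msdcs.{d}",
    "_kerberos._tcp.dc._msdcs.{d}",
]


class SrvRecord(NamedTuple):
    priority: int
    weight: int
    port: int
    target: str


def required_srv_names(domain: str, site: str = "Default-First-Site-Name") -> List[str]:
    """Expand the templates for one domain; names are case-folded, no trailing dot."""
    d = domain.rstrip(".").lower()
    return [t.format(d=d, site=site).lower() for t in REQUIRED_SRV_TEMPLATES]


def parse_srv_answers(text: str) -> Dict[str, List[SrvRecord]]:
    """Parse 'dig +noall +answer'-style lines into {owner name: [records]}.

    Expected field order: owner ttl class type priority weight port target.
    Owner names are case-folded and stripped of the trailing dot so they
    compare equal to required_srv_names(). Comment lines and non-SRV
    records (A, NS, ...) are ignored.
    """
    records: Dict[str, List[SrvRecord]] = {}
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 8 or fields[2].upper() != "IN" or fields[3].upper() != "SRV":
            continue
        owner = fields[0].rstrip(".").lower()
        try:
            rec = SrvRecord(int(fields[4]), int(fields[5]), int(fields[6]),
                            fields[7].rstrip(".").lower())
        except ValueError:
            continue  # malformed numeric field; skip rather than abort
        records.setdefault(owner, []).append(rec)
    return records


def check_domain(domain: str, answers: Dict[str, List[SrvRecord]],
                 site: str = "Default-First-Site-Name") -> Dict[str, List[str]]:
    """Return {'present': [...], 'missing': [...]} over the nine required names."""
    result: Dict[str, List[str]] = {"present": [], "missing": []}
    for name in required_srv_names(domain, site):
        result["present" if answers.get(name) else "missing"].append(name)
    return result


def dig_srv(name: str) -> str:
    """Live helper: return dig's answer-section lines for one SRV name."""
    proc = subprocess.run(["dig", "+noall", "+answer", "SRV", name],
                          capture_output=True, text=True, check=False)
    return proc.stdout


def collect_live(domain: str, site: str = "Default-First-Site-Name") -> Dict[str, List[SrvRecord]]:
    """Query every required name with dig and parse the combined answers."""
    return parse_srv_answers("".join(dig_srv(n) for n in required_srv_names(domain, site)))


# Constructed sample: the thread's six _ldap._tcp answers, Kerberos records
# at the domain apex, an unrelated A record, and nothing under dc._msdcs.
SAMPLE_ANSWERS = """\
_ldap._tcp.example.com. 600 IN SRV 0 100 389 dc1.example.com.
_ldap._tcp.example.com. 600 IN SRV 0 100 389 dc2.example.com.
_ldap._tcp.example.com. 600 IN SRV 0 100 389 dc3.example.com.
_ldap._tcp.example.com. 600 IN SRV 0 100 389 dc4.example.com.
_ldap._tcp.example.com. 600 IN SRV 0 100 389 dc5.example.com.
_ldap._tcp.example.com. 600 IN SRV 0 100 389 dc6.example.com.
_kerberos._tcp.example.com. 600 IN SRV 0 100 88 dc1.example.com.
_kerberos._udp.example.com. 600 IN SRV 0 100 88 dc1.example.com.
example.com. 3600 IN A 192.0.2.10
"""

if __name__ == "__main__":
    report = check_domain("example.com", parse_srv_answers(SAMPLE_ANSWERS))
    for name in report["missing"]:
        print("MISSING:", name)
```

Run the same check against the IPA domain as well, since Samba resolves the list on both sides of the trust; an empty `missing` list for both domains is the precondition Alexander describes.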
