[Freeipa-users] Centos 7 - ipa-server-3.3.3 AD trust trust-fetch-domains and add external group problem

mete bilgin metebilgin48 at gmail.com
Fri Feb 27 09:44:47 UTC 2015


2015-02-27 11:36 GMT+02:00 Alexander Bokovoy <abokovoy at redhat.com>:

> On Fri, 27 Feb 2015, mete bilgin wrote:
>
>> 2015-02-27 11:05 GMT+02:00 Martin Kosek <mkosek at redhat.com>:
>>
>>  On 02/27/2015 10:01 AM, mete bilgin wrote:
>>>
>>>
>>>> 2015-02-27 10:45 GMT+02:00 Martin Kosek <mkosek at redhat.com>:
>>>>
>>>>     On 02/27/2015 09:39 AM, mete bilgin wrote:
>>>>
>>>>
>>>>
>>>>         2015-02-27 10:33 GMT+02:00 Martin Kosek <mkosek at redhat.com>:
>>>>
>>>>              On 02/27/2015 09:30 AM, mete bilgin wrote:
>>>>
>>>>                  Hello,
>>>>
>>>>                  I'm trying to install ipa-server with trust (Win 2008R2).
>>>>                  trustdomain-find will work, but when I try
>>>>                  trust-fetch-domains, "ipa: ERROR: AD domain controller
>>>>                  complains about communication sequence. It may mean
>>>>                  unsynchronized time on both sides, for example" is
>>>>                  returned. Forced to reinstall adtrust. Have any idea
>>>>                  where the problem is?
>>>>
>>>>
>>>>              You have probably done that, but did you indeed verify that
>>>>              the time on both your IPA server and AD are the same?
>>>>
>>>>         http://www.freeipa.org/page/Howto/IPAv3_AD_trust_setup#Date.2Ftime_settings
>>>>
>>>>              Martin
>>>>
>>>>         Yes i did that.
>>>>         [root at ipa01 log]# ntpdate -u
>>>>         27 Feb 10:37:00 ntpdate[11281]: adjust time server
>>>> 192.168.12.239
>>>> offset
>>>>         -0.016979 sec
>>>>
>>>>         By the way,
>>>>         #wbinfo --online-status
>>>>
>>>>         BUILTIN : online
>>>>         ipadomain: online
>>>>         addomain : offline
>>>>
>>>>
>>>>     Right. Did you also check the actual AD? Especially when AD is in a
>>>>     VM, or if, for example, its time zone is wrong, the UTC time may not
>>>>     match.
>>>>
>>>>     Martin
>>>>
>>>> On AD the time zone is (UTC+02:00) Istanbul, and the time is the same as on the ipa server.
>>>>
>>>>
>>> Ok, thanks. It was worth a try. If this is the case, I think you will
>>> simply need to follow our guide for debugging Trusts and send us the
>>> logs:
>>>
>>> http://www.freeipa.org/page/Howto/IPAv3_AD_trust_setup#Debugging_trust
>>>
>>> Thanks,
>>> Martin
>>>
>>>
>> Hi,
>>
>> I turned on debug and tried to understand it, but I cannot :( Here are the logs.
>>
>> Thanks a lot.
>>
>>
>> Error_log
>>
>> [Fri Feb 27 11:08:48.740996 2015] [:error] [pid 5367] ipa: INFO:
>> admin at IPDOMAIN.COM: ping(version=u'2.51'): SUCCESS
>> lpcfg_load: refreshing parameters from /usr/share/ipa/smb.conf.empty
>> params.c:pm_process() - Processing configuration file
>> "/usr/share/ipa/smb.conf.empty"
>> Processing section "[global]"
>> INFO: Current debug levels:
>>  all: 100
>>  tdb: 100
>>  printdrivers: 100
>>  lanman: 100
>>  smb: 100
>>  rpc_parse: 100
>>  rpc_srv: 100
>>  rpc_cli: 100
>>  passdb: 100
>>  sam: 100
>>  auth: 100
>>  winbind: 100
>>  vfs: 100
>>  idmap: 100
>>  quota: 100
>>  acls: 100
>>  locking: 100
>>  msdfs: 100
>>  dmapi: 100
>>  registry: 100
>>  scavenger: 100
>>  dns: 100
>>  ldb: 100
>> pm_process() returned Yes
>> Using binding ncacn_np:ipa01.IPDOMAIN.com[,]
>> s4_tevent: Added timed event "dcerpc_connect_timeout_handler":
>> 0x7fed9c334520
>> s4_tevent: Added timed event "composite_trigger": 0x7fed9c3ec530
>> s4_tevent: Added timed event "composite_trigger": 0x7fed9c2f6310
>> s4_tevent: Running timer event 0x7fed9c3ec530 "composite_trigger"
>> s4_tevent: Destroying timer event 0x7fed9c2f6310 "composite_trigger"
>> Mapped to DCERPC endpoint \pipe\lsarpc
>> added interface docker0 ip=172.17.42.1 bcast=172.17.255.255
>> netmask=255.255.0.0
>> added interface ens192 ip=192.168.12.27 bcast=192.168.12.255
>> netmask=255.255.255.0
>> added interface docker0 ip=172.17.42.1 bcast=172.17.255.255
>> netmask=255.255.0.0
>> added interface ens192 ip=192.168.12.27 bcast=192.168.12.255
>> netmask=255.255.255.0
>> s4_tevent: Ending timer event 0x7fed9c3ec530 "composite_trigger"
>> s4_tevent: Added timed event "connect_multi_timer": 0x7fed9c4cb560
>> s4_tevent: Schedule immediate event "tevent_req_trigger": 0x7fed9c4cb0b0
>> s4_tevent: Run immediate event "tevent_req_trigger": 0x7fed9c4cb0b0
>> s4_tevent: Destroying timer event 0x7fed9c4cb560 "connect_multi_timer"
>> Socket options:
>>        SO_KEEPALIVE = 0
>>        SO_REUSEADDR = 0
>>        SO_BROADCAST = 0
>>        TCP_NODELAY = 1
>>        TCP_KEEPCNT = 9
>>        TCP_KEEPIDLE = 7200
>>        TCP_KEEPINTVL = 75
>>        IPTOS_LOWDELAY = 0
>>        IPTOS_THROUGHPUT = 0
>>        SO_REUSEPORT = 0
>>        SO_SNDBUF = 663430
>>        SO_RCVBUF = 261942
>>        SO_SNDLOWAT = 1
>>        SO_RCVLOWAT = 1
>>        SO_SNDTIMEO = 0
>>        SO_RCVTIMEO = 0
>>        TCP_QUICKACK = 1
>>        TCP_DEFER_ACCEPT = 0
>> s4_tevent: Added timed event "tevent_req_timedout": 0x7fed9c4caa80
>> s4_tevent: Schedule immediate event "tevent_queue_immediate_trigger":
>> 0x7fed9c4cb560
>> s4_tevent: Run immediate event "tevent_queue_immediate_trigger":
>> 0x7fed9c4cb560
>> s4_tevent: Destroying timer event 0x7fed9c4caa80 "tevent_req_timedout"
>> Starting GENSEC mechanism spnego
>> Starting GENSEC submechanism gssapi_krb5
>> Ticket in credentials cache for @IPDOMAIN will expire in 80256 secs
>> s4_tevent: Added timed event "tevent_req_timedout": 0x7fed9c4d0960
>> s4_tevent: Schedule immediate event "tevent_queue_immediate_trigger":
>> 0x7fed9c4cb560
>> s4_tevent: Run immediate event "tevent_queue_immediate_trigger":
>> 0x7fed9c4cb560
>> s4_tevent: Destroying timer event 0x7fed9c4d0960 "tevent_req_timedout"
>> gensec_gssapi: NO credentials were delegated
>> GSSAPI Connection will be cryptographically sealed
>> s4_tevent: Added timed event "tevent_req_timedout": 0x7fed9c4d0360
>> s4_tevent: Schedule immediate event "tevent_queue_immediate_trigger":
>> 0x7fed9c4cb560
>> s4_tevent: Run immediate event "tevent_queue_immediate_trigger":
>> 0x7fed9c4cb560
>> s4_tevent: Destroying timer event 0x7fed9c4d0360 "tevent_req_timedout"
>> s4_tevent: Added timed event "tevent_req_timedout": 0x7fed9c4cf550
>> s4_tevent: Schedule immediate event "tevent_queue_immediate_trigger":
>> 0x7fed9c4cb560
>> s4_tevent: Run immediate event "tevent_queue_immediate_trigger":
>> 0x7fed9c4cb560
>> s4_tevent: Destroying timer event 0x7fed9c4cf550 "tevent_req_timedout"
>> num_setup=2, max_setup=0, param_total=0, this_param=0, max_param=0,
>> data_total=72, this_data=72, max_data=65535, param_offset=84, param_pad=2,
>> param_disp=0, data_offset=84, data_pad=0, data_disp=0
>> s4_tevent: Added timed event "tevent_req_timedout": 0x7fed9c4d9a30
>> s4_tevent: Schedule immediate event "tevent_queue_immediate_trigger":
>> 0x7fed9c4cb560
>> s4_tevent: Added timed event "dcerpc_timeout_handler": 0x7fed9c4d9df0
>> s4_tevent: Run immediate event "tevent_queue_immediate_trigger":
>> 0x7fed9c4cb560
>> s4_tevent: Schedule immediate event "tevent_req_trigger": 0x7fed9c4d9640
>> s4_tevent: Run immediate event "tevent_req_trigger": 0x7fed9c4d9640
>> s4_tevent: Destroying timer event 0x7fed9c4d9a30 "tevent_req_timedout"
>> s4_tevent: Destroying timer event 0x7fed9c4d9df0 "dcerpc_timeout_handler"
>> s4_tevent: Schedule immediate event "tevent_req_trigger": 0x7fed9c3ec8a0
>> s4_tevent: Run immediate event "tevent_req_trigger": 0x7fed9c3ec8a0
>> s4_tevent: Destroying timer event 0x7fed9c334520
>> "dcerpc_connect_timeout_handler"
>>     lsa_OpenPolicy2: struct lsa_OpenPolicy2
>>        in: struct lsa_OpenPolicy2
>>            system_name              : *
>>                system_name              : ''
>>            attr                     : *
>>                attr: struct lsa_ObjectAttribute
>>                    len                      : 0x00000000 (0)
>>                    root_dir                 : NULL
>>                    object_name              : NULL
>>                    attributes               : 0x00000000 (0)
>>                    sec_desc                 : NULL
>>                    sec_qos                  : *
>>                        sec_qos: struct lsa_QosInfo
>>                            len                      : 0x00000000 (0)
>>                            impersonation_level      : 0x0000 (0)
>>                            context_mode             : 0x00 (0)
>>                            effective_only           : 0x00 (0)
>>            access_mask              : 0x02000000 (33554432)
>>                   0: LSA_POLICY_VIEW_LOCAL_INFORMATION
>>                   0: LSA_POLICY_VIEW_AUDIT_INFORMATION
>>                   0: LSA_POLICY_GET_PRIVATE_INFORMATION
>>                   0: LSA_POLICY_TRUST_ADMIN
>>                   0: LSA_POLICY_CREATE_ACCOUNT
>>                   0: LSA_POLICY_CREATE_SECRET
>>                   0: LSA_POLICY_CREATE_PRIVILEGE
>>                   0: LSA_POLICY_SET_DEFAULT_QUOTA_LIMITS
>>                   0: LSA_POLICY_SET_AUDIT_REQUIREMENTS
>>                   0: LSA_POLICY_AUDIT_LOG_ADMIN
>>                   0: LSA_POLICY_SERVER_ADMIN
>>                   0: LSA_POLICY_LOOKUP_NAMES
>>                   0: LSA_POLICY_NOTIFICATION
>> rpc request data:
>> [0000] 00 00 02 00 01 00 00 00   00 00 00 00 01 00 00 00   ........
>> ........
>> [0010] 00 00 00 00 00 00 00 00   00 00 00 00 00 00 00 00   ........
>> ........
>> [0020] 00 00 00 00 00 00 00 00   04 00 02 00 00 00 00 00   ........
>> ........
>> [0030] 00 00 00 00 00 00 00 02                            ........
>> s4_tevent: Schedule immediate event "dcerpc_io_trigger": 0x7fed9c2f22c0
>> s4_tevent: Added timed event "dcerpc_timeout_handler": 0x7fed9c4d0be0
>> s4_tevent: Run immediate event "dcerpc_io_trigger": 0x7fed9c2f22c0
>> s4_tevent: Schedule immediate event "dcerpc_io_trigger": 0x7fed9c2f22c0
>> num_setup=2, max_setup=0, param_total=0, this_param=0, max_param=0,
>> data_total=80, this_data=80, max_data=4280, param_offset=84, param_pad=2,
>> param_disp=0, data_offset=84, data_pad=0, data_disp=0
>> s4_tevent: Added timed event "tevent_req_timedout": 0x7fed9c4d9d00
>> s4_tevent: Schedule immediate event "tevent_queue_immediate_trigger":
>> 0x7fed9c4cb560
>> s4_tevent: Run immediate event "dcerpc_io_trigger": 0x7fed9c2f22c0
>> s4_tevent: Run immediate event "tevent_queue_immediate_trigger":
>> 0x7fed9c4cb560
>> s4_tevent: Schedule immediate event "tevent_req_trigger": 0x7fed9c4d9910
>> s4_tevent: Run immediate event "tevent_req_trigger": 0x7fed9c4d9910
>> s4_tevent: Destroying timer event 0x7fed9c4d9d00 "tevent_req_timedout"
>> s4_tevent: Destroying timer event 0x7fed9c4d0be0 "dcerpc_timeout_handler"
>> s4_tevent: Schedule immediate event "tevent_req_trigger": 0x7fed9c3ec8a0
>> s4_tevent: Run immediate event "tevent_req_trigger": 0x7fed9c3ec8a0
>>     lsa_OpenPolicy2: struct lsa_OpenPolicy2
>>        out: struct lsa_OpenPolicy2
>>            handle                   : *
>>                handle: struct policy_handle
>>                    handle_type              : 0x00000000 (0)
>>                    uuid                     :
>> 00000014-0000-0000-f054-20348a2a0000
>>            result                   : NT_STATUS_OK
>> rpc reply data:
>> [0000] 00 00 00 00 14 00 00 00   00 00 00 00 F0 54 20 34   ........
>> .....T 4
>> [0010] 8A 2A 00 00 00 00 00 00                            .*......
>>     lsa_QueryInfoPolicy2: struct lsa_QueryInfoPolicy2
>>        in: struct lsa_QueryInfoPolicy2
>>            handle                   : *
>>                handle: struct policy_handle
>>                    handle_type              : 0x00000000 (0)
>>                    uuid                     :
>> 00000014-0000-0000-f054-20348a2a0000
>>            level                    : LSA_POLICY_INFO_DNS (12)
>> rpc request data:
>> [0000] 00 00 00 00 14 00 00 00   00 00 00 00 F0 54 20 34   ........
>> .....T 4
>> [0010] 8A 2A 00 00 0C 00                                 .*....
>> s4_tevent: Schedule immediate event "dcerpc_io_trigger": 0x7fed9c2f22c0
>> s4_tevent: Added timed event "dcerpc_timeout_handler": 0x7fed9c3ec350
>> s4_tevent: Run immediate event "dcerpc_io_trigger": 0x7fed9c2f22c0
>> s4_tevent: Schedule immediate event "dcerpc_io_trigger": 0x7fed9c2f22c0
>> num_setup=2, max_setup=0, param_total=0, this_param=0, max_param=0,
>> data_total=46, this_data=46, max_data=4280, param_offset=84, param_pad=2,
>> param_disp=0, data_offset=84, data_pad=0, data_disp=0
>> s4_tevent: Added timed event "tevent_req_timedout": 0x7fed9c4d9ec0
>> s4_tevent: Schedule immediate event "tevent_queue_immediate_trigger":
>> 0x7fed9c4cb560
>> s4_tevent: Run immediate event "dcerpc_io_trigger": 0x7fed9c2f22c0
>> s4_tevent: Run immediate event "tevent_queue_immediate_trigger":
>> 0x7fed9c4cb560
>> s4_tevent: Schedule immediate event "tevent_req_trigger": 0x7fed9c4d9af0
>> s4_tevent: Run immediate event "tevent_req_trigger": 0x7fed9c4d9af0
>> s4_tevent: Destroying timer event 0x7fed9c4d9ec0 "tevent_req_timedout"
>> s4_tevent: Destroying timer event 0x7fed9c3ec350 "dcerpc_timeout_handler"
>> s4_tevent: Schedule immediate event "tevent_req_trigger": 0x7fed9c4d0ad0
>> s4_tevent: Run immediate event "tevent_req_trigger": 0x7fed9c4d0ad0
>>     lsa_QueryInfoPolicy2: struct lsa_QueryInfoPolicy2
>>        out: struct lsa_QueryInfoPolicy2
>>            info                     : *
>>                info                     : *
>>                    info                     : union
>> lsa_PolicyInformation(case 12)
>>                    dns: struct lsa_DnsDomainInfo
>>                        name: struct lsa_StringLarge
>>                            length                   : 0x0010 (16)
>>                            size                     : 0x0012 (18)
>>                            string                   : *
>>                                string                   : 'IPDOMAIN'
>>                        dns_domain: struct lsa_StringLarge
>>                            length                   : 0x0018 (24)
>>                            size                     : 0x001a (26)
>>                            string                   : *
>>                                string                   : 'IPDOMAIN.com'
>>                        dns_forest: struct lsa_StringLarge
>>                            length                   : 0x0018 (24)
>>                            size                     : 0x001a (26)
>>                            string                   : *
>>                                string                   : 'IPDOMAIN.com'
>>                        domain_guid              :
>> 00000015-e851-c207-0dd0-a20419e2e2c7
>>                        sid                      : *
>>                            sid                      :
>> S-1-5-21-3255298129-77778957-3353535001
>>            result                   : NT_STATUS_OK
>> rpc reply data:
>> [0000] 00 00 02 00 0C 00 00 00   10 00 12 00 04 00 02 00   ........
>> ........
>> [0010] 18 00 1A 00 08 00 02 00   18 00 1A 00 0C 00 02 00   ........
>> ........
>> [0020] 15 00 00 00 51 E8 07 C2   0D D0 A2 04 19 E2 E2 C7   ....Q...
>> ........
>> [0030] 10 00 02 00 09 00 00 00   00 00 00 00 08 00 00 00   ........
>> ........
>> [0040] 42 00 49 00 4C 00 59 00   4F 00 4E 00 45 00 52 00   B.I.L.Y.
>> O.N.E.R.
>> [0050] 0D 00 00 00 00 00 00 00   0C 00 00 00 62 00 69 00   ........
>> ....b.i.
>> [0060] 6C 00 79 00 6F 00 6E 00   65 00 72 00 2E 00 63 00   l.y.o.n.
>> e.r...c.
>> [0070] 6F 00 6D 00 0D 00 00 00   00 00 00 00 0C 00 00 00   o.m.....
>> ........
>> [0080] 62 00 69 00 6C 00 79 00   6F 00 6E 00 65 00 72 00   b.i.l.y.
>> o.n.e.r.
>> [0090] 2E 00 63 00 6F 00 6D 00   04 00 00 00 01 04 00 00   ..c.o.m.
>> ........
>> [00A0] 00 00 00 05 15 00 00 00   51 E8 07 C2 0D D0 A2 04   ........
>> Q.......
>> [00B0] 19 E2 E2 C7 00 00 00 00                            ........
>>     lsa_QueryInfoPolicy2: struct lsa_QueryInfoPolicy2
>>        in: struct lsa_QueryInfoPolicy2
>>            handle                   : *
>>                handle: struct policy_handle
>>                    handle_type              : 0x00000000 (0)
>>                    uuid                     :
>> 00000014-0000-0000-f054-20348a2a0000
>>            level                    : LSA_POLICY_INFO_ROLE (6)
>> rpc request data:
>> [0000] 00 00 00 00 14 00 00 00   00 00 00 00 F0 54 20 34   ........
>> .....T 4
>> [0010] 8A 2A 00 00 06 00                                 .*....
>> s4_tevent: Schedule immediate event "dcerpc_io_trigger": 0x7fed9c2f22c0
>> s4_tevent: Added timed event "dcerpc_timeout_handler": 0x7fed9c4d0f90
>> s4_tevent: Run immediate event "dcerpc_io_trigger": 0x7fed9c2f22c0
>> s4_tevent: Schedule immediate event "dcerpc_io_trigger": 0x7fed9c2f22c0
>> num_setup=2, max_setup=0, param_total=0, this_param=0, max_param=0,
>> data_total=46, this_data=46, max_data=4280, param_offset=84, param_pad=2,
>> param_disp=0, data_offset=84, data_pad=0, data_disp=0
>> s4_tevent: Added timed event "tevent_req_timedout": 0x7fed9c4da450
>> s4_tevent: Schedule immediate event "tevent_queue_immediate_trigger":
>> 0x7fed9c4cb560
>> s4_tevent: Run immediate event "dcerpc_io_trigger": 0x7fed9c2f22c0
>> s4_tevent: Run immediate event "tevent_queue_immediate_trigger":
>> 0x7fed9c4cb560
>> s4_tevent: Schedule immediate event "tevent_req_trigger": 0x7fed9c4d9fe0
>> s4_tevent: Run immediate event "tevent_req_trigger": 0x7fed9c4d9fe0
>> s4_tevent: Destroying timer event 0x7fed9c4da450 "tevent_req_timedout"
>> s4_tevent: Destroying timer event 0x7fed9c4d0f90 "dcerpc_timeout_handler"
>> s4_tevent: Schedule immediate event "tevent_req_trigger": 0x7fed9c3ec3e0
>> s4_tevent: Run immediate event "tevent_req_trigger": 0x7fed9c3ec3e0
>>     lsa_QueryInfoPolicy2: struct lsa_QueryInfoPolicy2
>>        out: struct lsa_QueryInfoPolicy2
>>            info                     : *
>>                info                     : *
>>                    info                     : union
>> lsa_PolicyInformation(case 6)
>>                    role: struct lsa_ServerRole
>>                        role                     : LSA_ROLE_PRIMARY (3)
>>            result                   : NT_STATUS_OK
>> rpc reply data:
>> [0000] 00 00 02 00 06 00 00 00   03 00 00 00 00 00 00 00   ........
>> ........
>> lpcfg_load: refreshing parameters from /usr/share/ipa/smb.conf.empty
>> params.c:pm_process() - Processing configuration file
>> "/usr/share/ipa/smb.conf.empty"
>> Processing section "[global]"
>> INFO: Current debug levels:
>>  all: 100
>>  tdb: 100
>>  printdrivers: 100
>>  lanman: 100
>>  smb: 100
>>  rpc_parse: 100
>>  rpc_srv: 100
>>  rpc_cli: 100
>>  passdb: 100
>>  sam: 100
>>  auth: 100
>>  winbind: 100
>>  vfs: 100
>>  idmap: 100
>>  quota: 100
>>  acls: 100
>>  locking: 100
>>  msdfs: 100
>>  dmapi: 100
>>  registry: 100
>>  scavenger: 100
>>  dns: 100
>>  ldb: 100
>> pm_process() returned Yes
>> added interface docker0 ip=172.17.42.1 bcast=172.17.255.255
>> netmask=255.255.0.0
>> added interface ens192 ip=192.168.12.27 bcast=192.168.12.255
>> netmask=255.255.255.0
>> added interface docker0 ip=172.17.42.1 bcast=172.17.255.255
>> netmask=255.255.0.0
>> added interface ens192 ip=192.168.12.27 bcast=192.168.12.255
>> netmask=255.255.255.0
>> added interface docker0 ip=172.17.42.1 bcast=172.17.255.255
>> netmask=255.255.0.0
>> added interface ens192 ip=192.168.12.27 bcast=192.168.12.255
>> netmask=255.255.255.0
>> added interface docker0 ip=172.17.42.1 bcast=172.17.255.255
>> netmask=255.255.0.0
>> added interface ens192 ip=192.168.12.27 bcast=192.168.12.255
>> netmask=255.255.255.0
>> finddcs: searching for a DC by DNS domain addomain.com
>> finddcs: looking for SRV records for _ldap._tcp.addomain.com
>> ads_dns_lookup_srv: 3 records returned in the answer section.
>> ads_dns_parse_rr_srv: Parsed ad.addomain.com [0, 100, 389]
>> ads_dns_parse_rr_srv: Parsed kratos.addomain.com [0, 100, 389]
>> ads_dns_parse_rr_srv: Parsed beatrice.addomain.com [0, 100, 389]
>> Addrs = 192.168.12.236 at 389/ad,172.16.50.70 at 389/kratos,192.168.12.239 at 389
>> /beatrice
>> finddcs: DNS SRV response 0 at '192.168.12.236'
>> finddcs: DNS SRV response 1 at '172.16.50.70'
>> finddcs: DNS SRV response 2 at '192.168.12.239'
>> finddcs: performing CLDAP query on 192.168.12.236
>> s4_tevent: Added timed event "tevent_req_timedout": 0x7fed9c4d6230
>> s4_tevent: Schedule immediate event "tevent_req_trigger": 0x7fed9c4d66e0
>> s4_tevent: Run immediate event "tevent_req_trigger": 0x7fed9c4d66e0
>> s4_tevent: Added timed event "tevent_req_timedout": 0x7fed9c4d69b0
>> s4_tevent: Destroying timer event 0x7fed9c4d69b0 "tevent_req_timedout"
>> s4_tevent: Destroying timer event 0x7fed9c4d6230 "tevent_req_timedout"
>>     &response->data.nt5_ex: struct NETLOGON_SAM_LOGON_RESPONSE_EX
>>        command                  : LOGON_SAM_LOGON_RESPONSE_EX (23)
>>        sbz                      : 0x0000 (0)
>>        server_type              : 0x000031fd (12797)
>>               1: NBT_SERVER_PDC
>>               1: NBT_SERVER_GC
>>               1: NBT_SERVER_LDAP
>>               1: NBT_SERVER_DS
>>               1: NBT_SERVER_KDC
>>               1: NBT_SERVER_TIMESERV
>>               1: NBT_SERVER_CLOSEST
>>               1: NBT_SERVER_WRITABLE
>>               0: NBT_SERVER_GOOD_TIMESERV
>>               0: NBT_SERVER_NDNC
>>               0: NBT_SERVER_SELECT_SECRET_DOMAIN_6
>>               1: NBT_SERVER_FULL_SECRET_DOMAIN_6
>>               1: NBT_SERVER_ADS_WEB_SERVICE
>>               0: NBT_SERVER_HAS_DNS_NAME
>>               0: NBT_SERVER_IS_DEFAULT_NC
>>               0: NBT_SERVER_FOREST_ROOT
>>        domain_uuid              : 6aac190b-04eb-464f-bdcc-b07e27e2d1e5
>>        forest                   : 'addomain.com'
>>        dns_domain               : 'addomain.com'
>>        pdc_dns_name             : 'ad.addomain.com'
>>        domain_name              : 'LIBERO'
>>        pdc_name                 : 'ad'
>>        user_name                : ''
>>        server_site              : 'Default-First-Site-Name'
>>        client_site              : 'Default-First-Site-Name'
>>        sockaddr_size            : 0x00 (0)
>>        sockaddr: struct nbt_sockaddr
>>            sockaddr_family          : 0x00000000 (0)
>>            pdc_ip                   : (null)
>>            remaining                : DATA_BLOB length=0
>>        next_closest_site        : NULL
>>        nt_version               : 0x00000005 (5)
>>               1: NETLOGON_NT_VERSION_1
>>               0: NETLOGON_NT_VERSION_5
>>               1: NETLOGON_NT_VERSION_5EX
>>               0: NETLOGON_NT_VERSION_5EX_WITH_IP
>>               0: NETLOGON_NT_VERSION_WITH_CLOSEST_SITE
>>               0: NETLOGON_NT_VERSION_AVOID_NT4EMUL
>>               0: NETLOGON_NT_VERSION_PDC
>>               0: NETLOGON_NT_VERSION_IP
>>               0: NETLOGON_NT_VERSION_LOCAL
>>               0: NETLOGON_NT_VERSION_GC
>>        lmnt_token               : 0xffff (65535)
>>        lm20_token               : 0xffff (65535)
>> finddcs: Found matching DC 192.168.12.236 with server_type=0x000031fd
>> Using binding ncacn_np:ad.addomain.com[,]
>> s4_tevent: Added timed event "dcerpc_connect_timeout_handler":
>> 0x7fed9c4d4b90
>> s4_tevent: Added timed event "composite_trigger": 0x7fed9c4d5180
>> s4_tevent: Added timed event "composite_trigger": 0x7fed9c4d54b0
>> s4_tevent: Running timer event 0x7fed9c4d5180 "composite_trigger"
>> s4_tevent: Destroying timer event 0x7fed9c4d54b0 "composite_trigger"
>> Mapped to DCERPC endpoint \pipe\lsarpc
>> added interface docker0 ip=172.17.42.1 bcast=172.17.255.255
>> netmask=255.255.0.0
>> added interface ens192 ip=192.168.12.27 bcast=192.168.12.255
>> netmask=255.255.255.0
>> added interface docker0 ip=172.17.42.1 bcast=172.17.255.255
>> netmask=255.255.0.0
>> added interface ens192 ip=192.168.12.27 bcast=192.168.12.255
>> netmask=255.255.255.0
>> s4_tevent: Ending timer event 0x7fed9c4d5180 "composite_trigger"
>> s4_tevent: Added timed event "connect_multi_timer": 0x7fed9c4d8b90
>> s4_tevent: Schedule immediate event "tevent_req_trigger": 0x7fed9c4d5180
>> s4_tevent: Run immediate event "tevent_req_trigger": 0x7fed9c4d5180
>> s4_tevent: Destroying timer event 0x7fed9c4d8b90 "connect_multi_timer"
>> Socket options:
>>        SO_KEEPALIVE = 0
>>        SO_REUSEADDR = 0
>>        SO_BROADCAST = 0
>>        TCP_NODELAY = 1
>>        TCP_KEEPCNT = 9
>>        TCP_KEEPIDLE = 7200
>>        TCP_KEEPINTVL = 75
>>        IPTOS_LOWDELAY = 0
>>        IPTOS_THROUGHPUT = 0
>>        SO_REUSEPORT = 0
>>        SO_SNDBUF = 23080
>>        SO_RCVBUF = 87380
>>        SO_SNDLOWAT = 1
>>        SO_RCVLOWAT = 1
>>        SO_SNDTIMEO = 0
>>        SO_RCVTIMEO = 0
>>        TCP_QUICKACK = 1
>>        TCP_DEFER_ACCEPT = 0
>> s4_tevent: Added timed event "tevent_req_timedout": 0x7fed9c4dbfe0
>> s4_tevent: Schedule immediate event "tevent_queue_immediate_trigger":
>> 0x7fed9c4d8b90
>> s4_tevent: Run immediate event "tevent_queue_immediate_trigger":
>> 0x7fed9c4d8b90
>> s4_tevent: Destroying timer event 0x7fed9c4dbfe0 "tevent_req_timedout"
>> Starting GENSEC mechanism spnego
>> Starting GENSEC submechanism gssapi_krb5
>> Ticket in credentials cache for @IPDOMAIN will expire in 86400 secs
>> GSS client Update(krb5)(1) Update failed: Unspecified GSS failure.  Minor
>> code may provide more information: KDC policy rejects request
>>
> This means your trust is not working. How did you establish the trust?
> Show the exact commands.
>
> "KDC policy rejects request" means AD DC was unable to complete trust
> validation. Usually it means it was unable to talk back to IPA master
> which it discovers via SRV records over DNS.
> --
> / Alexander Bokovoy
>


Hi,

When I add the trust, it returns this.

[root at ipa01 ~]# ipa trust-add  --type=ad --admin admin --password
Realm name: addomain.com
Active directory domain administrator's password:
-------------------------------------------
Re-established trust to domain "ADDOMAIN.COM"
-------------------------------------------
  Realm name: ADDOMAIN.COM
  Domain NetBIOS name: ADDOMAIN
  Domain Security Identifier: S-1-5-21-1343024091-2000478354-725345543
  SID blacklist incoming: S-1-0, S-1-1, S-1-2, S-1-3, S-1-5-1, S-1-5-2,
S-1-5-3, S-1-5-4, S-1-5-5, S-1-5-6, S-1-5-7, S-1-5-8, S-1-5-9, S-1-5-10,
S-1-5-11, S-1-5-12, S-1-5-13, S-1-5-14, S-1-5-15,
                          S-1-5-16, S-1-5-17, S-1-5-18, S-1-5-19, S-1-5-20
  SID blacklist outgoing: S-1-0, S-1-1, S-1-2, S-1-3, S-1-5-1, S-1-5-2,
S-1-5-3, S-1-5-4, S-1-5-5, S-1-5-6, S-1-5-7, S-1-5-8, S-1-5-9, S-1-5-10,
S-1-5-11, S-1-5-12, S-1-5-13, S-1-5-14, S-1-5-15,
                          S-1-5-16, S-1-5-17, S-1-5-18, S-1-5-19, S-1-5-20
  Trust direction: Two-way trust
  Trust type: Active Directory domain
  Trust status: Established and verified
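An added triage helper for Samba debug logs like the one quoted above, written for this page and not part of the thread, FreeIPA or Samba: it pulls out the AD DC discovery via SRV, the cached ticket and the final GSS failure, and maps the failure text to the reading Alexander gives in the thread. The `Clock skew too great` entry in the hint table is an assumption added here from the time-sync advice earlier in the thread; the hostnames and addresses in the sample are the ones posted.

```python
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Constructed excerpt in the format of the Samba debug log quoted in the thread
# (hostnames, addresses and the failing line are the ones posted above, unwrapped).
SAMPLE_LOG = """\
finddcs: searching for a DC by DNS domain addomain.com
finddcs: looking for SRV records for _ldap._tcp.addomain.com
ads_dns_lookup_srv: 3 records returned in the answer section.
ads_dns_parse_rr_srv: Parsed ad.addomain.com [0, 100, 389]
ads_dns_parse_rr_srv: Parsed kratos.addomain.com [0, 100, 389]
ads_dns_parse_rr_srv: Parsed beatrice.addomain.com [0, 100, 389]
finddcs: performing CLDAP query on 192.168.12.236
finddcs: Found matching DC 192.168.12.236 with server_type=0x000031fd
Using binding ncacn_np:ad.addomain.com[,]
Starting GENSEC mechanism spnego
Starting GENSEC submechanism gssapi_krb5
Ticket in credentials cache for @IPDOMAIN will expire in 86400 secs
GSS client Update(krb5)(1) Update failed: Unspecified GSS failure.  Minor code may provide more information: KDC policy rejects request
"""

# GSS minor-code text -> reading. The first entry is Alexander Bokovoy's diagnosis from
# the thread; the second is an assumption added here from the time-sync advice above.
HINTS = {
    "KDC policy rejects request":
        "AD DC could not complete trust validation: check that it can discover the "
        "IPA master through the IPA domain's SRV records in DNS",
    "Clock skew too great":
        "clocks on the IPA server and the AD DC differ: verify NTP and the AD time zone",
}

RE_DOMAIN = re.compile(r"finddcs: searching for a DC by DNS domain (\S+)")
RE_SRV = re.compile(r"ads_dns_parse_rr_srv: Parsed (\S+) \[(\d+), (\d+), (\d+)\]")
RE_DC = re.compile(r"finddcs: Found matching DC (\S+) with server_type=")
RE_TICKET = re.compile(r"Ticket in credentials cache for @(\S+) will expire in (\d+) secs")
RE_GSS = re.compile(r"GSS client .*Update failed: (.*)$")

@dataclass
class TrustTrace:
    """What the trust-validation part of the log tells us."""
    ad_domain: Optional[str] = None
    srv_hosts: List[str] = field(default_factory=list)  # DCs returned for _ldap._tcp
    chosen_dc: Optional[str] = None
    ticket_realm: Optional[str] = None
    ticket_ttl: Optional[int] = None
    gss_failure: Optional[str] = None

    def hint(self) -> Optional[str]:
        """Map the GSS failure text to the explanation the thread gives, if any."""
        if self.gss_failure is None:
            return None
        for text, advice in HINTS.items():
            if text in self.gss_failure:
                return advice
        return "unrecognised GSS failure; follow the Debugging_trust section of the howto"

def parse_trust_log(text: str) -> TrustTrace:
    """Walk the log once and keep only the lines the diagnosis turns on."""
    trace = TrustTrace()
    for line in text.splitlines():
        if m := RE_DOMAIN.search(line):
            trace.ad_domain = m.group(1)
        elif m := RE_SRV.search(line):
            trace.srv_hosts.append(m.group(1))
        elif m := RE_DC.search(line):
            trace.chosen_dc = m.group(1)
        elif m := RE_TICKET.search(line):
            trace.ticket_realm, trace.ticket_ttl = m.group(1), int(m.group(2))
        elif m := RE_GSS.search(line):
            trace.gss_failure = m.group(1).strip()
    return trace

def summarise(text: str) -> List[str]:
    """Triage lines a practitioner would want to read first."""
    t = parse_trust_log(text)
    out = [f"AD domain: {t.ad_domain}; DCs from SRV: {', '.join(t.srv_hosts) or 'none'}",
           f"DC chosen: {t.chosen_dc}; ticket for @{t.ticket_realm} valid {t.ticket_ttl}s"]
    if t.gss_failure:
        out += [f"GSS failure: {t.gss_failure}", f"Hint: {t.hint()}"]
    else:
        out.append("No GSS failure: authentication to the AD DC succeeded")
    return out
```

Call `summarise()` on the full log; the patterns assume unwrapped lines, so rejoin the lines the mail client split before feeding it a copy from an archive.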