[Freeipa-users] Centos 7 - ipa-server-3.3.3 AD trust trust-fetch-domains and add external group problem

Alexander Bokovoy abokovoy at redhat.com
Fri Feb 27 09:53:29 UTC 2015


On Fri, 27 Feb 2015, mete bilgin wrote:
>>> Starting GENSEC mechanism spnego
>>> Starting GENSEC submechanism gssapi_krb5
>>> Ticket in credentials cache for @IPDOMAIN will expire in 86400 secs
>>> GSS client Update(krb5)(1) Update failed: Unspecified GSS failure.  Minor
>>> code may provide more information: KDC policy rejects request
>>>
>> This means your trust is not working. How did you establish the trust?
>> Show exact commands.
>>
>> "KDC policy rejects request" means AD DC was unable to complete trust
>> validation. Usually it means it was unable to talk back to IPA master
>> which it discovers via SRV records over DNS.
>> --
>> / Alexander Bokovoy
>>
>
>
>Hi,
>
>When I add the trust it returns this.
>
>[root at ipa01 ~]# ipa trust-add  --type=ad --admin admin --password
>Realm name: addomain.com
>Active directory domain administrator's password:
>-------------------------------------------
>Re-established trust to domain "ADDOMAIN.COM"
>-------------------------------------------
>  Realm name: ADDOMAIN.COM
>  Domain NetBIOS name: ADDOMAIN
>  Domain Security Identifier: S-1-5-21-1343024091-2000478354-725345543
>  SID blacklist incoming: S-1-0, S-1-1, S-1-2, S-1-3, S-1-5-1, S-1-5-2,
>S-1-5-3, S-1-5-4, S-1-5-5, S-1-5-6, S-1-5-7, S-1-5-8, S-1-5-9, S-1-5-10,
>S-1-5-11, S-1-5-12, S-1-5-13, S-1-5-14, S-1-5-15,
>                          S-1-5-16, S-1-5-17, S-1-5-18, S-1-5-19, S-1-5-20
>  SID blacklist outgoing: S-1-0, S-1-1, S-1-2, S-1-3, S-1-5-1, S-1-5-2,
>S-1-5-3, S-1-5-4, S-1-5-5, S-1-5-6, S-1-5-7, S-1-5-8, S-1-5-9, S-1-5-10,
>S-1-5-11, S-1-5-12, S-1-5-13, S-1-5-14, S-1-5-15,
>                          S-1-5-16, S-1-5-17, S-1-5-18, S-1-5-19, S-1-5-20
>  Trust direction: Two-way trust
>  Trust type: Active Directory domain
>  Trust status: Established and verified
Ok, and did you run that with debug enabled in smb.conf.empty? Can you
give us /var/log/httpd/error_log for this run?

In 4.x we fixed the part that mistakenly reports trust is 'established
and verified' when it actually wasn't, but before that we need to see
the debug logs to know the reason.

There are only two (external) reasons:
1. AD DC was unable to resolve IPA DC via DNS query for SRV records for
Kerberos and LDAP.
2. AD DC was unable to reach IPA DC due to misconfigured firewall.


-- 
/ Alexander Bokovoy
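A diagnostic for the two external causes listed above, as an added example that is not part of the thread: it resolves the Kerberos and LDAP SRV records an AD DC looks up for the IPA domain (against the DNS server the DC actually uses) and attempts a TCP connect to each advertised host:port, so a missing record and a blocked port show up as distinct failures. The domain and DNS server arguments are placeholders; dig, timeout and bash are assumed to be installed on the host running the check.

```shell
#!/bin/bash
# Added example, not from the thread. Resolves the SRV records an AD DC must
# find for the IPA realm and tests TCP reachability of the advertised ports.
# Assumes dig, timeout and bash are installed; domain and DNS server are
# placeholders supplied by the caller.

# SRV names an AD DC queries to locate IPA's KDC and LDAP servers.
srv_names() {
    printf '%s\n' "_kerberos._tcp.$1" "_kerberos._udp.$1" \
        "_ldap._tcp.$1" "_kpasswd._tcp.$1"
}

# Turn `dig +short SRV` lines ("prio weight port target.") into host:port;
# anything that is not a 4-field line with a numeric port is ignored.
parse_srv() {
    awk 'NF == 4 && $3 ~ /^[0-9]+$/ { sub(/\.$/, "", $4); print $4 ":" $3 }'
}

# TCP connect to host:port with a 3 s timeout; exit 0 on success.
tcp_check() {
    timeout 3 bash -c "exec 3<>/dev/tcp/$1/$2" 2>/dev/null
}

# Print one line per SRV target; return 1 if anything is missing or blocked.
check_trust_dns() {
    domain="$1"; server="$2"; rc=0
    for name in $(srv_names "$domain"); do
        recs=$(dig +short @"$server" SRV "$name" | parse_srv)
        if [ -z "$recs" ]; then
            echo "MISSING  $name (no SRV answer from $server)"; rc=1; continue
        fi
        for rec in $recs; do
            host=${rec%:*}; port=${rec#*:}
            case "$name" in
                *._udp.*) echo "RESOLVED $name -> $host:$port (UDP not probed)" ;;
                *) if tcp_check "$host" "$port"; then
                       echo "OK       $name -> $host:$port"
                   else
                       echo "BLOCKED  $name -> $host:$port (no TCP connect; firewall?)"
                       rc=1
                   fi ;;
            esac
        done
    done
    return $rc
}

# Usage: check_trust_dns ipadomain.example 192.0.2.53   (placeholder: DNS server the AD DC uses)
```

Run it against the DNS server the AD DC is configured to use, not the IPA master's own resolver, since that is where the DC's SRV lookups actually go.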

