[Freeipa-users] Centos 7 - ipa-server-3.3.3 AD trust trust-fetch-domains and add external group problem

Alexander Bokovoy abokovoy at redhat.com
Fri Feb 27 12:25:32 UTC 2015


On Fri, 27 Feb 2015, mete bilgin wrote:
>2015-02-27 12:23 GMT+02:00 Alexander Bokovoy <abokovoy at redhat.com>:
>
>> On Fri, 27 Feb 2015, mete bilgin wrote:
>>
>>> [0000] 85 A6 68 FD 0D BF 20 B8                            ..h... .
>>> s4_tevent: Schedule immediate event "tevent_req_trigger": 0x7fed9c4e2a90
>>> s4_tevent: Run immediate event "tevent_req_trigger": 0x7fed9c4e2a90
>>> s4_tevent: Destroying timer event 0x7fed9c0487b0 "tevent_req_timedout"
>>> s4_tevent: Destroying timer event 0x7fed9c044ed0 "dcerpc_timeout_handler"
>>> s4_tevent: Schedule immediate event "tevent_req_trigger": 0x7fed9c4e2760
>>> s4_tevent: Run immediate event "tevent_req_trigger": 0x7fed9c4e2760
>>>     netr_LogonControl2Ex: struct netr_LogonControl2Ex
>>>        out: struct netr_LogonControl2Ex
>>>            query                    : *
>>>                query                    : union
>>> netr_CONTROL_QUERY_INFORMATION(case 2)
>>>                info2                    : *
>>>                    info2: struct netr_NETLOGON_INFO_2
>>>                        flags                    : 0x00000080 (128)
>>>                               0: NETLOGON_REPLICATION_NEEDED
>>>                               0: NETLOGON_REPLICATION_IN_PROGRESS
>>>                               0: NETLOGON_FULL_SYNC_REPLICATION
>>>                               0: NETLOGON_REDO_NEEDED
>>>                               0: NETLOGON_HAS_IP
>>>                               0: NETLOGON_HAS_TIMESERV
>>>                               0: NETLOGON_DNS_UPDATE_FAILURE
>>>                               1: NETLOGON_VERIFY_STATUS_RETURNED
>>>                        pdc_connection_status    : WERR_NO_LOGON_SERVERS
>>>                        trusted_dc_name          : *
>>>                            trusted_dc_name          : ''
>>>                        tc_connection_status     : WERR_NO_LOGON_SERVERS
>>>            result                   : WERR_OK
>>>
>> Here is the result -- AD DC was unable to reach IPA DC. Check your
>> firewall and DNS records.
>>
>> For DNS, make sure you can resolve SRV record _ldap._tcp.IPADOMAIN.COM
>> from AD DC console.
>> http://www.freeipa.org/page/Howto/IPAv3_AD_trust_setup#Verify_DNS_configuration
>>
>> For firewall, see
>> http://www.freeipa.org/page/Howto/IPAv3_AD_trust_setup#Firewall_configuration
>>
>>
>> --
>> / Alexander Bokovoy
>>
>Hi,
>
>I think it gets the entry for the replication server. That's the problem. I removed the
>replica from the DNS server.
Yes, you can temporarily remove the entry for a replica from the SRV
record.

Alternative would be to run ipa-adtrust-install on that replica too.

>
>https://git.fedorahosted.org/cgit/freeipa.git/commit/?id=538e023107ed307142ca7302ff34106c53afa932
>
>
>> _ldap._tcp.ipdomin.com
>Server:  UnKnown
>Address:  ::1
>
>Non-authoritative answer:
>_ldap._tcp.bilyoner.com SRV service location:
>          priority       = 0
>          weight         = 100
>          port           = 389
>          svr hostname   = ipa02.ipadomain.com
>_ldap._tcp.bilyoner.com SRV service location:
>          priority       = 0
>          weight         = 100
>          port           = 389
>          svr hostname   = ipa01.domain.com
>
>ipa02.ipadomain.com      internet address = 172.16.50.97
>ipa01.ipadomain.com      internet address = 192.168.12.27

-- 
/ Alexander Bokovoy
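The check Alexander asks for above (resolve the `_ldap._tcp` SRV record as the AD DC sees it, then confirm that every server it names is actually reachable on the trust ports) can be scripted. The following is an added example, not code from FreeIPA or from either participant in the thread. It parses the two `nslookup` output formats (the Windows per-field layout shown in the thread and the one-line BIND layout on Linux), then probes each SRV target on 445 and 135, the ports Samba opens only on replicas where `ipa-adtrust-install` has been run, plus 389 and 88. A replica listed in the SRV record with 445/135 closed is exactly the situation that produces `WERR_NO_LOGON_SERVERS` in the `netr_LogonControl2Ex` reply quoted above. The port subset is my own reading of the firewall section of the howto and should be checked against that page; the `example.test` host names in the embedded sample are constructed.

```python
"""List the IPA servers an AD DC finds via _ldap._tcp.<domain> and probe each
for the TCP ports an AD trust needs.  Added example, not FreeIPA code.

Assumptions: nslookup output is in the Windows per-field format (as in the
thread) or the Linux/BIND one-line format; the port list is a subset of the
AD-trust firewall ports from the FreeIPA howto, recalled from memory."""
import re
import socket
import subprocess
import sys
from dataclasses import dataclass

# 445 (SMB) and 135 (DCE/RPC endpoint mapper) are served by Samba and are only
# open on replicas where ipa-adtrust-install was run; 389 and 88 are on all.
TRUST_TCP_PORTS = {445: "smb", 135: "epmap", 389: "ldap", 88: "kerberos"}


@dataclass(frozen=True)
class SrvRecord:
    priority: int
    weight: int
    port: int
    target: str


# Windows nslookup: one "key = value" line per field of each record.
_WIN_FIELD = re.compile(r"^\s*(priority|weight|port|svr hostname)\s*=\s*(\S+)", re.I)
# Linux (BIND) nslookup: "_ldap._tcp.x  service = prio weight port target."
_BIND_LINE = re.compile(r"^\S+\s+service\s*=\s*(\d+)\s+(\d+)\s+(\d+)\s+(\S+)")


def _record(prio, weight, port, target):
    return SrvRecord(int(prio), int(weight), int(port), target.rstrip("."))


def parse_nslookup_srv(text):
    """Return SrvRecord objects found in nslookup -type=SRV output."""
    records, fields = [], {}
    for line in text.splitlines():
        m = _BIND_LINE.match(line)
        if m:
            records.append(_record(*m.groups()))
            continue
        m = _WIN_FIELD.match(line)
        if m:
            fields[m.group(1).lower()] = m.group(2)
            if len(fields) == 4:  # all four fields of one record collected
                records.append(_record(fields["priority"], fields["weight"],
                                       fields["port"], fields["svr hostname"]))
                fields = {}
    return records


def tcp_open(host, port, timeout=3.0):
    """True if a TCP connection to host:port succeeds within timeout."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def audit(records, ports=TRUST_TCP_PORTS, probe=tcp_open):
    """Map each SRV target to the list of trust ports that did not answer.
    A target with 445/135 closed is a replica without the trust agent (or a
    firewalled one) and will make the AD DC report WERR_NO_LOGON_SERVERS."""
    return {rec.target: [p for p in ports if not probe(rec.target, p)]
            for rec in records}


# Constructed sample mirroring the Windows nslookup output in the thread.
SAMPLE_WINDOWS = """\
Server:  UnKnown
Address:  ::1

Non-authoritative answer:
_ldap._tcp.example.test SRV service location:
          priority       = 0
          weight         = 100
          port           = 389
          svr hostname   = ipa02.example.test
_ldap._tcp.example.test SRV service location:
          priority       = 0
          weight         = 100
          port           = 389
          svr hostname   = ipa01.example.test
"""


def main(argv):
    if len(argv) != 2:
        print(f"usage: {argv[0]} IPA.DOMAIN   (run on the AD DC)", file=sys.stderr)
        return 2
    out = subprocess.run(["nslookup", "-type=SRV", f"_ldap._tcp.{argv[1]}"],
                         capture_output=True, text=True, check=False).stdout
    records = parse_nslookup_srv(out)
    if not records:
        print("no SRV records returned; fix DNS on the AD DC first", file=sys.stderr)
        return 1
    for target, closed in audit(records).items():
        status = "ok" if not closed else "CLOSED " + " ".join(
            f"{p}/{TRUST_TCP_PORTS[p]}" for p in closed)
        print(f"{target:40} {status}")
    return 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run it from the AD DC with the IPA domain as the only argument; any target reported with 445/135 closed is the replica to either drop from the SRV record or enable with `ipa-adtrust-install`, as suggested in the reply above.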
