[Freeipa-users] Centos 7 - ipa-server-3.3.3 AD trust trust-fetch-domains and add external group problem
Alexander Bokovoy
abokovoy at redhat.com
Fri Feb 27 12:25:32 UTC 2015
On Fri, 27 Feb 2015, mete bilgin wrote:
>2015-02-27 12:23 GMT+02:00 Alexander Bokovoy <abokovoy at redhat.com>:
>
>> On Fri, 27 Feb 2015, mete bilgin wrote:
>>
>>> [0000] 85 A6 68 FD 0D BF 20 B8 ..h... .
>>> s4_tevent: Schedule immediate event "tevent_req_trigger": 0x7fed9c4e2a90
>>> s4_tevent: Run immediate event "tevent_req_trigger": 0x7fed9c4e2a90
>>> s4_tevent: Destroying timer event 0x7fed9c0487b0 "tevent_req_timedout"
>>> s4_tevent: Destroying timer event 0x7fed9c044ed0 "dcerpc_timeout_handler"
>>> s4_tevent: Schedule immediate event "tevent_req_trigger": 0x7fed9c4e2760
>>> s4_tevent: Run immediate event "tevent_req_trigger": 0x7fed9c4e2760
>>> netr_LogonControl2Ex: struct netr_LogonControl2Ex
>>> out: struct netr_LogonControl2Ex
>>> query : *
>>> query : union
>>> netr_CONTROL_QUERY_INFORMATION(case 2)
>>> info2 : *
>>> info2: struct netr_NETLOGON_INFO_2
>>> flags : 0x00000080 (128)
>>> 0: NETLOGON_REPLICATION_NEEDED
>>> 0: NETLOGON_REPLICATION_IN_PROGRESS
>>> 0: NETLOGON_FULL_SYNC_REPLICATION
>>> 0: NETLOGON_REDO_NEEDED
>>> 0: NETLOGON_HAS_IP
>>> 0: NETLOGON_HAS_TIMESERV
>>> 0: NETLOGON_DNS_UPDATE_FAILURE
>>> 1: NETLOGON_VERIFY_STATUS_RETURNED
>>> pdc_connection_status : WERR_NO_LOGON_SERVERS
>>> trusted_dc_name : *
>>> trusted_dc_name : ''
>>> tc_connection_status : WERR_NO_LOGON_SERVERS
>>> result : WERR_OK
>>>
>> Here is the result -- AD DC was unable to reach IPA DC. Check your
>> firewall and DNS records.
>>
>> For DNS, make sure you can resolve SRV record _ldap._tcp.IPADOMAIN.COM
>> from AD DC console.
>> http://www.freeipa.org/page/Howto/IPAv3_AD_trust_setup#Verify_DNS_configuration
>>
>> For firewall, see
>> http://www.freeipa.org/page/Howto/IPAv3_AD_trust_setup#Firewall_configuration
>>
>>
>> --
>> / Alexander Bokovoy
>>
>Hi,
>
>I think it gets the entry for the replication server. That's the problem. I remove the
>replica on the DNS server.
Yes, you can temporarily remove the entry for a replica from the SRV
record.
An alternative would be to run ipa-adtrust-install on that replica too.
>
>https://git.fedorahosted.org/cgit/freeipa.git/commit/?id=538e023107ed307142ca7302ff34106c53afa932
>
>
>> _ldap._tcp.ipdomin.com
>Server: UnKnown
>Address: ::1
>
>Non-authoritative answer:
>_ldap._tcp.bilyoner.com SRV service location:
> priority = 0
> weight = 100
> port = 389
> svr hostname = ipa02.ipadomain.com
>_ldap._tcp.bilyoner.com SRV service location:
> priority = 0
> weight = 100
> port = 389
> svr hostname = ipa01.domain.com
>
>ipa02.ipadomain.com internet address = 172.16.50.97
>ipa01.ipadomain.com internet address = 192.168.12.27
--
/ Alexander Bokovoy
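
Added example (not part of the original message and not FreeIPA code): a check of the _ldap._tcp SRV answer discussed above. It parses nslookup output in the layout shown in the thread and flags SRV targets that are missing from an admin-supplied list of servers where ipa-adtrust-install has been run, or that have no address in the same answer. The host names, addresses and the `audit_srv` helper are constructed for this example.

```python
import re

# Constructed sample in the Windows nslookup layout shown in the thread
# (names and addresses are made up for this example).
SAMPLE = """\
_ldap._tcp.ipa.example.com SRV service location:
          priority       = 0
          weight         = 100
          port           = 389
          svr hostname   = ipa02.ipa.example.com
_ldap._tcp.ipa.example.com SRV service location:
          priority       = 0
          weight         = 100
          port           = 389
          svr hostname   = ipa01.ipa.example.com

ipa01.ipa.example.com internet address = 192.0.2.27
"""

SRV_RE = re.compile(r"^\s*svr hostname\s*=\s*(\S+)\s*$", re.M | re.I)
ADDR_RE = re.compile(r"^(\S+)\s+internet address\s*=\s*(\S+)\s*$", re.M | re.I)


def norm(host):
    """DNS names compare case-insensitively; drop any trailing root dot."""
    return host.rstrip(".").lower()


def audit_srv(nslookup_text, adtrust_hosts):
    """Return {srv_target: [problems]} for every SRV target with a problem.

    adtrust_hosts: servers where ipa-adtrust-install has been run
    (supplied by the admin; an assumption of this example).
    """
    trusted = {norm(h) for h in adtrust_hosts}
    resolved = {norm(h) for h, _ in ADDR_RE.findall(nslookup_text)}
    report = {}
    for target in map(norm, SRV_RE.findall(nslookup_text)):
        problems = []
        if target not in trusted:
            problems.append("not set up for AD trust")
        if target not in resolved:
            # Worth a follow-up A/AAAA lookup from the AD DC.
            problems.append("no address record in this answer")
        if problems:
            report[target] = problems
    return report


if __name__ == "__main__":
    for host, problems in audit_srv(SAMPLE, ["ipa01.ipa.example.com"]).items():
        print(f"{host}: {', '.join(problems)}")
```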