[Freeipa-users] Centos 7 - ipa-server-3.3.3 AD trust trust-fetch-domains and add external group problem

Martin Kosek mkosek at redhat.com
Fri Feb 27 09:05:46 UTC 2015 

On 02/27/2015 10:01 AM, mete bilgin wrote:
>
> 2015-02-27 10:45 GMT+02:00 Martin Kosek <mkosek at redhat.com
> <mailto:mkosek at redhat.com>>:
>
>     On 02/27/2015 09:39 AM, mete bilgin wrote:
>
>
>
>         2015-02-27 10:33 GMT+02:00 Martin Kosek <mkosek at redhat.com
>         <mailto:mkosek at redhat.com>
>         <mailto:mkosek at redhat.com <mailto:mkosek at redhat.com>>>:
>
>              On 02/27/2015 09:30 AM, mete bilgin wrote:
>
>                  Hello,
>
>                  I'm trying to install ipa-server with trust (Win 2008R2).
>                  trustdomain-find will
>                  work but when i try to trust-fetch-domains "ipa: ERROR: AD domain
>                  controller
>                  complains about communication sequence. It may mean
>         unsynchronized time
>                  on both
>                  sides, for example" return. Force to reinstall adtrust. Have
>         any idea
>                  where is
>                  the problem?
>
>
>              You probably done that, but did you indeed verify that the time on
>         both
>              your IPA server and AD are the same?
>
>         http://www.freeipa.org/page/____Howto/IPAv3_AD_trust_setup#____Date.2Ftime_settings
>         <http://www.freeipa.org/page/__Howto/IPAv3_AD_trust_setup#__Date.2Ftime_settings>
>
>         <http://www.freeipa.org/page/__Howto/IPAv3_AD_trust_setup#__Date.2Ftime_settings
>         <http://www.freeipa.org/page/Howto/IPAv3_AD_trust_setup#Date.2Ftime_settings>>
>
>              Martin
>
>         Yes i did that.
>         [root at ipa01 log]# ntpdate -u
>         27 Feb 10:37:00 ntpdate[11281]: adjust time server 192.168.12.239 offset
>         -0.016979 sec
>
>         By the way,
>         #wbinfo --online-status
>
>         BUILTIN : online
>         ipadomain: online
>         addomain : offline
>
>
>     Right. Did you also check the actual AD? Especially when AD is in a VM, or
>     of if for example it's time zone is wrong, the UTC time may not match.
>
>     Martin
>
> On AD time zone (UTC+02:00) Istanbul and the same time with ipa server.
>

Ok, thanks. It was worth a try. If this is the case, I think you will simply 
need to follow our guide for debugging Trusts and send us the logs:

http://www.freeipa.org/page/Howto/IPAv3_AD_trust_setup#Debugging_trust

Thanks,
Martin

More information about the Freeipa-users mailing list