[Freeipa-users] ipa group-add-member failed

Ben .T.George bentech4you at gmail.com
Tue Mar 3 10:33:37 UTC 2015


Hi,

thanks for the reply.

I was going through the replies and found that you suggested checking the
firewall and DNS.

[root@kwtpocpbis01 ~]# systemctl status firewalld
firewalld.service - firewalld - dynamic firewall daemon
   Loaded: loaded (/usr/lib/systemd/system/firewalld.service; disabled)
   Active: inactive (dead)

[root@kwtpocpbis01 ~]# systemctl status iptables
iptables.service - IPv4 firewall with iptables
   Loaded: loaded (/usr/lib/systemd/system/iptables.service; disabled)
   Active: inactive (dead)

[root@kwtpocpbis01 ~]# sestatus
SELinux status:                 disabled

From Windows (AD), the nslookup output is as below:


C:\Windows\system32>nslookup.exe
Default Server:  kwttestdc001.kwttestdc.com
Address:  172.16.104.231

> set type=srv
> _ldap._tcp.kwttestdc.com
Server:  kwttestdc001.kwttestdc.com
Address:  172.16.104.231

_ldap._tcp.kwttestdc.com        SRV service location:
          priority       = 0
          weight         = 100
          port           = 389
          svr hostname   = kwttestdc001.kwttestdc.com
kwttestdc001.kwttestdc.com      internet address = 172.16.104.231
> _ldap._tcp.solipa.local
Server:  kwttestdc001.kwttestdc.com
Address:  172.16.104.231

Non-authoritative answer:
_ldap._tcp.solipa.local SRV service location:
          priority       = 0
          weight         = 100
          port           = 389
          svr hostname   = kwtpocpbis01.solipa.local

kwtpocpbis01.solipa.local       internet address = 172.16.107.244

This is from the IPA server:

[root@kwtpocpbis01 ~]# dig SRV _ldap._tcp.solipa.local

; <<>> DiG 9.9.4-RedHat-9.9.4-14.el7 <<>> SRV _ldap._tcp.solipa.local
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 65274
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 2

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4000
;; QUESTION SECTION:
;_ldap._tcp.solipa.local.       IN      SRV

;; ANSWER SECTION:
_ldap._tcp.solipa.local. 81125  IN      SRV     0 100 389 kwtpocpbis01.solipa.local.

;; ADDITIONAL SECTION:
kwtpocpbis01.solipa.local. 1101 IN      A       172.16.107.244

;; Query time: 0 msec
;; SERVER: 172.16.104.231#53(172.16.104.231)
;; WHEN: Tue Mar 03 13:28:35 AST 2015
;; MSG SIZE  rcvd: 113

[root@kwtpocpbis01 ~]# dig SRV _ldap._tcp.kwttestdc.com

; <<>> DiG 9.9.4-RedHat-9.9.4-14.el7 <<>> SRV _ldap._tcp.kwttestdc.com
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 43860
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 2

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4000
;; QUESTION SECTION:
;_ldap._tcp.kwttestdc.com.      IN      SRV

;; ANSWER SECTION:
_ldap._tcp.kwttestdc.com. 600   IN      SRV     0 100 389 kwttestdc001.kwttestdc.com.

;; ADDITIONAL SECTION:
kwttestdc001.kwttestdc.com. 3600 IN     A       172.16.104.231

;; Query time: 0 msec
;; SERVER: 172.16.104.231#53(172.16.104.231)
;; WHEN: Tue Mar 03 13:28:43 AST 2015
;; MSG SIZE  rcvd: 115

and there is no replica server either.

Regards,
Ben


On Mon, Mar 2, 2015 at 11:27 PM, Alexander Bokovoy <abokovoy at redhat.com>
wrote:

> On Mon, 02 Mar 2015, Ben .T.George wrote:
>
>> Hi please find below output
>>
>> [root@kwttstfreipa01 ~]# kinit admin
>> Password for admin@SOLIPA.LOCAL:
>>
>> [root@kwttstfreipa01 ~]# id admin
>> uid=756800000(admin) gid=756800000(admins) groups=756800000(admins)
>>
>>
>> [root@kwttstfreipa01 ~]# KRB5_TRACE=/dev/stderr kvno -S cifs kwttestdc001.kwttestdc.com
>> [16898] 1425327238.662939: Convert service cifs (service with host as instance) on host kwttestdc001.kwttestdc.com to principal
>> [16898] 1425327238.663650: Remote host after forward canonicalization: kwttestdc001.kwttestdc.com
>> [16898] 1425327238.663684: Remote host after reverse DNS processing: kwttestdc001.kwttestdc.com
>> [16898] 1425327238.663728: Get host realm for kwttestdc001.kwttestdc.com
>> [16898] 1425327238.663742: Use local host kwttestdc001.kwttestdc.com to get host realm
>> [16898] 1425327238.663749: Look up kwttestdc001.kwttestdc.com in the domain_realm map
>> [16898] 1425327238.663757: Look up .kwttestdc.com in the domain_realm map
>> [16898] 1425327238.663764: Temporary realm is KWTTESTDC.COM
>> [16898] 1425327238.663771: Got realm KWTTESTDC.COM for host kwttestdc001.kwttestdc.com
>> [16898] 1425327238.663792: Got service principal cifs/kwttestdc001.kwttestdc.com@KWTTESTDC.COM
>> [16898] 1425327238.663818: Getting credentials admin@SOLIPA.LOCAL -> cifs/kwttestdc001.kwttestdc.com@KWTTESTDC.COM using ccache KEYRING:persistent:0:0
>> [16898] 1425327238.664257: Retrieving admin@SOLIPA.LOCAL -> cifs/kwttestdc001.kwttestdc.com@KWTTESTDC.COM from KEYRING:persistent:0:0 with result: -1765328243/Matching credential not found
>> [16898] 1425327238.664381: Retrieving admin@SOLIPA.LOCAL -> krbtgt/KWTTESTDC.COM@SOLIPA.LOCAL from KEYRING:persistent:0:0 with result: -1765328243/Matching credential not found
>> [16898] 1425327238.664500: Retrieving admin@SOLIPA.LOCAL -> krbtgt/SOLIPA.LOCAL@SOLIPA.LOCAL from KEYRING:persistent:0:0 with result: 0/Success
>> [16898] 1425327238.664516: Starting with TGT for client realm: admin@SOLIPA.LOCAL -> krbtgt/SOLIPA.LOCAL@SOLIPA.LOCAL
>> [16898] 1425327238.664608: Retrieving admin@SOLIPA.LOCAL -> krbtgt/KWTTESTDC.COM@SOLIPA.LOCAL from KEYRING:persistent:0:0 with result: -1765328243/Matching credential not found
>> [16898] 1425327238.664622: Requesting TGT krbtgt/KWTTESTDC.COM@SOLIPA.LOCAL using TGT krbtgt/SOLIPA.LOCAL@SOLIPA.LOCAL
>> [16898] 1425327238.664690: Generated subkey for TGS request: aes256-cts/F74E
>> [16898] 1425327238.664818: etypes requested in TGS request: aes256-cts, aes128-cts, des3-cbc-sha1, rc4-hmac, camellia128-cts, camellia256-cts
>> [16898] 1425327238.665062: Encoding request body and padata into FAST request
>> [16898] 1425327238.665256: Sending request (1486 bytes) to SOLIPA.LOCAL
>> [16898] 1425327238.665597: Initiating TCP connection to stream 172.16.107.250:88
>> [16898] 1425327238.665802: Sending TCP request to stream 172.16.107.250:88
>> [16898] 1425327238.673061: Received answer from stream 172.16.107.250:88
>> [16898] 1425327238.673285: Response was from master KDC
>> [16898] 1425327238.673342: Decoding FAST response
>> [16898] 1425327238.673574: FAST reply key: aes256-cts/9134
>> [16898] 1425327238.673650: TGS reply is for admin@SOLIPA.LOCAL -> krbtgt/KWTTESTDC.COM@SOLIPA.LOCAL with session key aes256-cts/4F6F
>> [16898] 1425327238.673691: TGS request result: 0/Success
>> [16898] 1425327238.673753: Removing admin@SOLIPA.LOCAL -> krbtgt/KWTTESTDC.COM@SOLIPA.LOCAL from KEYRING:persistent:0:0
>> [16898] 1425327238.673768: Storing admin@SOLIPA.LOCAL -> krbtgt/KWTTESTDC.COM@SOLIPA.LOCAL in KEYRING:persistent:0:0
>> [16898] 1425327238.673933: Received TGT for service realm: krbtgt/KWTTESTDC.COM@SOLIPA.LOCAL
>> [16898] 1425327238.673950: Requesting tickets for cifs/kwttestdc001.kwttestdc.com@KWTTESTDC.COM, referrals on
>> [16898] 1425327238.673998: Generated subkey for TGS request: aes256-cts/8623
>> [16898] 1425327238.674084: etypes requested in TGS request: aes256-cts, aes128-cts, des3-cbc-sha1, rc4-hmac, camellia128-cts, camellia256-cts
>> [16898] 1425327238.674238: Encoding request body and padata into FAST request
>> [16898] 1425327238.674395: Sending request (1531 bytes) to KWTTESTDC.COM
>> [16898] 1425327238.676086: Resolving hostname kwttestdc001.kwttestdc.com.
>> [16898] 1425327238.678096: Resolving hostname kwttestdc001.kwttestdc.com.
>> [16898] 1425327238.678907: Initiating TCP connection to stream 172.16.104.231:88
>> [16898] 1425327238.679404: Sending TCP request to stream 172.16.104.231:88
>> [16898] 1425327238.681292: Received answer from stream 172.16.104.231:88
>> [16898] 1425327238.682088: Response was not from master KDC
>> [16898] 1425327238.682142: TGS request result: -1765328372/KDC policy rejects request
>> [16898] 1425327238.682161: Requesting tickets for cifs/kwttestdc001.kwttestdc.com@KWTTESTDC.COM, referrals off
>> [16898] 1425327238.682212: Generated subkey for TGS request: aes256-cts/50DA
>> [16898] 1425327238.682283: etypes requested in TGS request: aes256-cts, aes128-cts, des3-cbc-sha1, rc4-hmac, camellia128-cts, camellia256-cts
>> [16898] 1425327238.682391: Encoding request body and padata into FAST request
>> [16898] 1425327238.682499: Sending request (1531 bytes) to KWTTESTDC.COM
>> [16898] 1425327238.683871: Resolving hostname kwttestdc001.kwttestdc.com.
>> [16898] 1425327238.684756: Resolving hostname kwttestdc001.kwttestdc.com.
>> [16898] 1425327238.685461: Initiating TCP connection to stream 172.16.104.231:88
>> [16898] 1425327238.685864: Sending TCP request to stream 172.16.104.231:88
>> [16898] 1425327238.687136: Received answer from stream 172.16.104.231:88
>> [16898] 1425327238.687793: Response was not from master KDC
>> [16898] 1425327238.687832: TGS request result: -1765328372/KDC policy rejects request
>> kvno: KDC policy rejects request while getting credentials for cifs/kwttestdc001.kwttestdc.com@KWTTESTDC.COM
>>
> Last line tells that trust is not working.
>
> Read discussion in this thread:
> https://www.redhat.com/archives/freeipa-users/2015-February/msg00397.html
> and follow recommendations there, it was just last week here.
> --
> / Alexander Bokovoy
>
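Added example, not part of the thread: the quoted KRB5_TRACE output is read "by eye" above (the last line shows the trust is not working). The script below automates that reading. It walks a KRB5_TRACE log hop by hop, records for each TGS exchange which realm was asked, which KDC was contacted, whether it answered and with what krb5 result, and reports the first failing hop. The sample trace embedded in it is a constructed, condensed version of the shape of the kvno trace quoted above (wrapped lines rejoined, timestamps shortened, the archive's "at" obfuscation restored to "@"); nothing else is assumed about the environment.

```python
"""Walk a KRB5_TRACE log and report, per TGS exchange, which realm was asked,
which KDC answered and with what result, so a cross-realm (trust) failure can
be pinned to the hop where it happened."""
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample: a condensed version of the shape of the kvno trace
# quoted in the thread (wrapped lines rejoined, timestamps shortened).
SAMPLE_TRACE = """\
[16898] 1.664516: Starting with TGT for client realm: admin@SOLIPA.LOCAL -> krbtgt/SOLIPA.LOCAL@SOLIPA.LOCAL
[16898] 1.664622: Requesting TGT krbtgt/KWTTESTDC.COM@SOLIPA.LOCAL using TGT krbtgt/SOLIPA.LOCAL@SOLIPA.LOCAL
[16898] 1.665256: Sending request (1486 bytes) to SOLIPA.LOCAL
[16898] 1.665597: Initiating TCP connection to stream 172.16.107.250:88
[16898] 1.673061: Received answer from stream 172.16.107.250:88
[16898] 1.673285: Response was from master KDC
[16898] 1.673691: TGS request result: 0/Success
[16898] 1.673933: Received TGT for service realm: krbtgt/KWTTESTDC.COM@SOLIPA.LOCAL
[16898] 1.673950: Requesting tickets for cifs/kwttestdc001.kwttestdc.com@KWTTESTDC.COM, referrals on
[16898] 1.674395: Sending request (1531 bytes) to KWTTESTDC.COM
[16898] 1.678907: Initiating TCP connection to stream 172.16.104.231:88
[16898] 1.681292: Received answer from stream 172.16.104.231:88
[16898] 1.682088: Response was not from master KDC
[16898] 1.682142: TGS request result: -1765328372/KDC policy rejects request
[16898] 1.682161: Requesting tickets for cifs/kwttestdc001.kwttestdc.com@KWTTESTDC.COM, referrals off
[16898] 1.682499: Sending request (1531 bytes) to KWTTESTDC.COM
[16898] 1.685461: Initiating TCP connection to stream 172.16.104.231:88
[16898] 1.687136: Received answer from stream 172.16.104.231:88
[16898] 1.687832: TGS request result: -1765328372/KDC policy rejects request
"""

# One trace line is "[pid] timestamp: message"; the patterns match the message.
REQUEST_RE = re.compile(
    r"Requesting (?:TGT (\S+) using TGT \S+|tickets for (\S+), referrals (on|off))")
SEND_RE = re.compile(r"Sending request \(\d+ bytes\) to (\S+)")
CONN_RE = re.compile(r"Initiating TCP connection to stream (\S+)")
RECV_RE = re.compile(r"Received answer from stream (\S+)")
RESULT_RE = re.compile(r"TGS request result: (-?\d+)/(.+)$")


@dataclass
class Hop:
    """One TGS exchange: what was asked for, of whom, and what came back."""
    target: str                        # principal requested (TGT or service)
    referrals: Optional[str] = None    # "on"/"off" for service requests
    realm: Optional[str] = None        # realm the request was sent to
    kdc: Optional[str] = None          # host:port actually contacted
    answered: bool = False             # did the KDC reply at all?
    code: Optional[int] = None         # krb5 result code, 0 on success
    message: Optional[str] = None      # krb5 result text


def parse_hops(trace: str) -> List[Hop]:
    """Group trace lines into Hop records, one per 'Requesting ...' line."""
    hops: List[Hop] = []
    cur: Optional[Hop] = None
    for line in trace.splitlines():
        msg = line.split(": ", 1)[1] if ": " in line else line
        m = REQUEST_RE.search(msg)
        if m:
            cur = Hop(target=m.group(1) or m.group(2), referrals=m.group(3))
            hops.append(cur)
            continue
        if cur is None:
            continue
        if (m := SEND_RE.search(msg)):
            cur.realm = m.group(1)
        elif (m := CONN_RE.search(msg)):
            cur.kdc = m.group(1)
        elif RECV_RE.search(msg):
            cur.answered = True
        elif (m := RESULT_RE.search(msg)):
            cur.code, cur.message = int(m.group(1)), m.group(2).strip()
    return hops


def first_failure(hops: List[Hop]) -> Optional[Hop]:
    """First hop whose result is a non-zero krb5 code."""
    for h in hops:
        if h.code not in (None, 0):
            return h
    return None


def summarize(trace: str) -> str:
    """Verdict: where along the cross-realm chain the request failed."""
    hops = parse_hops(trace)
    bad = first_failure(hops)
    if bad is None:
        return "all %d TGS exchanges succeeded" % len(hops)
    issued = [h.target for h in hops if h.code == 0 and h.target.startswith("krbtgt/")]
    where = bad.realm or "unknown realm"
    if bad.kdc:
        where += " at %s" % bad.kdc
    reached = ("the KDC answered, so DNS, routing and firewall to it are not the problem"
               if bad.answered else "no answer was received from the KDC")
    return ("cross-realm TGT(s) issued: %s; request for %s to %s failed with %d/%s; %s"
            % (", ".join(issued) or "none", bad.target, where, bad.code, bad.message, reached))


if __name__ == "__main__":
    for h in parse_hops(SAMPLE_TRACE):
        print(h)
    print(summarize(SAMPLE_TRACE))
```

On the sample, the local realm hands out the cross-realm TGT without complaint and the AD KDC at 172.16.104.231:88 is reached and itself returns KDC policy rejects request, which is the same conclusion as "trust is not working" and rules out the firewall and SRV-record checks as the cause. Run it on a real trace with KRB5_TRACE=/dev/stderr redirected to a file and passed to parse_hops.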