[Freeipa-users] how can i fix ipa: ERROR: AD DC was unable to reach any IPA domain controller

Ben .T.George bentech4you at gmail.com
Wed Mar 4 06:06:17 UTC 2015


Hi,

I have re-installed IPA with the latest 4.1 version.

I installed the packages using the
https://copr.fedoraproject.org/coprs/mkosek/freeipa/ repos.

# ipa-server-install went successfully without any error, and it says the
same in the log files.

[root@kwtpocpbis01 ~]# kinit admin
Password for admin@SOLIPA.LOCAL:
[root@kwtpocpbis01 ~]# klist
Ticket cache: KEYRING:persistent:0:0
Default principal: admin@SOLIPA.LOCAL

Valid starting       Expires              Service principal
03/04/2015 08:36:55  03/05/2015 08:36:51  krbtgt/SOLIPA.LOCAL@SOLIPA.LOCAL
[root@kwtpocpbis01 ~]# geten
getenforce  getent
[root@kwtpocpbis01 ~]# getent passwd admin
admin:*:4400000:4400000:Administrator:/home/admin:/bin/bash


# ipa-adtrust-install --netbios-name=SOLIPA -a Passw0rd also went
successfully.

DNS is working fine as expected.

[root@kwtpocpbis01 ~]# dig SRV _ldap._tcp.kwttestdc.com

; <<>> DiG 9.9.4-RedHat-9.9.4-20.el7.centos.pkcs11 <<>> SRV _ldap._tcp.kwttestdc.com
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 26944
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 2

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4000
;; QUESTION SECTION:
;_ldap._tcp.kwttestdc.com.      IN      SRV

;; ANSWER SECTION:
_ldap._tcp.kwttestdc.com. 600   IN      SRV     0 100 389 kwttestdc001.kwttestdc.com.

;; ADDITIONAL SECTION:
kwttestdc001.kwttestdc.com. 3600 IN     A       172.16.104.231

;; Query time: 0 msec
;; SERVER: 172.16.104.231#53(172.16.104.231)
;; WHEN: Wed Mar 04 08:41:26 AST 2015
;; MSG SIZE  rcvd: 115

[root@kwtpocpbis01 ~]# dig SRV _ldap._tcp.solipa.local

; <<>> DiG 9.9.4-RedHat-9.9.4-20.el7.centos.pkcs11 <<>> SRV _ldap._tcp.solipa.local
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 6196
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 2

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4000
;; QUESTION SECTION:
;_ldap._tcp.solipa.local.       IN      SRV

;; ANSWER SECTION:
_ldap._tcp.solipa.local. 11944  IN      SRV     0 100 389 kwtpocpbis01.solipa.local.

;; ADDITIONAL SECTION:
kwtpocpbis01.solipa.local. 1200 IN      A       172.16.107.244

;; Query time: 2 msec
;; SERVER: 172.16.104.231#53(172.16.104.231)
;; WHEN: Wed Mar 04 08:41:34 AST 2015
;; MSG SIZE  rcvd: 113

But when I try to trust add AD, I am getting an error:

[root@kwtpocpbis01 ~]# ipa trust-add --type=ad kwttestdc.com --admin adm-ben.george --password
Active Directory domain administrator's password:
ipa: ERROR: AD DC was unable to reach any IPA domain controller. Most likely it is a DNS or firewall issue

I checked the firewall status on both IPA and AD, and it was in the off state.

Below is the error I got in httpd/error_log while trying the AD trust:

[Wed Mar 04 08:50:30.784320 2015] [:error] [pid 6138] ipa: INFO: [jsonserver_session] admin@SOLIPA.LOCAL: trust_add(u'kwttestdc.com', trust_type=u'ad', realm_admin=u'adm-ben.george', realm_passwd=u'********', all=False, raw=False, version=u'2.113'): RemoteRetrieveError

And I have enabled debugging on SM; here I am attaching logs from Samba.

Logs can also be downloaded from here:
https://app.box.com/s/6bx9cgozjyb8h96wx7j6ovvz9w8cp4yl

How can I fix this issue?

Thanks & Regards,
Ben