[Freeipa-users] how can i fix ipa: ERROR: AD DC was unable to reach any IPA domain controller

Ben .T.George bentech4you at gmail.com
Wed Mar 4 07:01:05 UTC 2015


Hi

When I checked the IPA web panel, I can see my AD under Trusted even
though I got an error while adding it with ipa trust-add.

Also:

[root@kwtpocpbis01 ~]# ipa trustdomain-find "kwttestdc.com"
  Domain name: kwttestdc.com
  Domain NetBIOS name: KWTTESTDC
  Domain Security Identifier: S-1-5-21-3321666283-4099738591-2270060621
  Domain enabled: True
----------------------------
Number of entries returned 1
----------------------------

[root@kwtpocpbis01 ~]# ipa trust-fetch-domains "kwttestdc.com"
ipa: ERROR: AD domain controller complains about communication sequence.
It may mean unsynchronized time on both sides, for example

This is the same story that happened with IPA 3.3 before.

Regards,
Ben





On Wed, Mar 4, 2015 at 9:06 AM, Ben .T.George <bentech4you at gmail.com> wrote:

> Hi
>
> I have re-installed IPA with the latest 4.1 version.
>
> I installed the packages using the
> https://copr.fedoraproject.org/coprs/mkosek/freeipa/ repos.
>
> # ipa-server-install went through without any error, and the log files say
> the same.
>
> [root@kwtpocpbis01 ~]# kinit admin
> Password for admin@SOLIPA.LOCAL:
> [root@kwtpocpbis01 ~]# klist
> Ticket cache: KEYRING:persistent:0:0
> Default principal: admin@SOLIPA.LOCAL
>
> Valid starting       Expires              Service principal
> 03/04/2015 08:36:55  03/05/2015 08:36:51
>  krbtgt/SOLIPA.LOCAL@SOLIPA.LOCAL
> [root@kwtpocpbis01 ~]# geten
> getenforce  getent
> [root@kwtpocpbis01 ~]# getent passwd admin
> admin:*:4400000:4400000:Administrator:/home/admin:/bin/bash
>
>
> # ipa-adtrust-install --netbios-name=SOLIPA -a Passw0rd also went through
> successfully.
>
> DNS is working fine as expected.
>
> [root@kwtpocpbis01 ~]# dig SRV _ldap._tcp.kwttestdc.com
>
> ; <<>> DiG 9.9.4-RedHat-9.9.4-20.el7.centos.pkcs11 <<>> SRV _ldap._tcp.kwttestdc.com
> ;; global options: +cmd
> ;; Got answer:
> ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 26944
> ;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 2
>
> ;; OPT PSEUDOSECTION:
> ; EDNS: version: 0, flags:; udp: 4000
> ;; QUESTION SECTION:
> ;_ldap._tcp.kwttestdc.com.      IN      SRV
>
> ;; ANSWER SECTION:
> _ldap._tcp.kwttestdc.com. 600   IN      SRV     0 100 389 kwttestdc001.kwttestdc.com.
>
> ;; ADDITIONAL SECTION:
> kwttestdc001.kwttestdc.com. 3600 IN     A       172.16.104.231
>
> ;; Query time: 0 msec
> ;; SERVER: 172.16.104.231#53(172.16.104.231)
> ;; WHEN: Wed Mar 04 08:41:26 AST 2015
> ;; MSG SIZE  rcvd: 115
>
> [root@kwtpocpbis01 ~]# dig SRV _ldap._tcp.solipa.local
>
> ; <<>> DiG 9.9.4-RedHat-9.9.4-20.el7.centos.pkcs11 <<>> SRV _ldap._tcp.solipa.local
> ;; global options: +cmd
> ;; Got answer:
> ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 6196
> ;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 2
>
> ;; OPT PSEUDOSECTION:
> ; EDNS: version: 0, flags:; udp: 4000
> ;; QUESTION SECTION:
> ;_ldap._tcp.solipa.local.       IN      SRV
>
> ;; ANSWER SECTION:
> _ldap._tcp.solipa.local. 11944  IN      SRV     0 100 389 kwtpocpbis01.solipa.local.
>
> ;; ADDITIONAL SECTION:
> kwtpocpbis01.solipa.local. 1200 IN      A       172.16.107.244
>
> ;; Query time: 2 msec
> ;; SERVER: 172.16.104.231#53(172.16.104.231)
> ;; WHEN: Wed Mar 04 08:41:34 AST 2015
> ;; MSG SIZE  rcvd: 113
>
> But when I try to trust-add AD, I am getting an error:
>
> [root at kwtpocpbis01 ~]# ipa trust-add --type=ad kwttestdc.com --admin
> adm-ben.george --password
> Active Directory domain administrator's password:
> ipa: ERROR: AD DC was unable to reach any IPA domain controller. Most
> likely it is a DNS or firewall issue
>
> I checked the firewall status on both IPA and AD, and it was in the off
> state.
>
> Below is the error I got in httpd/error_log while trying the AD trust:
>
> [Wed Mar 04 08:50:30.784320 2015] [:error] [pid 6138] ipa: INFO:
> [jsonserver_session] admin@SOLIPA.LOCAL: trust_add(u'kwttestdc.com',
> trust_type=u'ad', realm_admin=u'adm-ben.george',
> realm_passwd=u'********', all=False, raw=False, version=u'2.113'):
> RemoteRetrieveError
>
> I have also enabled debugging on SM; I am attaching the logs from Samba here.
>
> LOGS can be downloaded from here also :
> https://app.box.com/s/6bx9cgozjyb8h96wx7j6ovvz9w8cp4yl
>
> How can I fix this issue?
>
> Thanks & Regards,
> Ben
>
>
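The two errors in this thread point at different things: "AD DC was unable to reach any IPA domain controller" means the AD side could not locate or connect to an IPA DC (DNS from the AD side, or the trust ports), while "complains about communication sequence ... unsynchronized time" is the Kerberos clock-skew case. The script below is an added example, not code from the thread or from FreeIPA, that checks both from the IPA server before retrying ipa trust-add. It assumes dig, nc and ntpdate are installed, that the AD DC answers NTP, and uses the hostnames and addresses quoted in the thread; the TCP port list is the one I recall from the FreeIPA trust documentation and should be checked against the current docs.

```shell
#!/bin/sh
# Added example, not from the thread: pre-flight checks to run on the IPA
# server before `ipa trust-add`, covering the two failures reported here:
# the AD DC cannot resolve or reach an IPA DC, and clock skew between the
# two KDCs (Kerberos rejects anything beyond the 300 s default).
# Names and addresses are the ones quoted in the thread. The TCP port list is
# the one I recall from the FreeIPA trust documentation (the 1024-1300
# dynamic RPC range is not probed); check it against the current docs.

IPA_DOMAIN="solipa.local"
AD_DOMAIN="kwttestdc.com"
AD_DC="kwttestdc001.kwttestdc.com"
AD_DNS="172.16.104.231"
MAX_SKEW=300                     # seconds, Kerberos default clockskew
TRUST_TCP_PORTS="135 139 389 445 3268"

# Print the SRV target hostnames from dig output on stdin. Answer lines look
# like: name ttl IN SRV priority weight port target. Trailing dot stripped.
srv_targets() {
    awk '$1 !~ /^;/ && $3 == "IN" && $4 == "SRV" { sub(/\.$/, "", $8); print $8 }'
}

# Exit 0 if at least one SRV target lies inside the expected domain.
# $1 = expected domain; stdin = dig output
srv_points_into() {
    srv_targets | grep -qi "\.$1\$"
}

# Exit 0 if an NTP offset (seconds, may be negative or fractional) is within
# MAX_SKEW. $1 = offset as printed by `ntpdate -q`.
clock_skew_ok() {
    awk -v o="$1" -v max="$MAX_SKEW" 'BEGIN { if (o < 0) o = -o; exit (o <= max) ? 0 : 1 }'
}

# Exit 0 if a TCP port answers. Needs nc (assumption); network-only.
port_open() {
    nc -z -w 3 "$1" "$2" >/dev/null 2>&1
}

preflight() {
    rc=0
    # 1. The AD side must be able to find an IPA DC through DNS; this is what
    #    "AD DC was unable to reach any IPA domain controller" points at.
    #    Ask the AD DNS server directly, not the local resolver.
    for rec in _ldap._tcp _kerberos._tcp _kerberos._udp; do
        if dig @"$AD_DNS" SRV "$rec.$IPA_DOMAIN" | srv_points_into "$IPA_DOMAIN"; then
            echo "ok   $rec.$IPA_DOMAIN resolves via $AD_DNS"
        else
            echo "FAIL $rec.$IPA_DOMAIN is not served by $AD_DNS (missing conditional forwarder for $IPA_DOMAIN on AD?)"
            rc=1
        fi
    done
    # 2. Ports the trust needs from IPA to the AD DC. The reverse direction
    #    (AD DC to IPA on 88, 389, 445, ...) has to be probed from the AD host.
    for p in $TRUST_TCP_PORTS; do
        if port_open "$AD_DC" "$p"; then
            echo "ok   tcp/$p to $AD_DC"
        else
            echo "FAIL tcp/$p to $AD_DC"
            rc=1
        fi
    done
    # 3. Clock skew against the AD DC (assumption: it serves NTP for its domain).
    #    ntpdate -q prints "server X, stratum N, offset F, delay D"; take F.
    off=$(ntpdate -q "$AD_DC" 2>/dev/null | awk '$5 == "offset" { sub(/,/, "", $6); print $6; exit }')
    if [ -n "$off" ] && clock_skew_ok "$off"; then
        echo "ok   clock offset to $AD_DC is ${off}s"
    else
        echo "FAIL clock offset to $AD_DC is '${off:-unknown}' (sync both sides to NTP, then retry)"
        rc=1
    fi
    return $rc
}

# Run the checks only when invoked with --run, so the file can also be sourced.
if [ "${1:-}" = "--run" ]; then
    preflight
fi
```

Run it as `sh preflight.sh --run` on the IPA server; a FAIL on the SRV lookups means the AD DNS server has no forward zone or conditional forwarder for the IPA domain, which is the usual cause of the first error even when both firewalls are off, and a FAIL on the offset check is the usual cause of the second.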
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://listman.redhat.com/archives/freeipa-users/attachments/20150304/31112143/attachment.htm>


More information about the Freeipa-users mailing list