[Freeipa-users] how can i fix ipa: ERROR: AD DC was unable to reach any IPA domain controller
Alexander Bokovoy
abokovoy at redhat.com
Wed Mar 4 07:07:06 UTC 2015
On Wed, 04 Mar 2015, Ben .T.George wrote:
>Hi,
>
>I have re-installed IPA with the latest 4.1 version.
>
>Installed packages using the
>https://copr.fedoraproject.org/coprs/mkosek/freeipa/ repos.
>
># ipa-server-install went successfully without any error, and the log
>files say the same.
>
>[root@kwtpocpbis01 ~]# kinit admin
>Password for admin@SOLIPA.LOCAL:
>[root@kwtpocpbis01 ~]# klist
>Ticket cache: KEYRING:persistent:0:0
>Default principal: admin@SOLIPA.LOCAL
>
>Valid starting       Expires              Service principal
>03/04/2015 08:36:55  03/05/2015 08:36:51  krbtgt/SOLIPA.LOCAL@SOLIPA.LOCAL
>[root@kwtpocpbis01 ~]# geten
>getenforce  getent
>[root@kwtpocpbis01 ~]# getent passwd admin
>admin:*:4400000:4400000:Administrator:/home/admin:/bin/bash
>
>
># ipa-adtrust-install --netbios-name=SOLIPA -a Passw0rd also went
>successfully.
>
>DNS is working fine as expected.
>
>[root@kwtpocpbis01 ~]# dig SRV _ldap._tcp.kwttestdc.com
>
>; <<>> DiG 9.9.4-RedHat-9.9.4-20.el7.centos.pkcs11 <<>> SRV _ldap._tcp.kwttestdc.com
>;; global options: +cmd
>;; Got answer:
>;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 26944
>;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 2
>
>;; OPT PSEUDOSECTION:
>; EDNS: version: 0, flags:; udp: 4000
>;; QUESTION SECTION:
>;_ldap._tcp.kwttestdc.com.     IN      SRV
>
>;; ANSWER SECTION:
>_ldap._tcp.kwttestdc.com. 600  IN      SRV     0 100 389 kwttestdc001.kwttestdc.com.
>
>;; ADDITIONAL SECTION:
>kwttestdc001.kwttestdc.com. 3600 IN    A       172.16.104.231
>
>;; Query time: 0 msec
>;; SERVER: 172.16.104.231#53(172.16.104.231)
>;; WHEN: Wed Mar 04 08:41:26 AST 2015
>;; MSG SIZE  rcvd: 115
>
>[root@kwtpocpbis01 ~]# dig SRV _ldap._tcp.solipa.local
>
>; <<>> DiG 9.9.4-RedHat-9.9.4-20.el7.centos.pkcs11 <<>> SRV _ldap._tcp.solipa.local
>;; global options: +cmd
>;; Got answer:
>;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 6196
>;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 2
>
>;; OPT PSEUDOSECTION:
>; EDNS: version: 0, flags:; udp: 4000
>;; QUESTION SECTION:
>;_ldap._tcp.solipa.local.      IN      SRV
>
>;; ANSWER SECTION:
>_ldap._tcp.solipa.local. 11944 IN      SRV     0 100 389 kwtpocpbis01.solipa.local.
>
>;; ADDITIONAL SECTION:
>kwtpocpbis01.solipa.local. 1200 IN     A       172.16.107.244
>
>;; Query time: 2 msec
>;; SERVER: 172.16.104.231#53(172.16.104.231)
>;; WHEN: Wed Mar 04 08:41:34 AST 2015
>;; MSG SIZE  rcvd: 113
>
>But when I try to add the trust with AD, I get an error:
>
>[root@kwtpocpbis01 ~]# ipa trust-add --type=ad kwttestdc.com --admin adm-ben.george --password
>Active Directory domain administrator's password:
>ipa: ERROR: AD DC was unable to reach any IPA domain controller. Most
>likely it is a DNS or firewall issue
>
>I checked the firewall status on both IPA and AD, and it was off.
You really need to find out what is wrong between AD and IPA. The
message above is based on what the AD DC reports back to IPA when it tried
to validate the trust and was not able to contact the IPA DCs.
We cannot influence this part ourselves, as the AD DC uses SRV records in
DNS to find out which domain controller to contact, and if it fails to
contact us for any reason (firewall, DNS broken from the AD DC's
perspective, routing that brings it to a different IP address, etc.), it will
complain like that and never proceed.
You may try to run tcpdump or wireshark and see what happens on the
network at the time of 'ipa trust-add', specifically, whom the AD DC is
talking to and where it gets the DNS record from.
--
/ Alexander Bokovoy
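The check described in the reply above, as an added example that is not part of the original thread and not FreeIPA project code: ask the resolver the AD DC actually uses (in the quoted dig output that is 172.16.104.231, the AD DC itself) for the SRV records an AD DC looks up when locating a domain controller in the IPA domain, then TCP-probe each advertised target. It resolves `_ldap._tcp`, `_kerberos._tcp` and the `_ldap._tcp.dc._msdcs` name that the Windows DC locator queries. The port list is an assumption based on the ports the FreeIPA trust documentation requires to be open; adjust it to your environment, and remember a TCP probe from a Linux host only approximates what the AD DC sees if that host sits in the same network position. Requires `dig` and `bash` (for `/dev/tcp`).

```shell
#!/usr/bin/env bash
# Added example (not FreeIPA code): verify, from the AD side's resolver,
# the SRV records and TCP ports an AD DC needs to reach an IPA trust
# controller. Usage: ./ipa-trust-reach-check.sh solipa.local 172.16.104.231
set -u

# Assumption: TCP ports an AD DC contacts on the IPA side during trust
# validation (LDAP, SMB, Kerberos, RPC endpoint mapper). Adjust as needed.
PORTS="${PORTS:-389 445 88 135}"

# Parse 'dig +noall +answer' output (stdin or files) into
# "priority weight port target" lines; anything that is not an SRV record
# is ignored and the trailing dot on the target is stripped.
parse_srv_answers() {
    awk '$4 == "SRV" { sub(/\.$/, "", $8); print $5, $6, $7, $8 }' "$@"
}

# Order targets the way a client prefers them (lowest priority first,
# then highest weight) and print "target port".
order_srv_targets() {
    parse_srv_answers "$@" | sort -k1,1n -k2,2nr | awk '{ print $4, $3 }'
}

# TCP connect probe with a 3 s timeout; returns 0 if the port accepts.
probe_tcp() {
    local host=$1 port=$2
    timeout 3 bash -c "exec 3<>/dev/tcp/$host/$port" 2>/dev/null
}

# Resolve one SRV target to an A record via the given resolver and probe
# every port in PORTS; returns 1 if anything is unreachable.
probe_target() {
    local host=$1 resolver=$2 rc=0 addr port
    addr=$(dig @"$resolver" +short A "$host" | grep -E '^[0-9.]+$' | head -n1)
    if [ -z "$addr" ]; then
        echo "  $host: no A record via $resolver"
        return 1
    fi
    for port in $PORTS; do
        if probe_tcp "$addr" "$port"; then
            echo "  $host ($addr) tcp/$port open"
        else
            echo "  $host ($addr) tcp/$port BLOCKED or closed"
            rc=1
        fi
    done
    return $rc
}

# Check the three locator names for one IPA domain against one resolver.
check_domain() {
    local domain=$1 resolver=$2 rc=0 name targets
    for name in "_ldap._tcp.$domain" "_kerberos._tcp.$domain" \
                "_ldap._tcp.dc._msdcs.$domain"; do
        targets=$(dig @"$resolver" +noall +answer SRV "$name" | order_srv_targets)
        if [ -z "$targets" ]; then
            echo "NO SRV RECORD: $name (via $resolver)"
            rc=1
            continue
        fi
        echo "$name (via $resolver):"
        while read -r host port; do
            probe_target "$host" "$resolver" || rc=1
        done <<< "$targets"
    done
    return $rc
}

# Only run the live check when a domain and resolver are given on the
# command line; otherwise the functions are just defined.
if [ "$#" -ge 2 ]; then
    check_domain "$1" "$2"
    exit $?
fi
```

A `NO SRV RECORD` line for `solipa.local` names means the AD DC's resolver cannot see the IPA records at all (the AD-side DNS needs a conditional forwarder or delegation for the IPA domain); a `BLOCKED or closed` line with the record present points at a firewall or routing problem between the two, which is exactly the distinction the error message leaves open.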