[Freeipa-users] Firewalld rules to allow AD Join

McEvoy, James james.mcevoy at hp.com
Fri Mar 20 20:59:44 UTC 2015


Hi FreeIPA Users:

I can only get my new Fedora 21 FreeIPA server to set up a trust with Active Directory if I turn off the firewall on the IPA server. I have looked through all the docs on which ports to open but have had no luck getting the join to work with firewalld running... Can someone tell me what firewalld is blocking on me?

  --jim

These are my open services:

	# firewall-cmd --zone=public --list-all
	public (default)
	  interfaces: 
	  sources: 
	  services: dhcpv6-client dns freeipa-ldap freeipa-ldaps http https kerberos kpasswd ldap ldaps mdns ntp samba ssh
	  ports: 
	  masquerade: no
	  forward-ports: 
	  icmp-blocks: 

[root@ipa ~]# ipa trust-add ENAS.NET --type=ad --admin=Administrator --password
Active Directory domain administrator's password: 
ipa: ERROR: AD DC was unable to reach any IPA domain controller. Most likely it is a DNS or firewall issue

As soon as I turn off the firewall it works:

[root@ipa ~]# systemctl stop firewalld
[root@ipa ~]# ipa trust-add ENAS.NET --type=ad --admin=Administrator --password
Active Directory domain administrator's password: 
-----------------------------------------
Re-established trust to domain "enas.net"
-----------------------------------------
  Realm name: enas.net
  Domain NetBIOS name: ENAS
  Domain Security Identifier: S-1-5-21-1497210546-3194758708-3931123408
  SID blacklist incoming: S-1-5-20, S-1-5-3, S-1-5-2, S-1-5-1, S-1-5-7, S-1-5-6, S-1-5-5, S-1-5-4, S-1-5-9, S-1-5-8,
                          S-1-5-17, S-1-5-16, S-1-5-15, S-1-5-14, S-1-5-13, S-1-5-12, S-1-5-11, S-1-5-10, S-1-3, S-1-2,
                          S-1-1, S-1-0, S-1-5-19, S-1-5-18
  SID blacklist outgoing: S-1-5-20, S-1-5-3, S-1-5-2, S-1-5-1, S-1-5-7, S-1-5-6, S-1-5-5, S-1-5-4, S-1-5-9, S-1-5-8,
                          S-1-5-17, S-1-5-16, S-1-5-15, S-1-5-14, S-1-5-13, S-1-5-12, S-1-5-11, S-1-5-10, S-1-3, S-1-2,
                          S-1-1, S-1-0, S-1-5-19, S-1-5-18
  Trust direction: Two-way trust
  Trust type: Active Directory domain
  Trust status: Established and verified


The only error that I have found is in the Samba logs, where lsasd has the following:

[2015/03/19 18:19:22.792043,  1] ipa_sam.c:1671(search_krb_princ)
  get_trusted_domain_int: no object found with filter 'krbPrincipalName=krbtgt/ENAS.NET@LNX.LAB'.
[2015/03/19 18:19:23.080328,  1] ipa_sam.c:1671(search_krb_princ)
  get_trusted_domain_int: no object found with filter 'krbPrincipalName=krbtgt/LNX.LAB@ENAS.NET'.


and winbindd-idmap has this in it:

[2015/03/20 14:21:14.966125,  1] ../source3/winbindd/idmap.c:202(idmap_init_domain)
  idmap range not specified for domain *
[2015/03/20 14:21:14.968671,  1] ../source3/winbindd/idmap.c:202(idmap_init_domain)
  idmap range not specified for domain *
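The zone above opens the LDAP, Kerberos, DNS, HTTP(S) and Samba services but nothing for the DCE RPC, Global Catalog and the remaining NetBIOS/SMB ports that the AD side uses during trust establishment. The following diagnostic is an added example, not code from the post or from the FreeIPA project: it compares the ports a firewalld zone opens against the port list FreeIPA's AD trust documentation gives (TCP 135, 138, 139, 389, 445, 1024-1300, 3268; UDP 138, 139, 389, 445) and prints the firewall-cmd invocations for whatever is missing. It reads the real service definitions from firewalld's services directory when they are present; the fallback table of service contents is a hand-copied subset and is an assumption that may differ between firewalld versions, and services not in that table (freeipa-ldap, freeipa-ldaps, ...) are treated as opening nothing, so it may over-report on hosts without the definitions installed.

```shell
#!/bin/sh
# Added example: report which ports FreeIPA documents for an AD trust a
# firewalld zone does not open yet, and print the commands to add them.
# The trust port list is taken from FreeIPA's AD trust documentation; the
# fallback service table below is an assumption (subset of firewalld's
# service XML files) and may not match every firewalld version.

FIREWALLD_SERVICES_DIR="${FIREWALLD_SERVICES_DIR:-/usr/lib/firewalld/services}"

# Ports the IPA server must accept from the AD DCs for a trust.
TRUST_PORTS="135/tcp 138/tcp 139/tcp 389/tcp 445/tcp 1024-1300/tcp 3268/tcp 138/udp 139/udp 389/udp 445/udp"

# service_ports NAME: ports a firewalld service opens, as "port/proto" tokens.
# Uses the installed service definition when readable, else a constructed
# table (assumption); unknown services are treated as opening nothing.
service_ports() {
    f="$FIREWALLD_SERVICES_DIR/$1.xml"
    if [ -r "$f" ]; then
        sed -n 's/.*<port protocol="\([a-z]*\)" port="\([0-9-]*\)".*/\2\/\1/p' "$f" | tr '\n' ' '
        return 0
    fi
    case "$1" in
        samba)    echo "137/udp 138/udp 139/tcp 445/tcp" ;;
        ldap)     echo "389/tcp" ;;
        ldaps)    echo "636/tcp" ;;
        kerberos) echo "88/tcp 88/udp" ;;
        dns)      echo "53/tcp 53/udp" ;;
        *)        echo "" ;;
    esac
}

# opened_ports SERVICES PORTS: flatten a zone's service list and explicit
# port list into one space-separated port/proto list.
opened_ports() {
    out=""
    for s in $1; do
        out="$out $(service_ports "$s")"
    done
    echo "$out $2"
}

# missing_trust_ports SERVICES PORTS: trust ports the zone does not open.
missing_trust_ports() {
    opened=" $(opened_ports "$1" "$2") "
    missing=""
    for p in $TRUST_PORTS; do
        case "$opened" in
            *" $p "*) ;;                 # already open via a service or port
            *) missing="$missing $p" ;;
        esac
    done
    echo "${missing# }"
}

# fix_commands SERVICES PORTS: firewall-cmd lines that open the gaps.
fix_commands() {
    for p in $(missing_trust_ports "$1" "$2"); do
        echo "firewall-cmd --permanent --zone=public --add-port=$p"
    done
    echo "firewall-cmd --reload"
}

# Constructed copy of the services and ports the post's public zone lists.
POST_SERVICES="dhcpv6-client dns freeipa-ldap freeipa-ldaps http https kerberos kpasswd ldap ldaps mdns ntp samba ssh"
POST_PORTS=""

fix_commands "$POST_SERVICES" "$POST_PORTS"
```

Run it on the IPA server and paste the printed lines, or pass the zone's own `services:` and `ports:` values on a host without firewalld to see the gap offline. On firewalld versions that ship a `freeipa-trust` service definition, `firewall-cmd --permanent --add-service=freeipa-trust` opens the same set in one step; the script is useful precisely when you want to confirm what that service (or your hand-added ports) actually covers.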