[Freeipa-users] Firewalld rules to allow AD Join
McEvoy, James
james.mcevoy at hp.com
Fri Mar 20 20:59:44 UTC 2015
Hi FreeIPA Users:
I can only get my new Fedora 21 FreeIPA server to set up a trust with Active Directory if I turn off the firewall on the IPA server. I have looked through all the docs on which ports to open but have had no luck getting the join to work with firewalld running... Can someone tell me what firewalld is blocking on me?
--jim
These are my open services:
# firewall-cmd --zone=public --list-all
public (default)
interfaces:
sources:
services: dhcpv6-client dns freeipa-ldap freeipa-ldaps http https kerberos kpasswd ldap ldaps mdns ntp samba ssh
ports:
masquerade: no
forward-ports:
icmp-blocks:
[root@ipa ~]# ipa trust-add ENAS.NET --type=ad --admin=Administrator --password
Active Directory domain administrator's password:
ipa: ERROR: AD DC was unable to reach any IPA domain controller. Most likely it is a DNS or firewall issue
As soon as I turn off the firewall it works:
[root@ipa ~]# systemctl stop firewalld
[root@ipa ~]# ipa trust-add ENAS.NET --type=ad --admin=Administrator --password
Active Directory domain administrator's password:
-----------------------------------------
Re-established trust to domain "enas.net"
-----------------------------------------
Realm name: enas.net
Domain NetBIOS name: ENAS
Domain Security Identifier: S-1-5-21-1497210546-3194758708-3931123408
SID blacklist incoming: S-1-5-20, S-1-5-3, S-1-5-2, S-1-5-1, S-1-5-7, S-1-5-6, S-1-5-5, S-1-5-4, S-1-5-9, S-1-5-8,
S-1-5-17, S-1-5-16, S-1-5-15, S-1-5-14, S-1-5-13, S-1-5-12, S-1-5-11, S-1-5-10, S-1-3, S-1-2,
S-1-1, S-1-0, S-1-5-19, S-1-5-18
SID blacklist outgoing: S-1-5-20, S-1-5-3, S-1-5-2, S-1-5-1, S-1-5-7, S-1-5-6, S-1-5-5, S-1-5-4, S-1-5-9, S-1-5-8,
S-1-5-17, S-1-5-16, S-1-5-15, S-1-5-14, S-1-5-13, S-1-5-12, S-1-5-11, S-1-5-10, S-1-3, S-1-2,
S-1-1, S-1-0, S-1-5-19, S-1-5-18
Trust direction: Two-way trust
Trust type: Active Directory domain
Trust status: Established and verified
The only error that I have found is in the Samba logs, where lsasd has the following:
[2015/03/19 18:19:22.792043, 1] ipa_sam.c:1671(search_krb_princ)
get_trusted_domain_int: no object found with filter 'krbPrincipalName=krbtgt/ENAS.NET@LNX.LAB'.
[2015/03/19 18:19:23.080328, 1] ipa_sam.c:1671(search_krb_princ)
get_trusted_domain_int: no object found with filter 'krbPrincipalName=krbtgt/LNX.LAB@ENAS.NET'.
and winbindd-idmap has this in it:
[2015/03/20 14:21:14.966125, 1] ../source3/winbindd/idmap.c:202(idmap_init_domain)
idmap range not specified for domain *
[2015/03/20 14:21:14.968671, 1] ../source3/winbindd/idmap.c:202(idmap_init_domain)
idmap range not specified for domain *
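The firewalld zone in the post opens the IPA, Kerberos, LDAP and Samba services but nothing for the DCE RPC endpoint mapper and its dynamic listener range, which is what the AD domain controller needs to reach when the trust is established. The script below is an added example, not code from the post or from the FreeIPA project: it takes the port list that ipa-adtrust-install prints at the end of its run and turns it into explicit firewall-cmd port rules, and it also checks a pasted "ports:" line from firewall-cmd --list-all for required ports that are still missing. The file name open-trust-ports.sh, the --apply flag and the default zone of "public" are this example's own choices; the port numbers are the ones ipa-adtrust-install lists. Newer firewalld releases ship a freeipa-trust service that bundles the same ports; check firewall-cmd --get-services before adding them by hand.

```shell
#!/bin/sh
# Added example (not from the original post): open the ports that
# ipa-adtrust-install asks for as explicit port rules, and report which
# of them a given firewalld "ports:" line does not yet cover.

# Port list as printed by ipa-adtrust-install ("You must make sure these
# network ports are open"). 1024-1300/tcp is the epmap listener range,
# 3268/tcp is the global catalog, 389/udp is CLDAP.
TRUST_TCP_PORTS="135 138 139 445 1024-1300 3268"
TRUST_UDP_PORTS="138 139 389 445"

# Emit one --add-port argument per required port, TCP first, then UDP.
trust_port_args() {
    for p in $TRUST_TCP_PORTS; do echo "--add-port=$p/tcp"; done
    for p in $TRUST_UDP_PORTS; do echo "--add-port=$p/udp"; done
}

# Given the space-separated value of the "ports:" line from
# `firewall-cmd --zone=<zone> --list-all`, print each required port that is
# not listed. Only explicit port entries are checked; ports that a firewalld
# service definition happens to cover are not resolved here.
missing_trust_ports() {
    open="$1"
    for arg in $(trust_port_args); do
        port="${arg#--add-port=}"
        case " $open " in
            *" $port "*) ;;
            *) echo "$port" ;;
        esac
    done
}

# Print (dry run) or execute the permanent firewall-cmd changes for a zone.
# Assumed invocation: sh open-trust-ports.sh [--apply] [zone]
apply_trust_ports() {
    mode="$1"
    zone="${2:-public}"
    for arg in $(trust_port_args); do
        if [ "$mode" = "--apply" ]; then
            firewall-cmd --permanent --zone="$zone" "$arg"
        else
            echo "firewall-cmd --permanent --zone=$zone $arg"
        fi
    done
    if [ "$mode" = "--apply" ]; then
        firewall-cmd --reload
    else
        echo "firewall-cmd --reload"
    fi
}

# Default run prints the commands; pass --apply to execute them.
if [ "${1:-}" = "--apply" ]; then
    apply_trust_ports --apply "${2:-public}"
else
    apply_trust_ports --dry-run "${1:-public}"
fi
```

With the zone from the post, whose "ports:" line is empty, missing_trust_ports "" lists all ten entries; after the rules are applied and firewalld reloaded, rerun ipa trust-add with firewalld still running and confirm with firewall-cmd --zone=public --list-ports that every entry from trust_port_args appears.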