[Freeipa-users] freeipa cert validation failed, SEC_ERROR_UNTRUSTED_ISSUER

Morgan Marodin morgan at marodin.it
Tue Sep 8 13:45:57 UTC 2015


Hi Alexander, thanks for your support.

These are my open ports after running sssd:
# netstat -nltup | grep smbd
tcp        0      0 0.0.0.0:139             0.0.0.0:*               LISTEN      3149/smbd
tcp        0      0 0.0.0.0:445             0.0.0.0:*               LISTEN      3149/smbd

After running SSSD, the error when doing the trust change is:
# ipa trust-add --type=ad mydomain.com --admin Administrator --password
Active Directory domain administrator's password:
ipa: ERROR: Cannot find specified domain or server name

Logs:
==> /var/log/httpd/error_log <==
[Tue Sep 08 15:14:46.486031 2015] [:error] [pid 2221] ipa: INFO:
[jsonserver_session] admin at IPA.MYDOMAIN.COM: trust_add(u'mydomain.com',
trust_type=u'ad', realm_admin=u'Administrator', realm_passwd=u'********',
realm_server=u'srv01.MYDOMAIN.com', all=False, raw=False,
version=u'2.112'): NotFound

==> /var/log/samba/log.winbindd-idmap <==
[2015/09/08 15:14:46.482578,  1]
../source3/winbindd/idmap.c:202(idmap_init_domain)
  idmap range not specified for domain *
[2015/09/08 15:14:46.483715,  1]
../source3/winbindd/idmap.c:202(idmap_init_domain)
  idmap range not specified for domain *

But DNS seems ok:
------------------------
# dig SRV _ldap._tcp.ipa.mydomain.com @dc01.mydomain.com

; <<>> DiG 9.9.4-RedHat-9.9.4-18.el7_1.5 <<>> SRV _ldap._tcp.ipa.mydomain.com @dc01.mydomain.com
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 47124
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 2

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4000
;; QUESTION SECTION:
;_ldap._tcp.ipa.mydomain.com. IN      SRV

;; ANSWER SECTION:
_ldap._tcp.ipa.mydomain.com. 83913 IN SRV     0 100 389 srv01.ipa.mydomain.com.

;; ADDITIONAL SECTION:
srv01.ipa.mydomain.com. 3600 IN   A       192.168.0.65

;; Query time: 1 msec
;; SERVER: 192.168.0.31#53(192.168.0.31)
;; WHEN: Tue Sep 08 15:39:03 CEST 2015
;; MSG SIZE  rcvd: 122

# dig SRV _ldap._tcp.ipa.mydomain.com @localhost

; <<>> DiG 9.9.4-RedHat-9.9.4-18.el7_1.5 <<>> SRV _ldap._tcp.ipa.mydomain.com @localhost
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 18190
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 2

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;_ldap._tcp.ipa.mydomain.com. IN      SRV

;; ANSWER SECTION:
_ldap._tcp.ipa.mydomain.com. 86400 IN SRV     0 100 389 srv01.ipa.mydomain.com.

;; AUTHORITY SECTION:
ipa.mydomain.com.     86400   IN      NS      srv01.ipa.mydomain.com.

;; ADDITIONAL SECTION:
srv01.ipa.mydomain.com. 86400 IN  A       192.168.0.65

;; Query time: 0 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Tue Sep 08 15:32:50 CEST 2015
;; MSG SIZE  rcvd: 136
------------------------
# dig SRV _ldap._tcp.mydomain.com @dc01.mydomain.com

; <<>> DiG 9.9.4-RedHat-9.9.4-18.el7_1.5 <<>> SRV _ldap._tcp.mydomain.com @dc01.mydomain.com
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 60503
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 3

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4000
;; QUESTION SECTION:
;_ldap._tcp.mydomain.com.     IN      SRV

;; ANSWER SECTION:
_ldap._tcp.mydomain.com. 600  IN      SRV     0 100 389 dc02.mydomain.com.
_ldap._tcp.mydomain.com. 600  IN      SRV     0 100 389 dc01.mydomain.com.

;; ADDITIONAL SECTION:
dc02.mydomain.com. 3600   IN      A       192.168.0.15
dc01.mydomain.com. 3600   IN      A       192.168.0.31

;; Query time: 1 msec
;; SERVER: 192.168.0.31#53(192.168.0.31)
;; WHEN: Tue Sep 08 15:33:27 CEST 2015
;; MSG SIZE  rcvd: 172

# dig SRV _ldap._tcp.mydomain.com @localhost

; <<>> DiG 9.9.4-RedHat-9.9.4-18.el7_1.5 <<>> SRV _ldap._tcp.mydomain.com @localhost
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 36890
;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 13, ADDITIONAL: 4

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;_ldap._tcp.mydomain.com.     IN      SRV

;; ANSWER SECTION:
_ldap._tcp.mydomain.com. 600  IN      SRV     0 100 389 dc02.mydomain.com.
_ldap._tcp.mydomain.com. 600  IN      SRV     0 100 389 dc01.mydomain.com.

;; AUTHORITY SECTION:
.                       78287   IN      NS      c.root-servers.net.
.                       78287   IN      NS      g.root-servers.net.
.                       78287   IN      NS      f.root-servers.net.
.                       78287   IN      NS      e.root-servers.net.
.                       78287   IN      NS      i.root-servers.net.
.                       78287   IN      NS      b.root-servers.net.
.                       78287   IN      NS      d.root-servers.net.
.                       78287   IN      NS      m.root-servers.net.
.                       78287   IN      NS      h.root-servers.net.
.                       78287   IN      NS      a.root-servers.net.
.                       78287   IN      NS      j.root-servers.net.
.                       78287   IN      NS      l.root-servers.net.
.                       78287   IN      NS      k.root-servers.net.

;; ADDITIONAL SECTION:
dc01.mydomain.com. 2702   IN      A       192.168.0.31
dc02.mydomain.com. 2702   IN      A       192.168.0.15
d.root-servers.net.     78287   IN      A       199.7.91.13

;; Query time: 1203 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Tue Sep 08 15:33:12 CEST 2015
;; MSG SIZE  rcvd: 399
------------------------

I've noticed the idmap range error in the logs; could it be a Samba/Winbind problem?

Thanks, Morgan

2015-09-08 15:21 GMT+02:00 Alexander Bokovoy <abokovoy at redhat.com>:

> On Tue, 08 Sep 2015, Morgan Marodin wrote:
>
>> I've solved this error, reading this forum:
>> https://www.redhat.com/archives/freeipa-users/2015-July/msg00247.html
>>
>> But now when I try to trust to my Active Directory I see these errors:
>> --------------------
>> # ipa trust-add --type=ad mydomain.com --admin Administrator --password
>> Active Directory domain administrator's password:
>> ipa: ERROR: CIFS server communication error: code "-1073741258",
>>                  message "The connection was refused" (both may be "None")
>>
>> Here my logs:
>> --------------------
>> ==> /var/log/httpd/error_log <==
>> Failed to connect host 192.168.0.65 on port 135 -
>> NT_STATUS_CONNECTION_REFUSED
>> Failed to connect host 192.168.0.65 (srv01.ipa.mydomain.com) on port 135 - NT_STATUS_CONNECTION_REFUSED.
>> [Tue Sep 08 15:01:50.859313 2015] [:error] [pid 2221] ipa: INFO:
>> [jsonserver_kerb] admin at IPA.MYDOMAIN.COM: trust_add(u'mydomain.com',
>> trust_type=u'ad', realm_admin=u'Administrator', realm_passwd=u'********',
>> all=False, raw=False, version=u'2.112'): RemoteRetrieveError
>>
>> ==> /var/log/samba/log.192.168.0.65 <==
>> [2015/09/08 15:01:50.833128,  1]
>> ../source3/auth/user_krb5.c:164(get_user_from_kerberos_info)
>>  Username IPA\admin is invalid on this system
>>
> This is your problem. Does your system have SSSD actually running?
>
>
> List of ports that smbd should be listening on on IPA master:
> # netstat -nltup|grep smbd
> tcp        0      0 0.0.0.0:135             0.0.0.0:*               LISTEN      12420/smbd
> tcp        0      0 0.0.0.0:139             0.0.0.0:*               LISTEN      12417/smbd
> tcp        0      0 0.0.0.0:445             0.0.0.0:*               LISTEN      12417/smbd
> tcp        0      0 0.0.0.0:1024            0.0.0.0:*               LISTEN      12422/smbd
> tcp6       0      0 :::135                  :::*                    LISTEN      12420/smbd
> tcp6       0      0 :::139                  :::*                    LISTEN      12417/smbd
> tcp6       0      0 :::445                  :::*                    LISTEN      12417/smbd
> tcp6       0      0 :::1024                 :::*                    LISTEN      12422/smbd
>
> --
> / Alexander Bokovoy
>



-- 
Morgan Marodin
email: morgan at marodin.it
mobile: +39.3477829069
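The port comparison Alexander asks for above can be scripted so it is not done by eye. The following is an added example, not code from the thread or from FreeIPA: it reads `netstat -nltup` style text and reports which of the smbd ports from Alexander's listing (135, 139, 445) have no LISTEN socket owned by smbd. Port 1024 in his listing is a dynamically assigned DCE/RPC endpoint and is deliberately not required. The two sample listings are constructed to mirror the ones on this page; against Morgan's listing the script reports 135 missing, which matches the earlier NT_STATUS_CONNECTION_REFUSED on port 135.

```shell
#!/bin/sh
# Added example (not from the thread): check which expected smbd listening
# ports are absent from a netstat -nltup listing on an IPA master.

# Expected set taken from the listing in Alexander's reply (1024 excluded:
# it is a dynamic DCE/RPC endpoint, not a fixed port).
EXPECTED_SMBD_PORTS="135 139 445"

# Read netstat -nltup output on stdin. Print each expected port that has no
# tcp/tcp6 LISTEN socket owned by smbd, one per line. Return 1 if any are
# missing, 0 otherwise.
missing_smbd_ports() {
    # Fields: Proto Recv-Q Send-Q Local-Address Foreign-Address State PID/Prog.
    # The port is the last ':'-separated component of the local address, which
    # also handles tcp6 addresses such as ":::135".
    smbd_listening=$(awk '$1 ~ /^tcp6?$/ && $6 == "LISTEN" && $7 ~ /smbd$/ {
        n = split($4, a, ":"); print a[n] }' | sort -u)
    rc=0
    for p in $EXPECTED_SMBD_PORTS; do
        if ! printf '%s\n' "$smbd_listening" | grep -qx "$p"; then
            echo "$p"
            rc=1
        fi
    done
    return $rc
}

# Convenience wrapper: $1 is the listing text.
check_listing() {
    printf '%s\n' "$1" | missing_smbd_ports
}

# Constructed sample mirroring Morgan's listing (port 135 absent); the sshd
# line shows that non-smbd listeners are ignored.
SAMPLE_PARTIAL='tcp        0      0 0.0.0.0:139             0.0.0.0:*               LISTEN      3149/smbd
tcp        0      0 0.0.0.0:445             0.0.0.0:*               LISTEN      3149/smbd
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      1021/sshd'

# Constructed sample mirroring Alexander's listing (all expected ports present).
SAMPLE_FULL='tcp        0      0 0.0.0.0:135             0.0.0.0:*               LISTEN      12420/smbd
tcp        0      0 0.0.0.0:139             0.0.0.0:*               LISTEN      12417/smbd
tcp        0      0 0.0.0.0:445             0.0.0.0:*               LISTEN      12417/smbd
tcp        0      0 0.0.0.0:1024            0.0.0.0:*               LISTEN      12422/smbd
tcp6       0      0 :::135                  :::*                    LISTEN      12420/smbd'

# Stand-alone demonstration on the partial listing.
if missing=$(check_listing "$SAMPLE_PARTIAL"); then
    echo "all expected smbd ports are listening"
else
    echo "smbd ports not listening:" $missing
fi
```

On a live master, run `netstat -nltup | missing_smbd_ports` as root; a missing 135 means the DCE/RPC endpoint mapper that `ipa trust-add` connects to first is not being served, which is the symptom Morgan hit before Alexander's reply.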