[Freeipa-users] freeipa cert validation failed, SEC_ERROR_UNTRUSTED_ISSUER

Morgan Marodin morgan at marodin.it
Thu Sep 10 06:00:58 UTC 2015


Sorry, I read ipv6.disable=1 in this article
http://www.freeipa.org/page/Active_Directory_trust_setup#Prerequisites, I
misunderstood this prerequisite and went directly to the next chapter;
in my mind I was convinced that IPv6 must be disabled :)

I will try with IPv6 enabled, and then I will tell you if it is ok.

Thanks, Morgan

2015-09-09 18:53 GMT+02:00 Alexander Bokovoy <abokovoy at redhat.com>:

> On Wed, 09 Sep 2015, Morgan Marodin wrote:
>
>> Hi Alexander
>>
>> The IPv6 stack is disabled on my RHEL-like distro, v7 x64, but it is
>> enabled on my Windows 2012.
>> I read in a FreeIPA article to disable IPv6.
>>
> Sorry, but why did you decide to disable the IPv6 stack? The FreeIPA
> article explicitly talks about not disabling IPv6.
>
> Samba and FreeIPA LDAP code require a working IPv6 stack on the machine.
> You can have a system without IPv6 addresses but do not disable the
> infrastructure. All contemporary networking applications are written
> with the idea that you can use IPv6-only functions and work on both IPv4
> and IPv6 at the same time. See ipv6(7) manual page:
>
> ----
> IPv4 connections can be handled with the v6 API by using the
> v4-mapped-on-v6 address type; thus a program needs to support only this
> API type to support both protocols. This is handled transparently by the
> address handling functions in the C library.
>
> IPv4 and IPv6 share the local port space.  When you get an IPv4
> connection or packet to a IPv6 socket, its source address will be mapped
> to v6 and it will be mapped to v6.
> ----
>
>
>
>> I have 2 Domain Controllers with Windows Server 2012 and (at this time) one
>> new FreeIPA server, just installed, on the same network.
>> The AD REALM is MYDOMAIN.COM and the IPA REALM is IPA.MYDOMAIN.COM.
>> I have installed bind in IPA, which contains only the ipa.mydomain.com zone.
>> On the AD servers the mydomain.com zone is configured, with ipa.mydomain.com
>> delegated to the Linux server (192.168.0.65).
>>
>
>
>> Do you have other questions about my setup?
>> Let me know, thanks.
>> Morgan
>>
>>
>> 2015-09-09 16:01 GMT+02:00 Alexander Bokovoy <abokovoy at redhat.com>:
>>
>>> On Wed, 09 Sep 2015, Morgan Marodin wrote:
>>>
>>>> Hi Alexander.
>>>>
>>>> Ok, after enabling debugging I have these logs:
>>>> -------------------------------------------------------------------
>>>> ==> /var/log/httpd/error_log <==
>>>> INFO: Current debug levels:
>>>>  all: 100
>>>>  tdb: 100
>>>>  printdrivers: 100
>>>>  lanman: 100
>>>>  smb: 100
>>>>  rpc_parse: 100
>>>>  rpc_srv: 100
>>>>  rpc_cli: 100
>>>>  passdb: 100
>>>>  sam: 100
>>>>  auth: 100
>>>>  winbind: 100
>>>>  vfs: 100
>>>>  idmap: 100
>>>>  quota: 100
>>>>  acls: 100
>>>>  locking: 100
>>>>  msdfs: 100
>>>>  dmapi: 100
>>>>  registry: 100
>>>>  scavenger: 100
>>>>  dns: 100
>>>>  ldb: 100
>>>> pm_process() returned Yes
>>>> GENSEC backend 'gssapi_spnego' registered
>>>> GENSEC backend 'gssapi_krb5' registered
>>>> GENSEC backend 'gssapi_krb5_sasl' registered
>>>> GENSEC backend 'sasl-DIGEST-MD5' registered
>>>> GENSEC backend 'spnego' registered
>>>> GENSEC backend 'schannel' registered
>>>> GENSEC backend 'sasl-EXTERNAL' registered
>>>> GENSEC backend 'ntlmssp' registered
>>>> Using binding ncacn_np:srv01.ipa.mydomain.com[,]
>>>> s4_tevent: Added timed event "dcerpc_connect_timeout_handler":
>>>> 0x7f8a3c224990
>>>> s4_tevent: Added timed event "composite_trigger": 0x7f8a3c042170
>>>> s4_tevent: Added timed event "composite_trigger": 0x7f8a3c25b4a0
>>>> s4_tevent: Running timer event 0x7f8a3c042170 "composite_trigger"
>>>> s4_tevent: Destroying timer event 0x7f8a3c25b4a0 "composite_trigger"
>>>> Mapped to DCERPC endpoint \pipe\lsarpc
>>>> added interface eth0 ip=192.168.0.65 bcast=192.168.0.255
>>>> netmask=255.255.255.0
>>>> added interface eth0 ip=192.168.0.65 bcast=192.168.0.255
>>>> netmask=255.255.255.0
>>>>
>>> Do you have the IPv6 stack enabled?
>>>
>>>> [2015/09/09 08:45:05.032211, 50, pid=11196, effective(0, 0), real(0, 0)]
>>>> ../lib/util/tevent_debug.c:63(samba_tevent_debug)
>>>>  s3_tevent: Schedule immediate event "tevent_req_trigger":
>>>> 0x7f7118a92cf0
>>>> [2015/09/09 08:45:05.032282, 50, pid=11196, effective(0, 0), real(0,
>>>> 0)]
>>>> ../lib/util/tevent_debug.c:63(samba_tevent_debug)
>>>>  s3_tevent: Run immediate event "tevent_req_trigger": 0x7f7118a92cf0
>>>> [2015/09/09 08:45:05.032353,  4, pid=11196, effective(217400000,
>>>> 217400000), real(217400000, 0)]
>>>> ../source3/smbd/sec_ctx.c:424(pop_sec_ctx)
>>>>  pop_sec_ctx (217400000, 217400000) - sec_ctx_stack_ndx = 0
>>>> [2015/09/09 08:45:05.032421,  2, pid=11196, effective(217400000,
>>>> 217400000), real(217400000, 0), class=rpc_srv]
>>>> ../source3/rpc_server/rpc_ncacn_np.c:630(make_external_rpc_pipe_p)
>>>>  tstream_npa_connect_recv  to /run/samba/ncalrpc/np for pipe lsarpc and
>>>> user IPA\admin failed: No such file or directory
>>>>
>>> I'm particularly worried about this one -- the /run/samba/ncalrpc/np pipe
>>> has to be there.
>>>
>>> Can you explain what is your setup in detail?
>>>
>>> --
>>> / Alexander Bokovoy
>>>
>>>
>>
>>
>> --
>> Morgan Marodin
>> email: morgan at marodin.it
>> mobile: +39.3477829069
>>
>
> --
> / Alexander Bokovoy
>



-- 
Morgan Marodin
email: morgan at marodin.it
mobile: +39.3477829069
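Added example (not part of this thread, and not FreeIPA or Samba code): a Python script illustrating the two points Alexander makes above. First, the dual-stack behaviour quoted from ipv6(7): a single AF_INET6 listening socket accepts a plain IPv4 client and reports it as a v4-mapped address (::ffff:a.b.c.d), which is why Samba and 389-ds only open IPv6 sockets. Second, the failure mode of ipv6.disable=1: socket(AF_INET6) is refused with EAFNOSUPPORT, whereas a host that merely has no IPv6 addresses still passes. It assumes Linux semantics (IPV6_V6ONLY defaults to 0) and a working loopback; the sample addresses in the comments are constructed.

```python
"""Show why Samba/389-ds need the IPv6 *stack* even on an IPv4-only network,
and how a host booted with ipv6.disable=1 looks from userspace.

Added example; not code from FreeIPA, Samba or the mailing-list thread.
Assumes Linux AF_INET6 semantics (IPV6_V6ONLY defaults to 0) and loopback.
"""
import errno
import ipaddress
import socket
import threading


def ipv6_stack_available():
    """True if the kernel hands out AF_INET6 sockets.

    With ipv6.disable=1 on the kernel command line the IPv6 stack is never
    initialised and socket() fails with EAFNOSUPPORT; that is the state
    that breaks Samba/389-ds.  A stack with addresses suppressed via
    net.ipv6.conf.all.disable_ipv6=1 still returns True here.
    """
    try:
        s = socket.socket(socket.AF_INET6, socket.SOCK_STREAM)
    except OSError as e:
        if e.errno == errno.EAFNOSUPPORT:
            return False
        raise
    s.close()
    return True


def classify_peer(addr_text):
    """Classify the peer address an AF_INET6 socket reports.

    ("ipv4-mapped", "a.b.c.d") for ::ffff:a.b.c.d, ("ipv6", canonical)
    otherwise.  Constructed sample: "::ffff:192.168.0.65" is how the IPA
    server from the thread would appear to an IPv6 socket on another host.
    """
    addr = ipaddress.IPv6Address(addr_text)
    if addr.ipv4_mapped is not None:
        return ("ipv4-mapped", str(addr.ipv4_mapped))
    return ("ipv6", str(addr))


def dual_stack_roundtrip(payload=b"ping"):
    """Listen on ONE AF_INET6 socket, connect over plain IPv4, echo bytes.

    Returns (peer address as seen by the server, echoed payload).  The server
    never opens an AF_INET socket, yet the IPv4 client reaches it because the
    kernel presents the client as ::ffff:127.0.0.1 (the ipv6(7) behaviour).
    """
    srv = socket.socket(socket.AF_INET6, socket.SOCK_STREAM)
    srv.setsockopt(socket.IPPROTO_IPV6, socket.IPV6_V6ONLY, 0)  # dual-stack
    srv.settimeout(5)
    srv.bind(("::", 0))
    srv.listen(1)
    port = srv.getsockname()[1]
    result = {}

    def serve():
        conn, peer = srv.accept()
        conn.settimeout(5)
        with conn:
            result["peer"] = peer[0]
            conn.sendall(conn.recv(len(payload)))

    t = threading.Thread(target=serve)
    t.start()
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as cli:
        cli.settimeout(5)
        cli.connect(("127.0.0.1", port))
        cli.sendall(payload)
        echoed = cli.recv(len(payload))
    t.join()
    srv.close()
    return result["peer"], echoed


if __name__ == "__main__":
    if not ipv6_stack_available():
        print("AF_INET6 unavailable (ipv6.disable=1?); Samba/389-ds cannot bind")
    else:
        peer, _ = dual_stack_roundtrip()
        print("IPv4 client seen by the IPv6 socket as", peer, classify_peer(peer))
```

Run it on the IPA server: a host booted with ipv6.disable=1 prints the first message, a host with the stack loaded but no IPv6 addresses configured completes the round trip and reports the client as ::ffff:127.0.0.1, which is the configuration the FreeIPA prerequisites actually ask for.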