[Freeipa-users] AD Trust Issues

Matt Wells matt.wells at mosaic451.com
Fri Sep 11 16:36:51 UTC 2015


I've been working on an AD trust with our freeipa servers but have run into
some of the same issues others have had.
It's well documented here; however, I feel I've mitigated these:
https://bugzilla.redhat.com/show_bug.cgi?id=1219832

Freeipa Servers are Fedora 22 / freeipa-server-4.2.0
The Samba version I'm on is well past the patched version. It seems the
patch is in samba-4.2.1-7.fc22 and I'm on samba-4.2.3-0 (assuming the patch
is in this version).

I run
# echo Password123 | ipa trust-add --type=ad ad.example.com --trust-secret
ipa: ERROR: CIFS server configuration does not allow access to \\pipe\lsarpc

I've been using "http://www.freeipa.org/page/Active_Directory_trust_setup"
as a guide.

Our only domains are
- EXAMPLE.COM (web pages only)
--- LX.EXAMPLE.COM ( IPA )
--- AD.EXAMPLE.COM ( Active Directory )

My configuration is on separate domains.  AD.EXAMPLE.COM is for Active
Directory and forwards all DNS to IPA ( LX.EXAMPLE.COM ) and those network
requests then forward to the internet.

Our AD is only to provide GPOs to desktops, everything else is run off IPA.

I've run through the 'ipa-adtrust-install' but to no avail; after running
through that is when I get the CIFS error.

I've made the network guys prove to me the ports are open.  I've actually
seen a permit any any on the network gear, dropped the firewalls on AD and
IPA and moved to permissive mode for testing.  All of this to just check
off the troubleshooting boxes.

NTP is good; everyone is pointed to the internal server and is on UTC.

I'm sure I've forgotten something, thanks to everyone for reading this.
Really appreciate it.

My versions are listed below -
freeipa-admintools-4.2.0-0.fc22.x86_64
freeipa-client-4.2.0-0.fc22.x86_64
freeipa-python-4.2.0-0.fc22.x86_64
freeipa-server-4.2.0-0.fc22.x86_64
freeipa-server-trust-ad-4.2.0-0.fc22.x86_64
samba-4.2.3-0.fc22.x86_64
samba-client-4.2.3-0.fc22.x86_64
samba-client-libs-4.2.3-0.fc22.x86_64
samba-common-4.2.3-0.fc22.noarch
samba-common-libs-4.2.3-0.fc22.x86_64
samba-common-tools-4.2.3-0.fc22.x86_64
samba-dc-4.2.3-0.fc22.x86_64
samba-dc-libs-4.2.3-0.fc22.x86_64
samba-libs-4.2.3-0.fc22.x86_64
samba-python-4.2.3-0.fc22.x86_64
samba-winbind-4.2.3-0.fc22.x86_64
samba-winbind-clients-4.2.3-0.fc22.x86_64
samba-winbind-modules-4.2.3-0.fc22.x86_64



[root at server1 /]# systemctl status smb
● smb.service - Samba SMB Daemon
   Loaded: loaded (/usr/lib/systemd/system/smb.service; disabled; vendor preset: disabled)
   Active: active (running) since Fri 2015-09-11 14:43:50 UTC; 23min ago
 Main PID: 31581 (smbd)
   Status: "smbd: ready to serve connections..."
   CGroup: /system.slice/smb.service
           └─31581 /usr/sbin/smbd

Sep 11 14:49:40 server1.lx.example.com smbd[32207]: GSSAPI client step 1
Sep 11 14:49:40 server1.lx.example.com smbd[32207]: GSSAPI client step 2
Sep 11 14:50:03 server1.lx.example.com smbd[32235]: GSSAPI client step 1
Sep 11 14:50:03 server1.lx.example.com smbd[32235]: GSSAPI client step 1
Sep 11 14:50:03 server1.lx.example.com smbd[32235]: GSSAPI client step 1
Sep 11 14:50:03 server1.lx.example.com smbd[32235]: GSSAPI client step 2
Sep 11 14:54:46 server1.lx.example.com smbd[32276]: GSSAPI client step 1
Sep 11 14:54:46 server1.lx.example.com smbd[32276]: GSSAPI client step 1
Sep 11 14:54:46 server1.lx.example.com smbd[32276]: GSSAPI client step 1
Sep 11 14:54:46 server1.lx.example.com smbd[32276]: GSSAPI client step 2
[root at server1 /]# systemctl status nmb
● nmb.service - Samba NMB Daemon
   Loaded: loaded (/usr/lib/systemd/system/nmb.service; disabled; vendor preset: disabled)
   Active: active (running) since Fri 2015-09-11 14:49:56 UTC; 17min ago
 Main PID: 32220 (nmbd)
   Status: "nmbd: ready to serve connections..."
   CGroup: /system.slice/nmb.service
           └─32220 /usr/sbin/nmbd

Sep 11 14:50:04 server1.lx.example.com nmbd[32220]:
Sep 11 14:50:04 server1.lx.example.com nmbd[32220]:   Samba server LAS01003007 is now a domain master browser for workgroup AXIEXAMPLE on subnet 192.168.1.10
Sep 11 14:50:04 server1.lx.example.com nmbd[32220]:
Sep 11 14:50:04 server1.lx.example.com nmbd[32220]:   *****
Sep 11 14:50:19 server1.lx.example.com nmbd[32220]: [2015/09/11 14:50:19.307616,  0] ../source3/nmbd/nmbd_become_lmb.c:397(become_local_master_stage2)
Sep 11 14:50:19 server1.lx.example.com nmbd[32220]:   *****
Sep 11 14:50:19 server1.lx.example.com nmbd[32220]:
Sep 11 14:50:19 server1.lx.example.com nmbd[32220]:   Samba name server LAS01003007 is now a local master browser for workgroup AXIMOSAIC451 on subnet 10.100.50.37
Sep 11 14:50:19 server1.lx.example.com nmbd[32220]:
Sep 11 14:50:19 server1.lx.example.com nmbd[32220]:   *****
[root at server1 /]# ipactl status
Directory Service: RUNNING
krb5kdc Service: RUNNING
kadmin Service: RUNNING
named Service: RUNNING
ipa_memcached Service: RUNNING
httpd Service: RUNNING
pki-tomcatd Service: RUNNING
smb Service: RUNNING
winbind Service: RUNNING
ipa-otpd Service: RUNNING
ipa-dnskeysyncd Service: RUNNING
ipa: INFO: The ipactl command was successful
[root at server1 ~]# ss -tnl
State      Recv-Q Send-Q Local Address:Port     Peer Address:Port
LISTEN     0      50     *:139                  *:*
LISTEN     0      2      *:749                  *:*
LISTEN     0      100    *:8080                 *:*
LISTEN     0      5      *:464                  *:*
LISTEN     0      128    *:80                   *:*
LISTEN     0      10     192.168.1.10:53        *:*
LISTEN     0      10     127.0.0.1:53           *:*
LISTEN     0      128    *:22                   *:*
LISTEN     0      5      *:88                   *:*
LISTEN     0      128    127.0.0.1:953          *:*
LISTEN     0      100    *:8443                 *:*
LISTEN     0      128    *:443                  *:*
LISTEN     0      50     *:445                  *:*
LISTEN     0      100    *:1024                 *:*
LISTEN     0      5      *:5666                 *:*
LISTEN     0      1      127.0.0.1:8005         *:*
LISTEN     0      50     *:135                  *:*
LISTEN     0      100    127.0.0.1:8009         *:*
LISTEN     0      50     :::139                 :::*
LISTEN     0      2      :::749                 :::*
LISTEN     0      5      :::464                 :::*
LISTEN     0      10     :::53                  :::*
LISTEN     0      128    :::22                  :::*
LISTEN     0      5      :::88                  :::*
LISTEN     0      128    :::636                 :::*
LISTEN     0      50     :::445                 :::*
LISTEN     0      100    :::1024                :::*
LISTEN     0      5      :::5666                :::*
LISTEN     0      128    :::9090                :::*
LISTEN     0      128    :::389                 :::*
LISTEN     0      50     :::135                 :::*
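As an added example (not part of the post above), here is a small check that parses `ss -tnl` output like the listing in the post and reports which TCP ports the IPA side of an AD trust is not exposing; the required-port set is my assumption drawn from the FreeIPA trust setup guide the post links (TCP 88, 135, 139, 389, 445, 464, 636), and UDP ports are out of scope because `ss -tnl` does not show them.

```python
"""Check an `ss -tnl` listing for the TCP ports an IPA/AD trust needs.

Added example, not from the original post. REQUIRED_TCP_PORTS is an
assumption taken from the FreeIPA AD trust setup guide; verify it
against your own deployment (UDP ports are not visible in `ss -tnl`).
"""
import subprocess

# TCP ports the IPA host should expose to the AD domain controllers (assumed)
REQUIRED_TCP_PORTS = {88, 135, 139, 389, 445, 464, 636}

# Constructed sample, condensed from the listing in the post above
SAMPLE_SS_OUTPUT = """\
State      Recv-Q Send-Q Local Address:Port   Peer Address:Port
LISTEN     0      50     *:139                *:*
LISTEN     0      5      *:464                *:*
LISTEN     0      5      *:88                 *:*
LISTEN     0      128    127.0.0.1:953        *:*
LISTEN     0      50     *:445                *:*
LISTEN     0      50     *:135                *:*
LISTEN     0      10     192.168.1.10:53      *:*
LISTEN     0      128    :::636               :::*
LISTEN     0      128    :::389               :::*
"""


def parse_listening(ss_output):
    """Return {(local_addr, port)} for every LISTEN line of `ss -tnl` output."""
    sockets = set()
    for line in ss_output.splitlines():
        fields = line.split()
        if len(fields) < 4 or fields[0] != "LISTEN":
            continue  # header or non-listening line
        addr, _, port = fields[3].rpartition(":")  # ":::636" -> ("::", "636")
        if port.isdigit():
            sockets.add((addr, int(port)))
    return sockets


def is_wildcard(addr):
    """'*' (IPv4 any) and '::' (IPv6 any, normally dual-stack) accept remote DCs."""
    return addr in ("*", "0.0.0.0", "::", "[::]")


def missing_ports(ss_output, required=REQUIRED_TCP_PORTS):
    """Required ports not bound on a wildcard or non-loopback address."""
    reachable = {port for addr, port in parse_listening(ss_output)
                 if is_wildcard(addr) or not addr.startswith("127.")}
    return sorted(required - reachable)


if __name__ == "__main__":
    live = subprocess.run(["ss", "-tnl"], capture_output=True, text=True).stdout
    print("missing trust ports:", missing_ports(live) or "none")
```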