[Freeipa-users] FreeIPA problem with AD trust setup

Sumit Bose sbose at redhat.com
Wed Feb 24 14:34:59 UTC 2016


On Wed, Feb 24, 2016 at 01:30:11PM +0100, Daniel wrote:
> Hello,
> 
> I'm trying to setup trust with our AD domain in test environment, but I've
> got an error:
> ipa trust-add --type=ad test.local --two-way=1 --admin Administrator
> --password
> 
> ipa: ERROR: CIFS server communication error: code "-1073741725",
> message "User exists" (both may be "None").
> 
> After enabling log level = 100 in /var/log/httpd/error_log I have:
> s4_tevent: Schedule immediate event "tevent_req_trigger": 0x7fcca804f880
> s4_tevent: Run immediate event "tevent_req_trigger": 0x7fcca804f880
>      lsa_CreateTrustedDomainEx2: struct lsa_CreateTrustedDomainEx2
>         out: struct lsa_CreateTrustedDomainEx2
>             trustdom_handle          : *
>                 trustdom_handle: struct policy_handle
>                     handle_type              : 0x00000000 (0)
>                     uuid                     :
> 00000000-0000-0000-0000-000000000000
>             result                   : NT_STATUS_USER_EXISTS
> rpc reply data:
> [0000] 00 00 00 00 00 00 00 00   00 00 00 00 00 00 00 00   ........ ........
> [0010] 00 00 00 00 63 00 00 C0                            ....c...
> [Wed Feb 24 12:44:21.039930 2016] [:error] [pid 17911] ipa: INFO:
> [jsonserver_kerb] admin at LINUX.TEST.LOCAL: trust_add(u'test.local',
> trust_type=u'ad', realm_admin=u'Administrator', realm_passwd=u'********',
> bidirectional=True, all=False, raw=False, version=u'2.156'):
> RemoteRetrieveError

The error indicates that there already is a trust on the AD side to a
domain which either has linux.test.local as domain name or the same
NetBIOS domain name. The default NetBIOS domain name in your case would
be LINUX.

You can check the names of the trusted domains with e.g.

ldapsearch -H ldap://ad-server.ad.domain -b 'dc=ad,dc=domain' 'objectClass=trustedDomain' name flatName trustPartner

If you cannot find a collision here there might be a collision with the
NetBIOS name of a host. You can check this with

ldapsearch -H ldap://ad-server.ad.domain -b 'dc=ad,dc=domain' 'objectClass=computer'  sAMAccountName

HTH

bye,
Sumit

> 
> FreeIPA domain is configured as subdomain linux.test.local of our main
> domain test.local (on DNS I've added NS records for subdomain delegation).
> 
> FreeIPA server:
> CentOS 7.2
> ipa-server-4.2.0-15.el7_2.6.x86_64
> ipa-server-trust-ad-4.2.0-15.el7_2.6.x86_64
> 
> AD server:
> Windows 2012 with about 2k users.
> 
> --
> Regards
> Daniel Kubiak
> 

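An added example, not code from the thread: it re-reads the signed code IPA printed as the NTSTATUS value seen in the RPC reply, and scans the output of the two ldapsearch commands above (here a constructed sample LDIF, not real AD data) for a collision with the IPA domain's DNS name or its default NetBIOS name LINUX.

```python
STATUS_USER_EXISTS = 0xC0000063  # NT_STATUS_USER_EXISTS, as in the RPC reply "63 00 00 C0"

def ntstatus_from_signed(code):
    """Map the signed 32-bit code IPA prints (-1073741725) to the unsigned NTSTATUS."""
    return code & 0xFFFFFFFF

def parse_ldif(text):
    """Minimal LDIF parser (plain attr: value lines only): list of attr -> [values]."""
    entries, cur = [], {}
    for line in text.splitlines():
        if not line.strip():
            if cur:
                entries.append(cur)
                cur = {}
            continue
        if line.startswith('#'):
            continue
        attr, _, val = line.partition(':')
        cur.setdefault(attr.strip(), []).append(val.strip())
    if cur:
        entries.append(cur)
    return entries

def find_collisions(entries, dns_name, netbios_name):
    """Return (dn, attribute, value) for every trustedDomain or computer entry whose
    name, flatName, trustPartner or sAMAccountName matches the IPA domain's
    DNS name or NetBIOS name; a trailing '$' (computer accounts) is ignored."""
    wanted = {dns_name.lower(), netbios_name.lower()}
    hits = []
    for e in entries:
        dn = e.get('dn', ['?'])[0]
        for attr in ('name', 'flatName', 'trustPartner', 'sAMAccountName'):
            for v in e.get(attr, []):
                if v.lower().rstrip('$') in wanted:
                    hits.append((dn, attr, v))
    return hits

# Constructed sample in the shape the ldapsearch commands return (hypothetical objects).
SAMPLE_LDIF = """\
dn: CN=linux.test.local,CN=System,DC=test,DC=local
name: linux.test.local
flatName: LINUX
trustPartner: linux.test.local

dn: CN=LINUX,CN=Computers,DC=test,DC=local
sAMAccountName: LINUX$

dn: CN=WS01,CN=Computers,DC=test,DC=local
sAMAccountName: WS01$
"""
```

Any hit means the trust-add will fail with USER_EXISTS until the stale trust or the conflicting computer account is removed or the IPA NetBIOS name is changed.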