[Freeipa-users] FreeIPA 4.3.0 Trust with AD Fails with RemoteRetrieveError

Alexander Bokovoy abokovoy at redhat.com
Wed Jan 27 15:55:36 UTC 2016


On Wed, 27 Jan 2016, Nathan Peters wrote:
>I'm trying to create a trust with AD on a FreeIPA 4.3.0 domain at domain level 1.
>
>When I try through the CLI I get this error:
>ipa: ERROR: communication with CIFS server was unsuccessful
>
>When I try through the web UI I get:
>IPA Error 4016: RemoteRetrieveError
>
>Following debugging steps and setting loglevel to 100 gives a whole pile of stuff that doesn't seem to indicate the actual cause of the failure.
>
>It ends with these errors :
>
>     lsa_lsaRSetForestTrustInformation: struct lsa_lsaRSetForestTrustInformation
>        out: struct lsa_lsaRSetForestTrustInformation
>            collision_info           : *
>                collision_info           : NULL
>            result                   : NT_STATUS_INVALID_PARAMETER
>rpc reply data:
>[0000] 00 00 00 00 0D 00 00 C0                             ........
>     lsa_QueryTrustedDomainInfoByName: struct lsa_QueryTrustedDomainInfoByName
>        in: struct lsa_QueryTrustedDomainInfoByName
>            handle                   : *
>                handle: struct policy_handle
>                   handle_type              : 0x00000000 (0)
>                    uuid                     : 0000000d-0000-0000-a856-ba5c507f0000
>            trusted_domain           : *
>                trusted_domain: struct lsa_String
>                    length                   : 0x002c (44)
>                    size                     : 0x002c (44)
>                    string                   : *
>                        string                   : 'office.mydomain.net'
>            level                    : LSA_TRUSTED_DOMAIN_INFO_FULL_INFO (8)
>rpc request data:
>
>     lsa_QueryTrustedDomainInfoByName: struct lsa_QueryTrustedDomainInfoByName
>        out: struct lsa_QueryTrustedDomainInfoByName
>            info                     : *
>                info                     : NULL
>            result                   : NT_STATUS_OBJECT_NAME_NOT_FOUND
>rpc reply data:
>[0000] 00 00 00 00 34 00 00 C0                             ....4...
>     lsa_CreateTrustedDomainEx2: struct lsa_CreateTrustedDomainEx2
>        in: struct lsa_CreateTrustedDomainEx2
>            policy_handle            : *
>                policy_handle: struct policy_handle
>                    handle_type              : 0x00000000 (0)
>                    uuid                     : 0000000d-0000-0000-a856-ba5c507f0000
>            info                     : *
>                info: struct lsa_TrustDomainInfoInfoEx
>                    domain_name: struct lsa_StringLarge
>                        length                   : 0x002c (44)
>                        size                     : 0x002e (46)
>                        string                   : *
>                            string                   : 'office.mydomain.net'
>                    netbios_name: struct lsa_StringLarge
>                        length                   : 0x000c (12)
>                        size                     : 0x000e (14)
>                        string                   : *
>                            string                   : 'OFFICE'
>                    sid                      : *
>                        sid                      : S-1-5-21-3104402935-1443057687-1106712449
>                    trust_direction          : 0x00000001 (1)
>                           1: LSA_TRUST_DIRECTION_INBOUND
>                           0: LSA_TRUST_DIRECTION_OUTBOUND
>                    trust_type               : LSA_TRUST_TYPE_UPLEVEL (2)
>                    trust_attributes         : 0x00000000 (0)
>                           0: LSA_TRUST_ATTRIBUTE_NON_TRANSITIVE
>                           0: LSA_TRUST_ATTRIBUTE_UPLEVEL_ONLY
>                           0: LSA_TRUST_ATTRIBUTE_QUARANTINED_DOMAIN
>                           0: LSA_TRUST_ATTRIBUTE_FOREST_TRANSITIVE
>                           0: LSA_TRUST_ATTRIBUTE_CROSS_ORGANIZATION
>                           0: LSA_TRUST_ATTRIBUTE_WITHIN_FOREST
>                           0: LSA_TRUST_ATTRIBUTE_TREAT_AS_EXTERNAL
>                           0: LSA_TRUST_ATTRIBUTE_USES_RC4_ENCRYPTION
>            auth_info_internal       : *
>                auth_info_internal: struct lsa_TrustDomainInfoAuthInfoInternal
>                    auth_blob: struct lsa_DATA_BUF2
>                        size                     : 0x00000440 (1088)
>                        data                     : *
>                            data: ARRAY(1088)
>
>
>
>     lsa_CreateTrustedDomainEx2: struct lsa_CreateTrustedDomainEx2
>        out: struct lsa_CreateTrustedDomainEx2
>            trustdom_handle          : *
>                trustdom_handle: struct policy_handle
>                    handle_type              : 0x00000000 (0)
>                    uuid                     : 00000000-0000-0000-0000-000000000000
>            result                   : NT_STATUS_UNSUCCESSFUL
>rpc reply data:
>[0000] 00 00 00 00 00 00 00 00   00 00 00 00 00 00 00 00   ........ ........
>[0010] 00 00 00 00 01 00 00 C0                             ........
>[Tue Jan 26 21:59:34.411382 2016] [wsgi:error] [pid 29762] ipa: INFO:
>[jsonserver_kerb] admin at DEV-MYDOMAIN.NET:
>trust_add(u'office.mydomain.net', trust_type=u'ad',
>realm_admin=u'Administrator', realm_passwd=u'********', all=False,
>raw=False, version=u'2.163'): RemoteRetrieveError
I need to have a better picture of your AD topology. It is unclear why
the AD DC chosen for communication denies the trust creation request, but
there might be multiple reasons.

Unfortunately, I'll have no time for investigation until February 12th
or so.

-- 
/ Alexander Bokovoy
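As an added example (not code from the thread, from FreeIPA or from Samba), the following Python parses the kind of Samba log-level-100 NDR dump quoted in the message above and decodes the NTSTATUS from the last four bytes of each "rpc reply data:" hex dump, which is where NDR places a call's return status, so every call can be paired with its outcome even when the parsed "result" line is missing or the dump is truncated. The sample log is a constructed excerpt modelled on the one in the message, and the NTSTATUS name table covers only the codes that appear there.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Constructed sample, modelled on the Samba log-level-100 output quoted in the
# message above (not captured from a live system): each call is dumped twice
# ("in:" for the request, "out:" for the reply) and every reply is followed by
# an "rpc reply data:" hex dump whose last four bytes are the little-endian
# NTSTATUS return value.
SAMPLE_LOG = """\
     lsa_lsaRSetForestTrustInformation: struct lsa_lsaRSetForestTrustInformation
        out: struct lsa_lsaRSetForestTrustInformation
            collision_info           : *
                collision_info           : NULL
            result                   : NT_STATUS_INVALID_PARAMETER
rpc reply data:
[0000] 00 00 00 00 0D 00 00 C0                             ........
     lsa_QueryTrustedDomainInfoByName: struct lsa_QueryTrustedDomainInfoByName
        in: struct lsa_QueryTrustedDomainInfoByName
            level                    : LSA_TRUSTED_DOMAIN_INFO_FULL_INFO (8)
rpc request data:

     lsa_QueryTrustedDomainInfoByName: struct lsa_QueryTrustedDomainInfoByName
        out: struct lsa_QueryTrustedDomainInfoByName
            info                     : *
                info                     : NULL
            result                   : NT_STATUS_OBJECT_NAME_NOT_FOUND
rpc reply data:
[0000] 00 00 00 00 34 00 00 C0                             ....4...
     lsa_CreateTrustedDomainEx2: struct lsa_CreateTrustedDomainEx2
        out: struct lsa_CreateTrustedDomainEx2
            result                   : NT_STATUS_UNSUCCESSFUL
rpc reply data:
[0000] 00 00 00 00 00 00 00 00   00 00 00 00 00 00 00 00   ........ ........
[0010] 00 00 00 00 01 00 00 C0                             ........
"""

# Only the codes that occur in the quoted dump; extend as needed.
NTSTATUS_NAMES = {
    0x00000000: "NT_STATUS_OK",
    0xC0000001: "NT_STATUS_UNSUCCESSFUL",
    0xC000000D: "NT_STATUS_INVALID_PARAMETER",
    0xC0000034: "NT_STATUS_OBJECT_NAME_NOT_FOUND",
}

CALL_RE = re.compile(r"^\s*(\w+): struct \1\s*$")          # "name: struct name"
RESULT_RE = re.compile(r"^\s*result\s*:\s*(NT_STATUS_\w+)")
# "[0010] 00 00 ... C0   ........": offset, then up to 16 hex byte pairs; the
# ASCII rendering that follows is never two hex digits plus whitespace.
HEX_LINE_RE = re.compile(r"^\[([0-9A-Fa-f]{4})\]\s+((?:[0-9A-Fa-f]{2}\s+){1,16})")


@dataclass
class RpcReply:
    call: str                 # DCE/RPC operation name from the NDR dump
    reported: Optional[str]   # symbolic status printed on the "result" line
    status: int               # NTSTATUS decoded from the reply's last 4 bytes

    @property
    def decoded(self) -> str:
        return NTSTATUS_NAMES.get(self.status, f"0x{self.status:08X}")

    @property
    def severity(self) -> int:
        # NTSTATUS top two bits: 0 success, 1 informational, 2 warning, 3 error
        return self.status >> 30

    @property
    def consistent(self) -> bool:
        # Does the decoded wire value agree with what the parser printed?
        return self.decoded == self.reported


def parse_rpc_replies(log_text: str) -> list:
    """Pair each RPC reply in a Samba debug dump with its wire-level NTSTATUS."""
    replies = []
    call, reported = None, None
    in_dump, dump = False, bytearray()

    def flush():
        nonlocal in_dump, dump
        if in_dump and call is not None and len(dump) >= 4:
            # NDR puts the return status last; least significant byte first.
            replies.append(RpcReply(call, reported, int.from_bytes(dump[-4:], "little")))
        in_dump, dump = False, bytearray()

    for line in log_text.splitlines():
        line = line.lstrip("> ")            # tolerate mail-quoted copies
        m = HEX_LINE_RE.match(line)
        if m and in_dump:
            dump += bytes.fromhex(m.group(2))   # fromhex ignores whitespace
            continue
        flush()                             # any other line ends a reply dump
        m = CALL_RE.match(line)
        if m:
            call, reported = m.group(1), None
            continue
        m = RESULT_RE.match(line)
        if m:
            reported = m.group(1)
            continue
        if line.strip() == "rpc reply data:":
            in_dump = True                  # request dumps are deliberately skipped
    flush()
    return replies


def first_failure(replies: list) -> Optional[RpcReply]:
    """First reply whose NTSTATUS has error severity, or None."""
    return next((r for r in replies if r.severity == 3), None)


if __name__ == "__main__":
    for r in parse_rpc_replies(SAMPLE_LOG):
        flag = "" if r.consistent else "  (mismatch with result line!)"
        print(f"{r.call:<40} 0x{r.status:08X} {r.decoded}{flag}")
```

Run over the full debug output, the list of replies gives the order in which the DC answered each call. The NT_STATUS_OBJECT_NAME_NOT_FOUND from lsa_QueryTrustedDomainInfoByName, immediately followed by an attempt to create the trusted-domain object, is consistent with a lookup of an object that does not exist yet; the reply to look at is the last one, NT_STATUS_UNSUCCESSFUL from lsa_CreateTrustedDomainEx2, which is the DC refusing the trust-creation request that the reply above points at.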