[Freeipa-users] Can't establish trust with 2008 AD

Alexander Bokovoy abokovoy at redhat.com
Fri Jun 10 04:14:28 UTC 2016


Please don't answer directly, use mailing list.

On Thu, 09 Jun 2016, pgb205 wrote:
>Alexander,
>
>As far as I can say ipv6 is enabled in the kernel, as the tutorial
>suggests, although none of the interfaces have ipv6 addresses.
>
>For example,
> ip a | grep inet6
>    inet6 ::1/128 scope host
>
>and
>ip -6 address show
> 1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536
>    inet6 ::1/128 scope host
>
>root@:~# cat /proc/sys/net/ipv6/conf/all/disable_ipv6
>0
>root@:~# cat /proc/sys/net/ipv6/conf/default/disable_ipv6
>0
Do any of your DNS servers respond with IPv6 addresses for the AD DCs?
The glibc DNS resolver prefers IPv6 over IPv4 in the default configuration,
and if that happens, without IPv6 routes it becomes unreachable.

You can control how the DNS resolver works with /etc/gai.conf (it does not
exist by default; see the gai.conf man page for details) and can set IPv4
preference over IPv6 there, either globally or per host.

>
>
>From: Alexander Bokovoy <abokovoy at redhat.com>
>To: pgb205 <pgb205 at yahoo.com>
>Cc: "Freeipa-users at redhat.com" <Freeipa-users at redhat.com>
>Sent: Thursday, June 9, 2016 4:30 PM
>Subject: Re: [Freeipa-users] Can't establish trust with 2008 AD
>
>On Thu, 09 Jun 2016, pgb205 wrote:
>>The setup is: AD 2008 domain, latest version of FreeIpa with integrated
>>DNS. As the AD domain is not known to any DNS servers on the network I
>>have created a stub zone in Freeipa integrated dns server
>>addomain.com, and created A-record for DC.addomain.com as well as
>>_ldap.tcp.addomain.com and _kerberos.udp.addomain.com and checked with
>>dig that they resolve correctly. 138/139/145/389 are opened between the
>>servers on both tcp and udp ports. ipv6 enabled on the FreeIpa server. I
>>am using pre-shared secret to establish the trust.
>>Run: ipa trust-add --type=ad addomain.com --trust-secret <pre-shared key>
>>and receive:
>>ipa: ERROR: CIFS server communication error: code "None", message "NT_STATUS_IO_TIMEOUT" (both may be "None")
>>
>>I've enabled the logs as described in debugging section (I would be glad to forward the whole thing if needed). However, relevant error that I see is:
>>finddcs: DNS SRV response 0 at '<ipaddr>'
>>finddcs: performing CLDAP query on <ipaddr>
>>s4_tevent: Added timed event "tevent_req_timedout": 0x7f21302a8b10
>>s4_tevent: Schedule immediate event "tevent_req_trigger": 0x7f2130025090
>>s4_tevent: Run immediate event "tevent_req_trigger": 0x7f2130025090
>>s4_tevent: Added timed event "tevent_req_timedout": 0x7f213025cb90
>>s4_tevent: Running timer event 0x7f213025cb90 "tevent_req_timedout"
>>s4_tevent: Schedule immediate event "tevent_req_trigger": 0x7f2130045b50
>>s4_tevent: Ending timer event 0x7f213025cb90 "tevent_req_timedout"
>>s4_tevent: Run immediate event "tevent_req_trigger": 0x7f2130045b50
>>s4_tevent: Added timed event "tevent_req_timedout": 0x7f213025cb90
>>s4_tevent: Running timer event 0x7f213025cb90 "tevent_req_timedout"
>>s4_tevent: Schedule immediate event "tevent_req_trigger": 0x7f213001d230
>>s4_tevent: Ending timer event 0x7f213025cb90 "tevent_req_timedout"
>>s4_tevent: Run immediate event "tevent_req_trigger": 0x7f213001d230
>>s4_tevent: Added timed event "tevent_req_timedout": 0x7f213025cb90
>>s4_tevent: Running timer event 0x7f21302a8b10 "tevent_req_timedout"
>>s4_tevent: Destroying timer event 0x7f213025cb90 "tevent_req_timedout"
>>finddcs: No matching CLDAP server found
>>s4_tevent: Ending timer event 0x7f21302a8b10 "tevent_req_timedout"
>>[Thu Jun 09 20:39:38.703506 2016] [:error] [pid 2503] ipa: INFO: [jsonserver_session] admin@<ipadomain.com>: trust_add(u'addomain.com', trust_type=u'ad', trust_secret=u'********', all=False, raw=False, version=u'2.156'): RemoteRetrieveError
>>Once again I would be glad to provide entire logs if needed. But would be
>>grateful for suggestions on how to resolve the above error.
>Do you have IPv6 disabled?
>www.freeipa.org/page/Active_Directory_trust_setup#IPv6_stack_usage
>-- 
>/ Alexander Bokovoy

-- 
/ Alexander Bokovoy
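The check the reply above asks for, as an added example (a POSIX sh script written for this page, not code from the thread, from FreeIPA or from Samba): it reads the address order that glibc's getaddrinfo() produced for a DC name (as printed by `getent ahosts`), looks for any IPv6 route beyond loopback and link-local in `ip -6 route show`, and prints the /etc/gai.conf precedence table that makes getaddrinfo() sort IPv4 first. The table is the RFC 3484 default with the IPv4-mapped row raised from 10 to 100, the adjustment the sample gai.conf shipped by distributions documents; every row is repeated because one precedence line replaces the whole default table. Host names and addresses used in the functions' self-tests are constructed, and the live check only runs when a host name is passed on the command line.

```shell
#!/bin/sh
# Added example, not from the thread, FreeIPA or Samba. Decides whether the
# glibc resolver will hand a client an IPv6 address for the DC that the kernel
# cannot route, and prints the gai.conf table that flips the preference.

# Read `getent ahosts <name>` output on stdin. getent prints addresses in the
# order getaddrinfo() sorted them, so line 1 is what a client that takes the
# first result connects to. Prints "inet6", "inet", or nothing if no answer.
preferred_family() {
  awk 'NR == 1 { fam = ($1 ~ /:/) ? "inet6" : "inet"; print fam; exit }'
}

# Read `ip -6 route show` output on stdin. Succeeds only if a route exists
# that is neither loopback (::1), link-local (fe80::/...), nor a local /
# unreachable / blackhole pseudo-route, i.e. a global IPv6 packet has
# somewhere to go.
has_ipv6_route() {
  awk '$1 !~ /^(local|unreachable|blackhole|prohibit|multicast|anycast)$/ \
       && $1 != "::1" && $1 !~ /^fe80:/ { found = 1 }
       END { exit !found }'
}

# RFC 3484 default precedence table with ::ffff:0:0/96 (IPv4-mapped, i.e.
# plain IPv4 answers) raised from 10 to 100 so IPv4 sorts first. gai.conf
# drops the built-in table as soon as one precedence line is present, so the
# other rows are listed explicitly rather than relying on defaults.
gai_conf_prefer_ipv4() {
  cat <<'EOF'
precedence ::1/128       50
precedence ::/0          40
precedence 2002::/16     30
precedence ::/96         20
precedence ::ffff:0:0/96 100
EOF
}

# Live check of a real DC name (hypothetical argument, e.g. dc.addomain.com);
# runs only when a name is given so the helpers above stay usable offline.
check_host() {
  fam=$(getent ahosts "$1" | preferred_family)
  if [ -z "$fam" ]; then
    echo "$1: the resolver returned no address at all"
    return 1
  fi
  echo "$1: getaddrinfo() puts $fam first"
  if ip -6 route show | has_ipv6_route; then
    echo "kernel has a non-link-local IPv6 route"
  elif [ "$fam" = inet6 ]; then
    echo "no usable IPv6 route: the first answer is unreachable."
    echo "/etc/gai.conf content that prefers IPv4:"
    gai_conf_prefer_ipv4
  fi
  return 0
}

if [ $# -gt 0 ]; then
  check_host "$1"
fi
```

Run it as `sh check-dc.sh dc.addomain.com` (file name is illustrative) on the IPA server and compare with `dig AAAA dc.addomain.com`: if the DC name resolves to an IPv6 address but the only IPv6 routes are ::1 and fe80::/64, removing the stray AAAA record from DNS fixes the cause, while gai.conf only changes which answer getaddrinfo() callers try first.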