[Freeipa-users] Can't establish trust with 2008 AD

pgb205 pgb205 at yahoo.com
Fri Jun 10 04:35:56 UTC 2016


Sorry about replying privately.
dig provides ipv4 addresses as expected.
For example :
root at ipaserver.ipadomain.com:~#  dig SRV _ldap._tcp.addomain.com
# this is run on the FreeIPA where idm is installed as well as integrated DNS with the addomain.com stub zone that points to dc.addomain.com

;; QUESTION SECTION:
;_ldap._tcp.addomain.com.    IN      SRV

;; ANSWER SECTION:
_ldap._tcp.addomain.com. 86400 IN    SRV     0 100 389 dc.addomain.com.

;; AUTHORITY SECTION:
addomain.com.        86400   IN      NS      ipadomain.com

But just in case I have edited /etc/gai.conf with the following
label       ::1/128        0
label       ::/0           1
label       2002::/16      2
label       ::/96          3
label       ::ffff:0:0/96  4
precedence  ::1/128        50
precedence  ::/0           40
precedence  2002::/16      30
precedence  ::/96          20
precedence  ::ffff:0:0/96  100
and restarted ipa and dns
ipactl stop/start and rndc reload

The trust setup still results in
Shared secret for the trust:
ERROR: CIFS server communication error: code "None", message "NT_STATUS_IO_TIMEOUT" (both may be "None")
If you want I can provide with logs.

thanks for the help

From: Alexander Bokovoy <abokovoy at redhat.com>
 To: pgb205 <pgb205 at yahoo.com> 
Cc: freeipa-users at redhat.com
 Sent: Friday, June 10, 2016 12:14 AM
 Subject: Re: [Freeipa-users] Can't establish trust with 2008 AD
   
Please don't answer directly, use mailing list.

On Thu, 09 Jun 2016, pgb205 wrote:
>Alexander,
>
>As far as I can say ipv6 is enabled in the kernel, as the tutorial
>suggests, although none of the interfaces have ipv6 addresses.
>
>For example,
> ip a | grep inet6
>    inet6 ::1/128 scope host
>
>and
>ip -6 address show
> 1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536
>    inet6 ::1/128 scope host
>
>root@:~# cat /proc/sys/net/ipv6/conf/all/disable_ipv6
>0
>root@:~# cat /proc/sys/net/ipv6/conf/default/disable_ipv6
>0
Does any of your DNS servers respond with IPv6 addresses for AD DCs?
glibc DNS resolver prefers IPv6 over IPv4 in the default configuration
and if that happens, without IPv6 routes it becomes unreachable.

You can control how DNS resolver works with /etc/gai.conf (does not
exist by default, see man page gai.conf for details) and can set IPv4
preference over IPv6 there, either globally or per host.

>
>
>      From: Alexander Bokovoy <abokovoy at redhat.com>
> To: pgb205 <pgb205 at yahoo.com>
>Cc: "Freeipa-users at redhat.com" <Freeipa-users at redhat.com>
> Sent: Thursday, June 9, 2016 4:30 PM
> Subject: Re: [Freeipa-users] Can't establish trust with 2008 AD
>
>On Thu, 09 Jun 2016, pgb205 wrote:
>>The setup is:
>>AD 2008 domain,
>>Latest version of FreeIpa with integrated DNS,
>>As the AD domain is not known to any DNS servers on the network I
>>have created a stub zone in Freeipa integrated dns server addomain.com,
>>and created A-record for DC.addomain.com as well as
>>_ldap.tcp.addomain.com and _kerberos.udp.addomain.com and checked with
>>dig that they resolve correctly,
>>138/139/145/389 are opened between the servers on both tcp and udp ports,
>>ipv6 enabled on the FreeIpa server.
>>I am using pre-shared secret to establish the trust.
>>Run:
>>ipa trust-add --type=ad addomain.com --trust-secret <pre-shared key>
>>and receive:
>>ipa: ERROR: CIFS server communication error: code "None", message "NT_STATUS_IO_TIMEOUT" (both may be "None")
>>
>>I've enabled the logs as described in debugging section (I would be glad
>>to forward the whole thing if needed). However, relevant error that I see is:
>>
>>finddcs: DNS SRV response 0 at '<ipaddr>'
>>finddcs: performing CLDAP query on <ipaddr>
>>s4_tevent: Added timed event "tevent_req_timedout": 0x7f21302a8b10
>>s4_tevent: Schedule immediate event "tevent_req_trigger": 0x7f2130025090
>>s4_tevent: Run immediate event "tevent_req_trigger": 0x7f2130025090
>>s4_tevent: Added timed event "tevent_req_timedout": 0x7f213025cb90
>>s4_tevent: Running timer event 0x7f213025cb90 "tevent_req_timedout"
>>s4_tevent: Schedule immediate event "tevent_req_trigger": 0x7f2130045b50
>>s4_tevent: Ending timer event 0x7f213025cb90 "tevent_req_timedout"
>>s4_tevent: Run immediate event "tevent_req_trigger": 0x7f2130045b50
>>s4_tevent: Added timed event "tevent_req_timedout": 0x7f213025cb90
>>s4_tevent: Running timer event 0x7f213025cb90 "tevent_req_timedout"
>>s4_tevent: Schedule immediate event "tevent_req_trigger": 0x7f213001d230
>>s4_tevent: Ending timer event 0x7f213025cb90 "tevent_req_timedout"
>>s4_tevent: Run immediate event "tevent_req_trigger": 0x7f213001d230
>>s4_tevent: Added timed event "tevent_req_timedout": 0x7f213025cb90
>>s4_tevent: Running timer event 0x7f21302a8b10 "tevent_req_timedout"
>>s4_tevent: Destroying timer event 0x7f213025cb90 "tevent_req_timedout"
>>finddcs: No matching CLDAP server found
>>s4_tevent: Ending timer event 0x7f21302a8b10 "tevent_req_timedout"
>>[Thu Jun 09 20:39:38.703506 2016] [:error] [pid 2503] ipa: INFO: [jsonserver_session] admin@<ipadomain.com>: trust_add(u'addomain.com', trust_type=u'ad', trust_secret=u'********', all=False, raw=False, version=u'2.156'): RemoteRetrieveError
>>
>>Once again I would be glad to provide entire logs if needed. But would be
>>grateful for suggestions on how to resolve the above error.
>Do you have IPv6 disabled?
>www.freeipa.org/page/Active_Directory_trust_setup#IPv6_stack_usage
>-- 
>/ Alexander Bokovoy
>
>
>

-- 
/ Alexander Bokovoy


  
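As an added example (not part of this thread, and not FreeIPA or glibc code), the script below models the getaddrinfo() "precedence" sorting that Alexander refers to, using the default precedence table documented in gai.conf(5) and the edited table pgb205 posted. It shows why a DC that answers with both an AAAA and an A record is tried over IPv6 first by default, and how raising the ::ffff:0:0/96 precedence flips that order. Only RFC 6724 rule 6 (precedence) is modelled; real glibc also applies reachability, scope and label rules. The DC addresses are constructed sample data.

```python
"""Model of the /etc/gai.conf 'precedence' rule (RFC 6724 rule 6) that
getaddrinfo() uses to order a host's addresses.

Added example for the mailing-list discussion above; not glibc's
implementation. Only the precedence rule is modelled. The addresses in
DC_ANSWERS are constructed sample data, not from the thread."""
import ipaddress

# Default precedence table as documented in gai.conf(5).
DEFAULT_GAI_CONF = """
precedence  ::1/128        50
precedence  ::/0           40
precedence  2002::/16      30
precedence  ::/96          20
precedence  ::ffff:0:0/96  10
"""

# The edited table from the thread: the IPv4-mapped prefix is raised to
# 100 so IPv4 answers sort ahead of every IPv6 answer.
PREFER_IPV4_GAI_CONF = """
precedence  ::1/128        50
precedence  ::/0           40
precedence  2002::/16      30
precedence  ::/96          20
precedence  ::ffff:0:0/96  100
"""


def parse_precedence(text):
    """Return [(IPv6Network, value)] for the 'precedence' lines of a gai.conf.
    'label', 'reload' and 'scopev4' lines are ignored (not modelled)."""
    table = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()   # drop comments and blanks
        if not line:
            continue
        parts = line.split()
        if len(parts) != 3 or parts[0] != "precedence":
            continue
        table.append((ipaddress.IPv6Network(parts[1]), int(parts[2])))
    return table


def as_ipv6(addr):
    """getaddrinfo() compares IPv4 answers as IPv4-mapped IPv6 (::ffff:a.b.c.d),
    which is why the ::ffff:0:0/96 row governs IPv4 precedence."""
    ip = ipaddress.ip_address(addr)
    if ip.version == 4:
        return ipaddress.IPv6Address("::ffff:" + str(ip))
    return ip


def precedence(addr, table):
    """Longest-prefix match of addr against the precedence table (0 if no row matches)."""
    ip6 = as_ipv6(addr)
    best_len, best_val = -1, 0
    for net, value in table:
        if ip6 in net and net.prefixlen > best_len:
            best_len, best_val = net.prefixlen, value
    return best_val


def sort_destinations(addrs, gai_conf_text):
    """Order candidate addresses as rule 6 would: higher precedence first.
    sorted() is stable, so equal-precedence answers keep the resolver's order."""
    table = parse_precedence(gai_conf_text)
    return sorted(addrs, key=lambda a: -precedence(a, table))


# Constructed sample: a DC whose zone carries both an AAAA and an A record,
# queried from a host that has no IPv6 route (only ::1, as in the thread).
DC_ANSWERS = ["2001:db8::10", "192.0.2.10"]

if __name__ == "__main__":
    print("default gai.conf  :", sort_destinations(DC_ANSWERS, DEFAULT_GAI_CONF))
    print("IPv4-preferred    :", sort_destinations(DC_ANSWERS, PREFER_IPV4_GAI_CONF))
```

With the default table the AAAA answer (precedence 40 via ::/0) is tried before the A answer (precedence 10 via ::ffff:0:0/96), and a host without an IPv6 route will sit in the connect timeout before falling back; with ::ffff:0:0/96 at 100 the IPv4 answer comes first. The quick field check for the situation in the thread is `dig AAAA dc.addomain.com` against the stub zone: if it returns nothing, precedence is not what is timing out, and the CLDAP/389 path itself needs looking at.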