[Freeipa-users] Can't establish a trust to AD

Alexander Bokovoy abokovoy at redhat.com
Thu Nov 24 17:30:06 UTC 2016


On Thu, 24 Nov 2016, Denis Müller wrote:
>Hello guys, we need help establishing a trust from FreeIPA to AD. AD
>users should be able to access the Linux environment, but Linux users
>should not have access to the AD environment.
>
>our setup:
>
>AD Domain:
>domain.com, there we have two AD controllers installed with Windows
>Server 2008. All users are managed here.
>
>IPA Domain:
>wop.domain.com. We would like to sync users from ad to a specific group
>to provide user-management in linux environments. In this subdomain we
>have 2 ipa-servers: ipa01.wop.domain.com and ipa02.domain.com
>
>Ipa version on both servers is: VERSION: 4.2.0, API_VERSION: 2.156
>
>Both servers have "ipa-server-trust-ad" installed.
>
>[root at ipa01 ~]# ipactl status
>Directory Service: RUNNING
>krb5kdc Service: RUNNING
>kadmin Service: RUNNING
>named Service: RUNNING
>ipa_memcached Service: RUNNING
>httpd Service: RUNNING
>pki-tomcatd Service: RUNNING
>smb Service: RUNNING
>winbind Service: RUNNING
>ipa-otpd Service: RUNNING
>ipa-dnskeysyncd Service: RUNNING
>ipa: INFO: The ipactl command was successful
>
>kinit admin works as expected !
>
>
>
>DNS configuration:
>IPA-Side:
>
>[root at ipa01 ~]# dig +short -t SRV _kerberos._udp.wop.domain.com
>0 100 88 ipa02.wop.domain.com.
>0 100 88 ipa01.wop.domain.com.
>
>[root at ipa01 ~]# dig +short -t TXT _kerberos.wop.domain.com
>"WOP.DOMAIN.COM"
>
>[root at ipa01 ~]# dig +short -t SRV _kerberos._udp.dc._msdcs.wop.domain.com.
>0 100 88 ipa02.wop.domain.com.
>0 100 88 ipa01.wop.domain.com.
>
>[root at ipa01 ~]# dig +short -t SRV _kerberos._tcp.dc._msdcs.wop.domain.com.
>0 100 88 ipa01.wop.domain.com.
>0 100 88 ipa02.wop.domain.com.
>
>AD-Side:
>
>C:\Users\demueller>nslookup
>Default Server:  dc2.domain.com
>Address:  192.168.3.9
>
>> set type=SRV
>> _kerberos._udp.wop.domain.com.
>Server:  dc2.domain.com
>Address:  192.168.3.9
>
>Non-authoritative answer:
>_kerberos._udp.wop.domain.com       SRV service location:
>          priority       = 0
>          weight         = 100
>          port           = 88
>          svr hostname   = ipa01.wop.domainc.om
>_kerberos._udp.wop.rto.de       SRV service location:
>          priority       = 0
>          weight         = 100
>          port           = 88
>          svr hostname   = ipa02.wop.domain.com
>
>ipa01.wop.domain.com        internet address = 192.168.11.75
>ipa02.wop.domainc.om        internet address = 192.168.11.106
>
>DNS looks fine, firewall too.
>
>Providing trust: ipa trust-add --type=ad rto.de --trust-secret --server=dc2.domain.com
>
>As a Result:
>
>[root at ipa01 ~]# ipa trustdomain-find domain.com
>  Domain name: domain.com
>  Domain NetBIOS name: DOMAIN (It should be DC2, right?)
>  Domain Security Identifier: S-1-5-21-746137067-2052111302-1801674531
>  Domain enabled: True
>-------------------------------------
>
>
>ipa trust-fetch-domain domain.com
>
>Logging:
>
>[Thu Nov 24 13:43:44.167918 2016] [:error] [pid 9123] ipa: INFO: [jsonserver_session] admin at WOP.DOMAIN.COM: ping(): SUCCESS
>[Thu Nov 24 13:43:44.306718 2016] [:error] [pid 9124] ipa: INFO: [jsonserver_session] admin at WOP.DOMAIN.COM: trustdomain_find(u'domain.com', None, all=False, raw=False, version=u'2.156', pkey_only=False): SUCCESS
>[Thu Nov 24 13:45:16.662862 2016] [:error] [pid 9123] ipa: INFO: 401
>Unauthorized: Insufficient access: SASL(-1): generic failure: GSSAPI
>Error: Unspecified GSS failure.  Minor code may provide more
>information (Cannot contact any KDC for realm 'WOP.DOMAIN.COM)
>
>I can't understand the problem.
It looks like the IPA master's Kerberos configuration does not allow
resolving KDCs of unknown realms via DNS.

What do you have in /etc/krb5.conf in the [libdefaults] section:

  dns_lookup_realm = false
  dns_lookup_kdc = false

or

  dns_lookup_realm = true
  dns_lookup_kdc = true
?

See manual page for krb5.conf for details on these options.

>On the AD side we created a trust certificate as explained here:
>http://www.freeipa.org/page/Active_Directory_trust_setup
I'm not sure what you mean by 'trust certificate', there is no such
thing and no such requirement.

-- 
/ Alexander Bokovoy
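As an added example (not part of the thread, and not FreeIPA's own tooling), here is a small POSIX shell check for the question raised in the reply: given a krb5.conf, can libkrb5 locate a KDC for the AD realm at all? It answers "static" when [realms] pins a kdc for that realm, "dns" when dns_lookup_kdc is enabled in [libdefaults] (so the _kerberos._udp SRV records of the realm's domain are consulted), and "none" otherwise, which is the situation that produces "Cannot contact any KDC for realm". The two config files are constructed inline; the realm CORP.EXAMPLE and the hostnames in them are assumptions.

```shell
#!/bin/sh
# Added example, not from the thread or from FreeIPA: decide how libkrb5 could
# locate a KDC for a given realm from a krb5.conf. The realm CORP.EXAMPLE and
# all hostnames below are assumptions used for the constructed sample configs.
set -eu

# Print the value of KEY from [libdefaults], lowercased ("" if absent).
krb5_libdefault() {
    awk -v key="$2" '
        { sub(/=/, " = ") }   # tolerate "key=value" as well as "key = value"
        /^[[:space:]]*\[/ { insect = ($0 ~ /^[[:space:]]*\[libdefaults\]/); next }
        insect && $1 == key && $2 == "=" { print tolower($3); exit }
    ' "$1"
}

# Exit 0 if [realms] contains "REALM = { ... kdc = ... }", else exit 1.
krb5_realm_has_kdc() {
    awk -v realm="$2" '
        { sub(/=/, " = ") }
        /^[[:space:]]*\[/ { insect = ($0 ~ /^[[:space:]]*\[realms\]/); next }
        insect && $1 == realm && $2 == "=" { inrealm = 1; next }
        inrealm && /^[[:space:]]*}/ { inrealm = 0 }
        inrealm && $1 == "kdc" { found = 1 }
        END { exit (found ? 0 : 1) }
    ' "$1"
}

# Print "static" (kdc pinned in [realms]), "dns" (SRV lookup allowed) or "none".
kdc_resolvable() {
    if krb5_realm_has_kdc "$1" "$2"; then
        echo static
    elif [ "$(krb5_libdefault "$1" dns_lookup_kdc)" = true ]; then
        echo dns
    else
        echo none
    fi
}

# Constructed sample 1: DNS KDC discovery disabled; only the IPA realm and one
# hand-pinned realm are listed, so the AD realm DOMAIN.COM cannot be located.
KRB5_NODNS=$(mktemp)
cat >"$KRB5_NODNS" <<'EOF'
[libdefaults]
  default_realm = WOP.DOMAIN.COM
  dns_lookup_realm = false
  dns_lookup_kdc = false

[realms]
  WOP.DOMAIN.COM = {
    kdc = ipa01.wop.domain.com:88
    admin_server = ipa01.wop.domain.com:749
  }
  CORP.EXAMPLE = {
    kdc = dc1.corp.example:88
  }
EOF

# Constructed sample 2: identical, but SRV-based KDC discovery enabled.
KRB5_DNS=$(mktemp)
sed 's/dns_lookup_kdc = false/dns_lookup_kdc = true/' "$KRB5_NODNS" >"$KRB5_DNS"
trap 'rm -f "$KRB5_NODNS" "$KRB5_DNS"' EXIT

# Stand-alone demo: report how each realm would be located under each config.
for conf in "$KRB5_NODNS" "$KRB5_DNS"; do
    echo "== $conf"
    for realm in WOP.DOMAIN.COM CORP.EXAMPLE DOMAIN.COM; do
        printf '%-20s %s\n' "$realm" "$(kdc_resolvable "$conf" "$realm")"
    done
done
```

Run it on the IPA master as `kdc_resolvable /etc/krb5.conf DOMAIN.COM`; "none" means the trust code path has no way to reach the AD KDCs. The complementary check, which the original post runs only for the IPA domain, is `dig +short -t SRV _kerberos._udp.domain.com` from the IPA server: with dns_lookup_kdc enabled it must return the AD domain controllers.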
