[Freeipa-users] add trust between FreeIPA and Samba AD DC

Alexander Bokovoy abokovoy at redhat.com
Thu Apr 13 15:09:52 UTC 2017


On to, 13 huhti 2017, Tiemen Ruiten wrote:
>Apologies, now with proper subject.
>
>On 13 April 2017 at 16:49, Tiemen Ruiten <t.ruiten at rdmedia.com> wrote:
>
>> Hello!
>>
>> As I understand from this
>> <https://www.redhat.com/archives/freeipa-users/2016-October/msg00147.html> thread,
>> it should be possible to set up a trust between FreeIPA and Samba4. My AD
>> domain is clients.i.rdmedia.com, it's a subdomain of my FreeIPA domain,
>> i.rdmedia.com. Therefore I added a global forwarder on the Samba AD DC to
>> one of the FreeIPA replicas and lookup of SRV records in both domains
>> appears to work.
>>
>> However when I try to add the trust I get "ipa: ERROR an internal error
>> has occurred". I ran the trust-add command with full debug logging as
>> described on https://www.freeipa.org/page/Active_Directory_trust_setup#Debugging_trust,
>> so I can provide these logs privately upon request.
>>
>> I suspect some DNS issue, as right after I try to set up the trust, dynamic
>> updates stop working on the AD Domain Controller with this error:
>>
>> tkey query failed: GSSAPI error: Major = Unspecified GSS failure.  Minor code may provide more information, Minor = Server DNS/fluorine.clients.i.rdmedia.com at I.RDMEDIA.COM not found in Kerberos database.
>> Failed nsupdate: 1
>> update(nsupdate): SRV _ldap._tcp.Default-First-Site-Name._sites.ForestDnsZones.clients.i.rdmedia.com fluorine.clients.i.rdmedia.com 389
>> Calling nsupdate for SRV _ldap._tcp.Default-First-Site-Name._sites.ForestDnsZones.clients.i.rdmedia.com fluorine.clients.i.rdmedia.com 389 (add)
>> Outgoing update query:
>> ;; ->>HEADER<<- opcode: UPDATE, status: NOERROR, id:      0
>> ;; flags:; ZONE: 0, PREREQ: 0, UPDATE: 0, ADDITIONAL: 0
>> ;; UPDATE SECTION:
>> _ldap._tcp.Default-First-Site-Name._sites.ForestDnsZones.clients.i.rdmedia.com. 900 IN SRV 0 100 389 fluorine.clients.i.rdmedia.com.
>>
>> Many thanks in advance for your assistance.
It would help if you would provide more details on your setup. The above
doesn't give a clue on:
 - what the FreeIPA and Samba AD DC versions are
 - what OS versions they run on, correspondingly
 - what DNS zones each of them controls
 - what commands you ran

-- 
/ Alexander Bokovoy
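An added diagnostic for the tkey error quoted above (example code, not from this thread, FreeIPA or Samba): it parses the "not found in Kerberos database" message into service, host and realm, and reports whether the realm the DNS principal was looked up in is the AD DC's own realm. It assumes the DC's principals are registered under the realm named after its AD domain (clients.i.rdmedia.com), and the sample log is the quoted output joined back onto one line.

```python
import re

# Constructed sample: the quoted samba_dnsupdate error, unwrapped onto one line.
SAMPLE_LOG = (
    "tkey query failed: GSSAPI error: Major = Unspecified GSS failure.  Minor "
    "code may provide more information, Minor = Server "
    "DNS/fluorine.clients.i.rdmedia.com at I.RDMEDIA.COM not found in Kerberos database.\n"
    "Failed nsupdate: 1\n"
)

# Matches the MIT Kerberos "server principal unknown" minor-status text.
PRINCIPAL_RE = re.compile(
    r"Server (?P<service>[A-Za-z]+)/(?P<host>[\w.-]+) at (?P<realm>[\w.-]+)"
    r" not found in Kerberos database"
)


def parse_tkey_failure(log: str):
    """Return (service, host, realm) from the GSSAPI error, or None if absent."""
    m = PRINCIPAL_RE.search(log)
    if not m:
        return None
    return m.group("service"), m.group("host"), m.group("realm")


def expected_realm(host: str, ad_domain: str) -> str:
    """Assumption: the AD DC's service principals live in the realm named after its AD domain."""
    if not host.lower().endswith("." + ad_domain.lower()):
        raise ValueError(f"{host} is not inside AD domain {ad_domain}")
    return ad_domain.upper()


def realm_mismatch(log: str, ad_domain: str):
    """Compare the realm in the error against the realm the DC's hostname implies."""
    parsed = parse_tkey_failure(log)
    if parsed is None:
        return None
    service, host, realm = parsed
    want = expected_realm(host, ad_domain)
    return {
        "principal": f"{service}/{host}",
        "realm_in_error": realm,
        "expected_realm": want,
        "mismatch": realm.upper() != want,
    }


if __name__ == "__main__":
    print(realm_mismatch(SAMPLE_LOG, "clients.i.rdmedia.com"))
```

A mismatch means the TKEY negotiation resolved the DC's DNS principal into the parent FreeIPA realm rather than the AD realm, which is the kind of detail worth including with the setup information requested above.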