[Freeipa-users] add trust between FreeIPA and Samba AD DC

Tiemen Ruiten t.ruiten at rdmedia.com
Thu Apr 13 16:08:50 UTC 2017


Of course:

FreeIPA versions:
[root at ipa-ams-01 samba]# rpm -qa | grep ipa
libipa_hbac-1.14.0-43.el7_3.14.x86_64
sssd-ipa-1.14.0-43.el7_3.14.x86_64
python2-ipaclient-4.4.0-14.el7.centos.7.noarch
ipa-server-trust-ad-4.4.0-14.el7.centos.7.x86_64
ipa-client-common-4.4.0-14.el7.centos.7.noarch
python-iniparse-0.4-9.el7.noarch
python-libipa_hbac-1.14.0-43.el7_3.14.x86_64
python2-ipalib-4.4.0-14.el7.centos.7.noarch
ipa-admintools-4.4.0-14.el7.centos.7.noarch
ipa-server-common-4.4.0-14.el7.centos.7.noarch
ipa-server-4.4.0-14.el7.centos.7.x86_64
ipa-server-dns-4.4.0-14.el7.centos.7.noarch
python-ipaddress-1.0.16-2.el7.noarch
ipa-client-4.4.0-14.el7.centos.7.x86_64
python2-ipaserver-4.4.0-14.el7.centos.7.noarch
ipa-common-4.4.0-14.el7.centos.7.noarch

Samba AD DC versions:
Also CentOS 7, Samba 4.6.2, built from source, configured with one option:
--with-systemd

FreeIPA controls i.rdmedia.com, prod.ams.i.rdmedia.com,
test.ams.i.rdmedia.com and prod.nyc.i.rdmedia.com.
AD controls only clients.i.rdmedia.com and forwards all other DNS queries
to ipa-ams-01.

Samba uses the BIND9_DLZ backend for DNS.

Regarding the commands run: After provisioning the AD domain, I followed
this <https://www.freeipa.org/page/Active_Directory_trust_setup> guide,
except I set up the global forwarder in /etc/named.conf manually.

I got the "ipa: ERROR an internal error has occurred" after running:

ipa trust-add --type=ad clients.i.rdmedia.com --admin Administrator --password

On 13 April 2017 at 17:09, Alexander Bokovoy <abokovoy at redhat.com> wrote:

> On to, 13 huhti 2017, Tiemen Ruiten wrote:
>
>> Apologies, now with proper subject.
>>
>> On 13 April 2017 at 16:49, Tiemen Ruiten <t.ruiten at rdmedia.com> wrote:
>>
>>> Hello!
>>>
>>> As I understand from this
>>> <https://www.redhat.com/archives/freeipa-users/2016-October/msg00147.html>
>>> thread, it should be possible to set up a trust between FreeIPA and Samba4.
>>> My AD domain is clients.i.rdmedia.com, it's a subdomain of my FreeIPA domain,
>>> i.rdmedia.com. Therefore I added a global forwarder on the Samba AD DC to
>>> one of the FreeIPA replicas and lookup of SRV records in both domains
>>> appears to work.
>>>
>>> However when I try to add the trust I get "ipa: ERROR an internal error
>>> has occurred". I ran the trust-add command with full debug logging as
>>> described on
>>> https://www.freeipa.org/page/Active_Directory_trust_setup#Debugging_trust,
>>> so I can provide these logs privately upon request.
>>>
>>> I suspect some DNS issue, as right after I try to set up the trust,
>>> dynamic updates stop working on the AD Domain Controller with this error:
>>>
>>> tkey query failed: GSSAPI error: Major = Unspecified GSS failure.  Minor code may provide more information, Minor = Server DNS/fluorine.clients.i.rdmedia.com at I.RDMEDIA.COM not found in Kerberos database.
>>> Failed nsupdate: 1
>>> update(nsupdate): SRV _ldap._tcp.Default-First-Site-Name._sites.ForestDnsZones.clients.i.rdmedia.com fluorine.clients.i.rdmedia.com 389
>>> Calling nsupdate for SRV _ldap._tcp.Default-First-Site-Name._sites.ForestDnsZones.clients.i.rdmedia.com fluorine.clients.i.rdmedia.com 389 (add)
>>> Outgoing update query:
>>> ;; ->>HEADER<<- opcode: UPDATE, status: NOERROR, id:      0
>>> ;; flags:; ZONE: 0, PREREQ: 0, UPDATE: 0, ADDITIONAL: 0
>>> ;; UPDATE SECTION:
>>> _ldap._tcp.Default-First-Site-Name._sites.ForestDnsZones.clients.i.rdmedia.com. 900 IN SRV 0 100 389 fluorine.clients.i.rdmedia.com.
>>>
>>> Many thanks in advance for your assistance.
>>>
> It would help if you would provide more details on your setup. The above
> doesn't give a clue on:
> - what are FreeIPA and Samba AD DC versions
> - on what OS versions they run, correspondingly
> - what DNS zones each of them control
> - what commands did you run
>
> --
> / Alexander Bokovoy
>



-- 
Tiemen Ruiten
Systems Engineer
R&D Media
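A small triage helper for the samba_dnsupdate output quoted in the thread, added here as an example; it is not code from the thread, from Samba or from FreeIPA. It pulls the server principal out of the "tkey query failed" line, splits it into service, host and realm, and compares that realm with the realm the host's DNS domain is expected to map to. The realm name CLIENTS.I.RDMEDIA.COM for the AD domain is an assumption (the thread never states it); I.RDMEDIA.COM is the realm that appears in the quoted error. The sample log is constructed in the shape of the quoted output, and the archive's " at " rendering of "@" is accepted alongside the real form.

```python
"""Triage GSS-TSIG (TKEY) failures in samba_dnsupdate output.

Added example, not code from the mailing-list thread, Samba or FreeIPA.
It extracts the server principal named in the GSSAPI error and flags the
case where the realm it was looked up in does not match the realm the
host's DNS domain is expected to belong to.
"""
import re

# Constructed sample in the shape of the samba_dnsupdate output quoted in the
# thread. The list archive renders '@' as ' at ', so both forms are accepted.
SAMPLE_LOG = (
    "tkey query failed: GSSAPI error: Major = Unspecified GSS failure.  "
    "Minor code may provide more information, Minor = Server "
    "DNS/fluorine.clients.i.rdmedia.com at I.RDMEDIA.COM not found in Kerberos database.\n"
    "Failed nsupdate: 1\n"
    "update(nsupdate): SRV _ldap._tcp.Default-First-Site-Name._sites.ForestDnsZones"
    ".clients.i.rdmedia.com fluorine.clients.i.rdmedia.com 389\n"
    "Calling nsupdate for SRV _ldap._tcp.Default-First-Site-Name._sites.ForestDnsZones"
    ".clients.i.rdmedia.com fluorine.clients.i.rdmedia.com 389 (add)\n"
)

# DNS domain -> Kerberos realm it is expected to map to. I.RDMEDIA.COM is the
# realm quoted in the thread; the AD realm name is an assumption.
EXPECTED_REALMS = {
    "i.rdmedia.com": "I.RDMEDIA.COM",
    "clients.i.rdmedia.com": "CLIENTS.I.RDMEDIA.COM",  # assumed
}

TKEY_RE = re.compile(
    r"tkey query failed:.*?Server (?P<service>[A-Za-z]+)/(?P<host>[^@\s]+)"
    r"(?:@| at )(?P<realm>[A-Z0-9.\-]+) not found in Kerberos database"
)
UPDATE_RE = re.compile(
    r"^update\(nsupdate\): (?P<rrtype>\S+) (?P<name>\S+) (?P<target>\S+) (?P<port>\d+)"
)


def expected_realm(host, realms=EXPECTED_REALMS):
    """Return the realm of the longest known DNS domain that is a suffix of host."""
    best = None
    for domain, realm in realms.items():
        if host == domain or host.endswith("." + domain):
            if best is None or len(domain) > len(best[0]):
                best = (domain, realm)
    return best[1] if best else None


def parse_tkey_failures(text, realms=EXPECTED_REALMS):
    """Return one finding per 'tkey query failed' line with a principal in it."""
    findings = []
    for line in text.splitlines():
        m = TKEY_RE.search(line)
        if not m:
            continue
        host, realm = m["host"], m["realm"]
        exp = expected_realm(host, realms)
        findings.append({
            "service": m["service"],
            "host": host,
            "realm": realm,
            "expected_realm": exp,
            "realm_mismatch": exp is not None and exp != realm,
        })
    return findings


def parse_failed_updates(text):
    """Return (rrtype, name, target, port) for each 'update(nsupdate):' line."""
    updates = []
    for line in text.splitlines():
        m = UPDATE_RE.match(line)
        if m:
            updates.append((m["rrtype"], m["name"], m["target"], int(m["port"])))
    return updates


def triage(text, realms=EXPECTED_REALMS):
    """Combine both parsers into human-readable messages plus the raw findings."""
    failures = parse_tkey_failures(text, realms)
    messages = []
    for f in failures:
        principal = f"{f['service']}/{f['host']}"
        if f["realm_mismatch"]:
            messages.append(
                f"{principal} was looked up in realm {f['realm']}, but its domain "
                f"maps to {f['expected_realm']}; the TKEY was authenticated against "
                f"the wrong realm's KDC or DNS server"
            )
        elif f["expected_realm"] is None:
            messages.append(f"{principal}: unknown domain, extend EXPECTED_REALMS")
        else:
            messages.append(f"{principal}@{f['realm']} is missing from its own KDC")
    return {"failures": failures, "updates": parse_failed_updates(text), "messages": messages}


if __name__ == "__main__":
    for msg in triage(SAMPLE_LOG)["messages"]:
        print(msg)
    for upd in triage(SAMPLE_LOG)["updates"]:
        print("failed update:", *upd)
```

Run against the quoted output, this reports that DNS/fluorine.clients.i.rdmedia.com was looked up in I.RDMEDIA.COM rather than in the AD realm, together with the SRV record whose update failed; that realm mismatch is the first thing to pin down before reading the trust-add debug log.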