[Freeipa-users] add trust between FreeIPA and Samba AD DC

Alexander Bokovoy abokovoy at redhat.com
Thu Apr 13 19:44:06 UTC 2017


On Thu, 13 Apr 2017, Tiemen Ruiten wrote:
>Excerpt from the httpd error_log on the FreeIPA replica:
>
>[Thu Apr 13 11:17:44.072996 2017] [:error] [pid 28346] ipa: INFO: [jsonserver_kerb] admin at I.RDMEDIA.COM: ping(): SUCCESS
>[Thu Apr 13 11:17:50.708019 2017] [:error] [pid 28347] ipa: ERROR: non-public: RuntimeError: (-1073741811, 'Unexpected information received')
Please add 'log level = 10' to /usr/share/ipa/smb.conf.empty and re-try
'ipa trust-add', then send me resulting error_log privately.


>[Thu Apr 13 11:17:50.708121 2017] [:error] [pid 28347] Traceback (most recent call last):
>[Thu Apr 13 11:17:50.708132 2017] [:error] [pid 28347]   File "/usr/lib/python2.7/site-packages/ipaserver/rpcserver.py", line 366, in wsgi_execute
>[Thu Apr 13 11:17:50.708140 2017] [:error] [pid 28347]     result = command(*args, **options)
>[Thu Apr 13 11:17:50.708147 2017] [:error] [pid 28347]   File "/usr/lib/python2.7/site-packages/ipalib/frontend.py", line 449, in __call__
>[Thu Apr 13 11:17:50.708154 2017] [:error] [pid 28347]     return self.__do_call(*args, **options)
>[Thu Apr 13 11:17:50.708161 2017] [:error] [pid 28347]   File "/usr/lib/python2.7/site-packages/ipalib/frontend.py", line 477, in __do_call
>[Thu Apr 13 11:17:50.708168 2017] [:error] [pid 28347]     ret = self.run(*args, **options)
>[Thu Apr 13 11:17:50.708213 2017] [:error] [pid 28347]   File "/usr/lib/python2.7/site-packages/ipalib/frontend.py", line 799, in run
>[Thu Apr 13 11:17:50.708223 2017] [:error] [pid 28347]     return self.execute(*args, **options)
>[Thu Apr 13 11:17:50.708229 2017] [:error] [pid 28347]   File "/usr/lib/python2.7/site-packages/ipaserver/plugins/trust.py", line 739, in execute
>[Thu Apr 13 11:17:50.708237 2017] [:error] [pid 28347]     result = self.execute_ad(full_join, *keys, **options)
>[Thu Apr 13 11:17:50.708244 2017] [:error] [pid 28347]   File "/usr/lib/python2.7/site-packages/ipaserver/plugins/trust.py", line 989, in execute_ad
>[Thu Apr 13 11:17:50.708258 2017] [:error] [pid 28347]     trust_type
>[Thu Apr 13 11:17:50.708265 2017] [:error] [pid 28347]   File "/usr/lib/python2.7/site-packages/ipaserver/dcerpc.py", line 1683, in join_ad_full_credentials
>[Thu Apr 13 11:17:50.708272 2017] [:error] [pid 28347]     trust_type, trust_external)
>[Thu Apr 13 11:17:50.708279 2017] [:error] [pid 28347]   File "/usr/lib/python2.7/site-packages/ipaserver/dcerpc.py", line 1363, in establish_trust
>[Thu Apr 13 11:17:50.708285 2017] [:error] [pid 28347]     self.update_ftinfo(another_domain)
>[Thu Apr 13 11:17:50.708292 2017] [:error] [pid 28347]   File "/usr/lib/python2.7/site-packages/ipaserver/dcerpc.py", line 1252, in update_ftinfo
>[Thu Apr 13 11:17:50.708299 2017] [:error] [pid 28347]     ftinfo, 0)
>[Thu Apr 13 11:17:50.708305 2017] [:error] [pid 28347] RuntimeError: (-1073741811, 'Unexpected information received')
>[Thu Apr 13 11:17:50.709161 2017] [:error] [pid 28347] ipa: INFO: [jsonserver_kerb] admin at I.RDMEDIA.COM: trust_add/1(u'clients.i.rdmedia.com', trust_type=u'ad', realm_admin=u'Administrator', realm_passwd=u'********', version=u'2.213'): RuntimeError
>
>
>On 13 April 2017 at 18:08, Tiemen Ruiten <t.ruiten at rdmedia.com> wrote:
>
>> Of course:
>>
>> FreeIPA versions:
>> [root at ipa-ams-01 samba]# rpm -qa | grep ipa
>> libipa_hbac-1.14.0-43.el7_3.14.x86_64
>> sssd-ipa-1.14.0-43.el7_3.14.x86_64
>> python2-ipaclient-4.4.0-14.el7.centos.7.noarch
>> ipa-server-trust-ad-4.4.0-14.el7.centos.7.x86_64
>> ipa-client-common-4.4.0-14.el7.centos.7.noarch
>> python-iniparse-0.4-9.el7.noarch
>> python-libipa_hbac-1.14.0-43.el7_3.14.x86_64
>> python2-ipalib-4.4.0-14.el7.centos.7.noarch
>> ipa-admintools-4.4.0-14.el7.centos.7.noarch
>> ipa-server-common-4.4.0-14.el7.centos.7.noarch
>> ipa-server-4.4.0-14.el7.centos.7.x86_64
>> ipa-server-dns-4.4.0-14.el7.centos.7.noarch
>> python-ipaddress-1.0.16-2.el7.noarch
>> ipa-client-4.4.0-14.el7.centos.7.x86_64
>> python2-ipaserver-4.4.0-14.el7.centos.7.noarch
>> ipa-common-4.4.0-14.el7.centos.7.noarch
>>
>> Samba AD DC versions:
>> Also CentOS 7, Samba 4.6.2, built from source, configure with one option:
>> --with-systemd
>>
>> FreeIPA controls i.rdmedia.com, prod.ams.i.rdmedia.com,
>> test.ams.i.rdmedia.com and prod.nyc.i.rdmedia.com.
>> AD controls only clients.i.rdmedia.com and forwards all other DNS queries
>> to ipa-ams-01.
>>
>> Samba uses the BIND9_DLZ backend for DNS.
>>
>> Regarding the commands run: After provisioning the AD domain, I followed
>> this <https://www.freeipa.org/page/Active_Directory_trust_setup> guide,
>> except I set up the global forwarder in /etc/named.conf manually.
>>
>> I got the "ipa: ERROR an internal error has occurred" after running:
>>
>> ipa trust-add --type=ad clients.i.rdmedia.com --admin Administrator --password
>>
>> On 13 April 2017 at 17:09, Alexander Bokovoy <abokovoy at redhat.com> wrote:
>>
>>> On Thu, 13 Apr 2017, Tiemen Ruiten wrote:
>>>
>>>> Apologies, now with proper subject.
>>>>
>>>> On 13 April 2017 at 16:49, Tiemen Ruiten <t.ruiten at rdmedia.com> wrote:
>>>>
>>>>> Hello!
>>>>>
>>>>> As I understand from this
>>>>> <https://www.redhat.com/archives/freeipa-users/2016-October/msg00147.html> thread,
>>>>>
>>>>> it should be possible to set up a trust between FreeIPA and Samba4. My AD
>>>>> domain is clients.i.rdmedia.com, it's a subdomain of my FreeIPA domain,
>>>>> i.rdmedia.com. Therefore I added a global forwarder on the Samba AD DC to
>>>>> one of the FreeIPA replicas and lookup of SRV records in both domains
>>>>> appears to work.
>>>>>
>>>>> However when I try to add the trust I get "ipa: ERROR an internal error
>>>>> has occurred". I ran the trust-add command with full debug logging as
>>>>> described on https://www.freeipa.org/page/Active_Directory_trust_setup#Debugging_trust,
>>>>> so I can provide these logs privately upon request.
>>>>>
>>>>> I suspect some DNS issue, as right after I try to set up the trust, dynamic
>>>>> updates stop working on the AD Domain Controller with this error:
>>>>>
>>>>> tkey query failed: GSSAPI error: Major = Unspecified GSS failure.  Minor code may provide more information, Minor = Server DNS/fluorine.clients.i.rdmedia.com at I.RDMEDIA.COM not found in Kerberos database.
>>>>> Failed nsupdate: 1
>>>>> update(nsupdate): SRV _ldap._tcp.Default-First-Site-Name._sites.ForestDnsZones.clients.i.rdmedia.com fluorine.clients.i.rdmedia.com 389
>>>>> Calling nsupdate for SRV _ldap._tcp.Default-First-Site-Name._sites.ForestDnsZones.clients.i.rdmedia.com fluorine.clients.i.rdmedia.com 389 (add)
>>>>> Outgoing update query:
>>>>> ;; ->>HEADER<<- opcode: UPDATE, status: NOERROR, id:      0
>>>>> ;; flags:; ZONE: 0, PREREQ: 0, UPDATE: 0, ADDITIONAL: 0
>>>>> ;; UPDATE SECTION:
>>>>> _ldap._tcp.Default-First-Site-Name._sites.ForestDnsZones.clients.i.rdmedia.com. 900 IN SRV 0 100 389 fluorine.clients.i.rdmedia.com.
>>>>>
>>>>> Many thanks in advance for your assistance.
>>>>>
>>> It would help if you would provide more details on your setup. The above
>>> doesn't give a clue on:
>>> - what are FreeIPA and Samba AD DC versions
>>> - on what OS versions they run, correspondingly
>>> - what DNS zones each of them control
>>> - what commands did you run
>>>
>>> --
>>> / Alexander Bokovoy
>>>
>>
>>
>>
>> --
>> Tiemen Ruiten
>> Systems Engineer
>> R&D Media
>>
>
>
>
>-- 
>Tiemen Ruiten
>Systems Engineer
>R&D Media



-- 
/ Alexander Bokovoy
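The RuntimeError tuple in the traceback above is the raw NTSTATUS value that Samba's Python bindings raise, rendered as a signed 32-bit integer. This added example (not from the thread, FreeIPA or Samba) pulls those tuples out of an httpd error_log excerpt and decodes the NTSTATUS bitfields so the failure can be named before digging through a level-10 smb log; the log excerpt and the small lookup table are constructed for the example.

```python
import re

# Constructed excerpt of the error_log lines quoted in the thread (mail quote markers stripped).
SAMPLE_LOG = """\
[Thu Apr 13 11:17:44.072996 2017] [:error] [pid 28346] ipa: INFO: [jsonserver_kerb] admin at I.RDMEDIA.COM: ping(): SUCCESS
[Thu Apr 13 11:17:50.708019 2017] [:error] [pid 28347] ipa: ERROR: non-public: RuntimeError: (-1073741811, 'Unexpected information received')
[Thu Apr 13 11:17:50.708305 2017] [:error] [pid 28347] RuntimeError: (-1073741811, 'Unexpected information received')
"""

# Small constructed table of NTSTATUS values: the one on this page plus a few common
# neighbours; extend from the NTSTATUS reference as needed.
KNOWN_NTSTATUS = {
    0x00000000: "STATUS_SUCCESS",
    0xC000000D: "STATUS_INVALID_PARAMETER",
    0xC0000022: "STATUS_ACCESS_DENIED",
    0xC0000034: "STATUS_OBJECT_NAME_NOT_FOUND",
    0xC000006D: "STATUS_LOGON_FAILURE",
}

RUNTIME_ERROR_RE = re.compile(r"RuntimeError: \((-?\d+), '([^']*)'\)")


def find_runtime_errors(log_text):
    """Return (signed_code, message) for every RuntimeError tuple found in the log text."""
    return [(int(m.group(1)), m.group(2)) for m in RUNTIME_ERROR_RE.finditer(log_text)]


def decode_ntstatus(signed_code):
    """Reinterpret the signed 32-bit int as an unsigned NTSTATUS and split its bitfields."""
    value = signed_code & 0xFFFFFFFF          # e.g. -1073741811 -> 0xC000000D
    severity = {0: "success", 1: "informational", 2: "warning", 3: "error"}[value >> 30]
    return {
        "hex": "0x%08X" % value,
        "severity": severity,                  # top two bits
        "customer": bool(value & 0x20000000),  # bit 29: vendor-defined code
        "facility": (value >> 16) & 0x0FFF,    # bits 16-27
        "code": value & 0xFFFF,                # low 16 bits
        "name": KNOWN_NTSTATUS.get(value, "unknown"),
    }


def decode_log(log_text):
    """Decode every RuntimeError tuple in the log, keeping Samba's description text."""
    return [dict(decode_ntstatus(code), message=msg) for code, msg in find_runtime_errors(log_text)]


if __name__ == "__main__":
    for entry in decode_log(SAMPLE_LOG):
        print(entry)
```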