[Freeipa-users] (no subject)

Fraser Tweedale ftweedal at redhat.com
Wed Apr 19 02:56:40 UTC 2017


On Thu, Apr 13, 2017 at 04:49:59PM +0200, Tiemen Ruiten wrote:
> Hello!
> 
> As I understand from this
> <https://www.redhat.com/archives/freeipa-users/2016-October/msg00147.html>
> thread,
> it should be possible to set up a trust between FreeIPA and Samba4. My AD
> domain is clients.i.rdmedia.com, it's a subdomain of my FreeIPA domain,
> i.rdmedia.com. Therefore I added a global forwarder on the Samba AD DC to
> one of the FreeIPA replicas and lookup of SRV records in both domains
> appears to work.
> 
> However, when I try to add the trust I get "ipa: ERROR an internal error has
> occurred". I ran the trust-add command with full debug logging as described
> on https://www.freeipa.org/page/Active_Directory_trust_setup#Debugging_trust,
> so I can provide these logs privately upon request.
> 
We do not yet support trusts to Samba 4 AD DC.  It is an open
ticket: https://pagure.io/freeipa/issue/4866

I do not think it is a priority at this time.  Alexander (Cc) could
possibly provide an update.

Thanks,
Fraser

> I suspect some DNS issue, as right after I try to set up the trust, dynamic
> updates stop working on the AD Domain Controller with this error:
> 
> tkey query failed: GSSAPI error: Major = Unspecified GSS failure.  Minor
> code may provide more information, Minor = Server DNS/
> fluorine.clients.i.rdmedia.com at I.RDMEDIA.COM not found in Kerberos database.
> Failed nsupdate: 1
> update(nsupdate): SRV _ldap._tcp.Default-First-Site-Name._
> sites.ForestDnsZones.clients.i.rdmedia.com fluorine.clients.i.rdmedia.com
> 389
> Calling nsupdate for SRV _ldap._tcp.Default-First-Site-Name._
> sites.ForestDnsZones.clients.i.rdmedia.com fluorine.clients.i.rdmedia.com
> 389 (add)
> Outgoing update query:
> ;; ->>HEADER<<- opcode: UPDATE, status: NOERROR, id:      0
> ;; flags:; ZONE: 0, PREREQ: 0, UPDATE: 0, ADDITIONAL: 0
> ;; UPDATE SECTION:
> _ldap._tcp.Default-First-Site-Name._
> sites.ForestDnsZones.clients.i.rdmedia.com. 900 IN SRV 0 100 389
> fluorine.clients.i.rdmedia.com.
> 
> Many thanks in advance for your assistance.
> 
> 
> -- 
> Tiemen Ruiten
> Systems Engineer
> R&D Media
