[Freeipa-users] add trust between FreeIPA and Samba AD DC

Tiemen Ruiten t.ruiten at rdmedia.com
Fri Apr 28 10:09:18 UTC 2017


Hello,

I set up a fresh Windows Server 2012R2 instance, configured a new forest
named 'clients.rdmedia.com' and I'm getting the same error in the httpd
error_log after running 'ipa trust-add clients.rdmedia.com --type=ad
--admin=Administrator --password':

[Fri Apr 28 12:05:00.420174 2017] [:error] [pid 26417] ipa: ERROR:
non-public: RuntimeError: (-1073741811, 'Unexpected information received')
[Fri Apr 28 12:05:00.420225 2017] [:error] [pid 26417] Traceback (most
recent call last):
[Fri Apr 28 12:05:00.420230 2017] [:error] [pid 26417]   File
"/usr/lib/python2.7/site-packages/ipaserver/rpcserver.py", line 366, in
wsgi_execute
[Fri Apr 28 12:05:00.420235 2017] [:error] [pid 26417]     result =
command(*args, **options)
[Fri Apr 28 12:05:00.420239 2017] [:error] [pid 26417]   File
"/usr/lib/python2.7/site-packages/ipalib/frontend.py", line 449, in __call__
[Fri Apr 28 12:05:00.420243 2017] [:error] [pid 26417]     return
self.__do_call(*args, **options)
[Fri Apr 28 12:05:00.420247 2017] [:error] [pid 26417]   File
"/usr/lib/python2.7/site-packages/ipalib/frontend.py", line 477, in
__do_call
[Fri Apr 28 12:05:00.420251 2017] [:error] [pid 26417]     ret =
self.run(*args, **options)
[Fri Apr 28 12:05:00.420255 2017] [:error] [pid 26417]   File
"/usr/lib/python2.7/site-packages/ipalib/frontend.py", line 799, in run
[Fri Apr 28 12:05:00.420258 2017] [:error] [pid 26417]     return
self.execute(*args, **options)
[Fri Apr 28 12:05:00.420262 2017] [:error] [pid 26417]   File
"/usr/lib/python2.7/site-packages/ipaserver/plugins/trust.py", line 739, in
execute
[Fri Apr 28 12:05:00.420267 2017] [:error] [pid 26417]     result =
self.execute_ad(full_join, *keys, **options)
[Fri Apr 28 12:05:00.420297 2017] [:error] [pid 26417]   File
"/usr/lib/python2.7/site-packages/ipaserver/plugins/trust.py", line 989, in
execute_ad
[Fri Apr 28 12:05:00.420304 2017] [:error] [pid 26417]     trust_type
[Fri Apr 28 12:05:00.420308 2017] [:error] [pid 26417]   File
"/usr/lib/python2.7/site-packages/ipaserver/dcerpc.py", line 1683, in
join_ad_full_credentials
[Fri Apr 28 12:05:00.420312 2017] [:error] [pid 26417]     trust_type,
trust_external)
[Fri Apr 28 12:05:00.420316 2017] [:error] [pid 26417]   File
"/usr/lib/python2.7/site-packages/ipaserver/dcerpc.py", line 1363, in
establish_trust
[Fri Apr 28 12:05:00.420320 2017] [:error] [pid 26417]
self.update_ftinfo(another_domain)
[Fri Apr 28 12:05:00.420324 2017] [:error] [pid 26417]   File
"/usr/lib/python2.7/site-packages/ipaserver/dcerpc.py", line 1252, in
update_ftinfo
[Fri Apr 28 12:05:00.420328 2017] [:error] [pid 26417]     ftinfo, 0)
[Fri Apr 28 12:05:00.420331 2017] [:error] [pid 26417] RuntimeError:
(-1073741811, 'Unexpected information received')
[Fri Apr 28 12:05:00.420975 2017] [:error] [pid 26417] ipa: INFO:
[jsonserver_session] admin at I.RDMEDIA.COM: trust_add/1(u'clients.rdmedia.com',
trust_type=u'ad', realm_admin=u'Administrator', realm_passwd=u'********',
version=u'2.213'): RuntimeError

Am I doing something wrong? Logs are of course available privately on
request.

On 14 April 2017 at 15:13, Alexander Bokovoy <abokovoy at redhat.com> wrote:

> On pe, 14 huhti 2017, Tiemen Ruiten wrote:
>
>> Yes, office.rdmedia.com is the Samba AD domain.
>>
>> [root at fluorine samba]# samba-tool domain trust list
>> Type[Forest]   Transitive[Yes] Direction[INCOMING] Name[i.rdmedia.com]
>> [root at fluorine samba]# samba-tool domain trust show i.rdmedia.com
>> LocalDomain Netbios[OFFICE] DNS[office.rdmedia.com]
>> SID[S-1-5-21-482924559-3201240232-3198541477]
>> TrusteDomain:
>>
>> NetbiosName:    IPA
>> DnsName:        i.rdmedia.com
>> SID:            S-1-5-21-3716778977-2487905546-4034507762
>> Type:           0x2 (UPLEVEL)
>> Direction:      0x1 (INBOUND)
>> Attributes:     0x8 (FOREST_TRANSITIVE)
>> PosixOffset:    0x00000000 (0)
>> kerb_EncTypes:  0x1c
>> (RC4_HMAC_MD5,AES128_CTS_HMAC_SHA1_96,AES256_CTS_HMAC_SHA1_96)
>> Namespaces[0] TDO[i.rdmedia.com]:
>>
> Ok, thanks. I'll look into this part of Samba code later, after Easter.
>
>
>
>>
>> On 14 April 2017 at 14:07, Alexander Bokovoy <abokovoy at redhat.com> wrote:
>>
>> On pe, 14 huhti 2017, Tiemen Ruiten wrote:
>>>
>>> Hello Alexander,
>>>>
>>>> That's strange, when I try to setup a trust with a domain that isn't a
>>>> subdomain of FreeIPA, I get the same error. I reran:
>>>>
>>>> ipa-adtrust-install --netbios-name=IPA
>>>>
>>>> and then ran:
>>>>
>>>> ipa trust-add --type=ad office.rdmedia.com --admin Administrator
>>>> --password
>>>>
>>>> office.rdmedia.com is Samba AD?
>>>
>>> Then please show output of
>>>
>>>  samba-tool domain trust list
>>>
>>> and for each domain name in the output above show
>>>
>>>  samba-tool domain trust show <name>
>>>
>>>
>>>
>>>
>>>
>>> Last bit of the error_log:
>>>>
>>>> rpc reply data:
>>>> [0000] 00 00 00 00                                        ....
>>>>     lsa_lsaRSetForestTrustInformation: struct
>>>> lsa_lsaRSetForestTrustInformation
>>>>        in: struct lsa_lsaRSetForestTrustInformation
>>>>            handle                   : *
>>>>                handle: struct policy_handle
>>>>                    handle_type              : 0x00000000 (0)
>>>>                    uuid                     :
>>>> 43cfa5e6-c10a-49a5-9b75-f7284ee44aac
>>>>            trusted_domain_name      : *
>>>>                trusted_domain_name: struct lsa_StringLarge
>>>>                    length                   : 0x001a (26)
>>>>                    size                     : 0x001c (28)
>>>>                    string                   : *
>>>>                        string                   : 'i.rdmedia.com'
>>>>            highest_record_type      : LSA_FOREST_TRUST_DOMAIN_INFO (2)
>>>>            forest_trust_info        : *
>>>>                forest_trust_info: struct lsa_ForestTrustInformation
>>>>                    count                    : 0x00000004 (4)
>>>>                    entries                  : *
>>>>                        entries: ARRAY(4)
>>>>                            entries                  : *
>>>>                                entries: struct lsa_ForestTrustRecord
>>>>                                    flags                    : 0x00000000
>>>> (0)
>>>>                                           0: LSA_TLN_DISABLED_NEW
>>>>                                           0: LSA_TLN_DISABLED_ADMIN
>>>>                                           0: LSA_TLN_DISABLED_CONFLICT
>>>>                                           0: LSA_SID_DISABLED_ADMIN
>>>>                                           0: LSA_SID_DISABLED_CONFLICT
>>>>                                           0: LSA_NB_DISABLED_ADMIN
>>>>                                           0: LSA_NB_DISABLED_CONFLICT
>>>>                                    type                     :
>>>> LSA_FOREST_TRUST_TOP_LEVEL_NAME (0)
>>>>                                    time                     : Mon Apr 10
>>>> 08:43:18 2017 CEST
>>>>                                    forest_trust_data        : union
>>>> lsa_ForestTrustData(case 0)
>>>>                                    top_level_name: struct
>>>> lsa_StringLarge
>>>>                                        length                   : 0x002c
>>>> (44)
>>>>                                        size                     : 0x002e
>>>> (46)
>>>>                                        string                   : *
>>>>                                            string                   : 'test.ams.i.rdmedia.com'
>>>>                            entries                  : *
>>>>                                entries: struct lsa_ForestTrustRecord
>>>>                                    flags                    : 0x00000000
>>>> (0)
>>>>                                           0: LSA_TLN_DISABLED_NEW
>>>>                                           0: LSA_TLN_DISABLED_ADMIN
>>>>                                           0: LSA_TLN_DISABLED_CONFLICT
>>>>                                           0: LSA_SID_DISABLED_ADMIN
>>>>                                           0: LSA_SID_DISABLED_CONFLICT
>>>>                                           0: LSA_NB_DISABLED_ADMIN
>>>>                                           0: LSA_NB_DISABLED_CONFLICT
>>>>                                    type                     :
>>>> LSA_FOREST_TRUST_TOP_LEVEL_NAME (0)
>>>>                                    time                     : Mon Apr 10
>>>> 08:43:18 2017 CEST
>>>>                                    forest_trust_data        : union
>>>> lsa_ForestTrustData(case 0)
>>>>                                    top_level_name: struct
>>>> lsa_StringLarge
>>>>                                        length                   : 0x002c
>>>> (44)
>>>>                                        size                     : 0x002e
>>>> (46)
>>>>                                        string                   : *
>>>>                                            string                   : 'prod.ams.i.rdmedia.com'
>>>>                            entries                  : *
>>>>                                entries: struct lsa_ForestTrustRecord
>>>>                                    flags                    : 0x00000000
>>>> (0)
>>>>                                           0: LSA_TLN_DISABLED_NEW
>>>>                                           0: LSA_TLN_DISABLED_ADMIN
>>>>                                           0: LSA_TLN_DISABLED_CONFLICT
>>>>                                           0: LSA_SID_DISABLED_ADMIN
>>>>                                           0: LSA_SID_DISABLED_CONFLICT
>>>>                                           0: LSA_NB_DISABLED_ADMIN
>>>>                                           0: LSA_NB_DISABLED_CONFLICT
>>>>                                    type                     :
>>>> LSA_FOREST_TRUST_TOP_LEVEL_NAME (0)
>>>>                                    time                     : Mon Apr 10
>>>> 08:43:18 2017 CEST
>>>>                                    forest_trust_data        : union
>>>> lsa_ForestTrustData(case 0)
>>>>                                    top_level_name: struct
>>>> lsa_StringLarge
>>>>                                        length                   : 0x001a
>>>> (26)
>>>>                                        size                     : 0x001c
>>>> (28)
>>>>                                        string                   : *
>>>>                                            string                   : 'i.rdmedia.com'
>>>>                            entries                  : *
>>>>                                entries: struct lsa_ForestTrustRecord
>>>>                                    flags                    : 0x00000000
>>>> (0)
>>>>                                           0: LSA_TLN_DISABLED_NEW
>>>>                                           0: LSA_TLN_DISABLED_ADMIN
>>>>                                           0: LSA_TLN_DISABLED_CONFLICT
>>>>                                           0: LSA_SID_DISABLED_ADMIN
>>>>                                           0: LSA_SID_DISABLED_CONFLICT
>>>>                                           0: LSA_NB_DISABLED_ADMIN
>>>>                                           0: LSA_NB_DISABLED_CONFLICT
>>>>                                    type                     :
>>>> LSA_FOREST_TRUST_TOP_LEVEL_NAME (0)
>>>>                                    time                     : Mon Apr 10
>>>> 08:43:18 2017 CEST
>>>>                                    forest_trust_data        : union
>>>> lsa_ForestTrustData(case 0)
>>>>                                    top_level_name: struct
>>>> lsa_StringLarge
>>>>                                        length                   : 0x002c
>>>> (44)
>>>>                                        size                     : 0x002e
>>>> (46)
>>>>                                        string                   : *
>>>>                                            string                   : 'prod.nyc.i.rdmedia.com'
>>>>            check_only               : 0x00 (0)
>>>> rpc request data:
>>>> signed SMB2 message
>>>>     lsa_lsaRSetForestTrustInformation: struct
>>>> lsa_lsaRSetForestTrustInformation
>>>>        out: struct lsa_lsaRSetForestTrustInformation
>>>>            collision_info           : *
>>>>                collision_info           : NULL
>>>>            result                   : NT_STATUS_INVALID_PARAMETER
>>>> rpc reply data:
>>>> [0000] 00 00 00 00 0D 00 00 C0                             ........
>>>> [Fri Apr 14 13:05:15.626311 2017] [:error] [pid 22596] ipa: ERROR:
>>>> non-public: RuntimeError: (-1073741811, 'Unexpected information
>>>> received')
>>>> [Fri Apr 14 13:05:15.626384 2017] [:error] [pid 22596] Traceback (most
>>>> recent call last):
>>>> [Fri Apr 14 13:05:15.626392 2017] [:error] [pid 22596]   File
>>>> "/usr/lib/python2.7/site-packages/ipaserver/rpcserver.py", line 366, in
>>>> wsgi_execute
>>>> [Fri Apr 14 13:05:15.626399 2017] [:error] [pid 22596]     result =
>>>> command(*args, **options)
>>>> [Fri Apr 14 13:05:15.626405 2017] [:error] [pid 22596]   File
>>>> "/usr/lib/python2.7/site-packages/ipalib/frontend.py", line 449, in
>>>> __call__
>>>> [Fri Apr 14 13:05:15.626416 2017] [:error] [pid 22596]     return
>>>> self.__do_call(*args, **options)
>>>> [Fri Apr 14 13:05:15.626422 2017] [:error] [pid 22596]   File
>>>> "/usr/lib/python2.7/site-packages/ipalib/frontend.py", line 477, in
>>>> __do_call
>>>> [Fri Apr 14 13:05:15.626428 2017] [:error] [pid 22596]     ret =
>>>> self.run(*args, **options)
>>>> [Fri Apr 14 13:05:15.626434 2017] [:error] [pid 22596]   File
>>>> "/usr/lib/python2.7/site-packages/ipalib/frontend.py", line 799, in run
>>>> [Fri Apr 14 13:05:15.626439 2017] [:error] [pid 22596]     return
>>>> self.execute(*args, **options)
>>>> [Fri Apr 14 13:05:15.626445 2017] [:error] [pid 22596]   File
>>>> "/usr/lib/python2.7/site-packages/ipaserver/plugins/trust.py", line 739, in execute
>>>> [Fri Apr 14 13:05:15.626451 2017] [:error] [pid 22596]     result =
>>>> self.execute_ad(full_join, *keys, **options)
>>>> [Fri Apr 14 13:05:15.626457 2017] [:error] [pid 22596]   File
>>>> "/usr/lib/python2.7/site-packages/ipaserver/plugins/trust.py", line 989, in execute_ad
>>>> [Fri Apr 14 13:05:15.626463 2017] [:error] [pid 22596]     trust_type
>>>> [Fri Apr 14 13:05:15.626468 2017] [:error] [pid 22596]   File
>>>> "/usr/lib/python2.7/site-packages/ipaserver/dcerpc.py", line 1683, in
>>>> join_ad_full_credentials
>>>> [Fri Apr 14 13:05:15.626474 2017] [:error] [pid 22596]     trust_type,
>>>> trust_external)
>>>> [Fri Apr 14 13:05:15.626479 2017] [:error] [pid 22596]   File
>>>> "/usr/lib/python2.7/site-packages/ipaserver/dcerpc.py", line 1363, in
>>>> establish_trust
>>>> [Fri Apr 14 13:05:15.626485 2017] [:error] [pid 22596]
>>>> self.update_ftinfo(another_domain)
>>>> [Fri Apr 14 13:05:15.626490 2017] [:error] [pid 22596]   File
>>>> "/usr/lib/python2.7/site-packages/ipaserver/dcerpc.py", line 1252, in
>>>> update_ftinfo
>>>> [Fri Apr 14 13:05:15.626495 2017] [:error] [pid 22596]     ftinfo, 0)
>>>> [Fri Apr 14 13:05:15.626500 2017] [:error] [pid 22596] RuntimeError:
>>>> (-1073741811, 'Unexpected information received')
>>>> [Fri Apr 14 13:05:15.627265 2017] [:error] [pid 22596] ipa: INFO:
>>>> [jsonserver_session] admin at I.RDMEDIA.COM:
>>>> trust_add/1(u'office.rdmedia.com',
>>>> trust_type=u'ad', realm_admin=u'Administrator',
>>>> realm_passwd=u'********',
>>>> version=u'2.213'): RuntimeError
>>>>
>>>>
>>>>
>>>> On 14 April 2017 at 10:23, Alexander Bokovoy <abokovoy at redhat.com>
>>>> wrote:
>>>>
>>>> On to, 13 huhti 2017, Alexander Bokovoy wrote:
>>>>
>>>>>
>>>>> On Thu, 13 Apr 2017, Tiemen Ruiten wrote:
>>>>>
>>>>>>
>>>>>> Excerpt from the httpd error_log on the FreeIPA replica:
>>>>>>
>>>>>>>
>>>>>>> [Thu Apr 13 11:17:44.072996 2017] [:error] [pid 28346] ipa: INFO:
>>>>>>> [jsonserver_kerb] admin at I.RDMEDIA.COM: ping(): SUCCESS
>>>>>>> [Thu Apr 13 11:17:50.708019 2017] [:error] [pid 28347] ipa: ERROR:
>>>>>>> non-public: RuntimeError: (-1073741811, 'Unexpected information
>>>>>>> received')
>>>>>>>
>>>>>>> Please add 'log level = 10' to /usr/share/ipa/smb.conf.empty and
>>>>>>> re-try
>>>>>>>
>>>>>> 'ipa trust-add', then send me resulting error_log privately.
>>>>>>
>>>>>> To get back to the public mailing list, Tiemen sent me logs and I
>>>>>>
>>>>> confirm that this is the same as https://bugzilla.redhat.com/show_bug.cgi?id=1421869
>>>>>
>>>>> We currently have no solution to this problem (AD is subdomain of IPA
>>>>> domain).
>>>>>
>>>>> --
>>>>> / Alexander Bokovoy
>>>>>
>>>>>
>>>>>
>>>>
>>>> --
>>>> Tiemen Ruiten
>>>> Systems Engineer
>>>> R&D Media
>>>>
>>>>
>>> --
>>> / Alexander Bokovoy
>>>
>>>
>>
>>
>> --
>> Tiemen Ruiten
>> Systems Engineer
>> R&D Media
>>
>
> --
> / Alexander Bokovoy
>



-- 
Tiemen Ruiten
Systems Engineer
R&D Media
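An added example (my own code, not from the thread, FreeIPA or Samba): it decodes the signed error code FreeIPA reported into its NTSTATUS value, extracts the top-level names (TLNs) from a constructed excerpt shaped like the NDR dump quoted above, and checks whether a candidate AD forest's DNS name overlaps those TLNs, the condition Alexander's note (AD as a subdomain of the IPA domain) points at. The nested-TLN check at the end is my own observation about the advertised list, not a diagnosis from the thread.

```python
import re

# Constructed excerpt shaped like the 'log level = 10' NDR dump quoted in the
# thread (unwrapped, three of the four TLN records), used as sample input.
NDR_DUMP = """\
        string                   : 'i.rdmedia.com'
    highest_record_type      : LSA_FOREST_TRUST_DOMAIN_INFO (2)
        type                     : LSA_FOREST_TRUST_TOP_LEVEL_NAME (0)
            string                   : 'test.ams.i.rdmedia.com'
        type                     : LSA_FOREST_TRUST_TOP_LEVEL_NAME (0)
            string                   : 'prod.ams.i.rdmedia.com'
        type                     : LSA_FOREST_TRUST_TOP_LEVEL_NAME (0)
            string                   : 'i.rdmedia.com'
"""
TYPE_RE = re.compile(r"type\s*:\s*(LSA_FOREST_TRUST_\w+)")
STR_RE = re.compile(r"string\s*:\s*'([^']*)'")

def parse_tlns(dump):
    """Collect the names of LSA_FOREST_TRUST_TOP_LEVEL_NAME records."""
    tlns, record_type = [], None
    for line in dump.splitlines():
        m = TYPE_RE.search(line)
        if m:
            record_type = m.group(1)
            continue
        m = STR_RE.search(line)
        if m and record_type == "LSA_FOREST_TRUST_TOP_LEVEL_NAME":
            tlns.append(m.group(1).strip())
            record_type = None  # one name per record
    return tlns

def ntstatus(code):
    """FreeIPA surfaces the NTSTATUS as a signed 32-bit int in RuntimeError."""
    return code & 0xFFFFFFFF

def describe(code):
    names = {0xC000000D: "NT_STATUS_INVALID_PARAMETER"}
    value = ntstatus(code)
    return "0x%08X %s" % (value, names.get(value, "UNKNOWN"))

def is_within(child, parent):
    """True if child equals parent or is a DNS subdomain of it."""
    c = child.lower().rstrip(".").split(".")
    p = parent.lower().rstrip(".").split(".")
    return len(c) >= len(p) and c[-len(p):] == p

def tln_conflicts(local_tlns, remote_domain):
    """TLNs that the remote forest's DNS name overlaps, in either direction."""
    return [(t, "remote inside local" if is_within(remote_domain, t)
             else "local inside remote")
            for t in local_tlns
            if is_within(remote_domain, t) or is_within(t, remote_domain)]

def nested_tlns(tlns):
    """TLNs that sit under another TLN of the same list (assumed worth review)."""
    return sorted({a for a in tlns for b in tlns if a != b and is_within(a, b)})

if __name__ == "__main__":
    print(describe(-1073741811))
    for dom in ("office.rdmedia.com", "clients.rdmedia.com", "lab.i.rdmedia.com"):
        print(dom, tln_conflicts(parse_tlns(NDR_DUMP), dom) or "no TLN overlap")
    print("nested TLNs:", nested_tlns(parse_tlns(NDR_DUMP)))
```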