[Freeipa-users] Any good CLI methods for testing connectivity from IPA replica to remote AD servers?

Jakub Hrozek jhrozek at redhat.com
Mon Jan 2 08:26:57 UTC 2017


On Wed, Dec 28, 2016 at 08:52:41AM -0500, Chris Dagdigian wrote:
> 
> Hi folks,
> 
> I may have network blocks between one of my IPA replicas and the *many*
> remote AD servers that need to be queried but I can only see evidence of
> this in the authentication failures and the debug level logging.
> 
> Not sure how to test from the command line to verify connectivity or narrow
> down which ports may be getting blocked.
> 
> Are there any common CLI techniques, ldaps:// search queries or other
> commands that could be run from an IPA replica to confirm basic
> communication with a remote AD controller?

1) kinit with the trust keytab. The exact principals depend on your IPA
and Windows realm names, in my test setup it is:

# ls /var/lib/sss/keytabs/
win.trust.test.keytab
# kinit -kt /var/lib/sss/keytabs/win.trust.test.keytab 'IPA$@WIN.TRUST.TEST'
(the principal is taken from the keytab, see klist -k
/var/lib/sss/keytabs/win.trust.test.keytab)

2) search the DC
# ldapsearch -Y GSSAPI -H ldap://dc.win.trust.test -b dc=win,dc=trust,dc=test -s base

btw at the moment it is not possible to set custom DCs to talk to. This
feature will come in the next version (sssd-1-15).
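The two steps above wrapped into a checker script that also reports which DC ports a replica cannot reach, as an added example that is not part of this thread. The port list, the SRV lookup under _msdcs, and the helper names are my assumptions; it expects dig, timeout, bash, kinit and ldapsearch on the replica.

```shell
#!/usr/bin/env bash
# Added example (not from the thread): probe AD DCs from an IPA replica.

# Ports an IPA/SSSD replica must reach on an AD DC (assumed list:
# Kerberos, LDAP, LDAPS, global catalog, global catalog over TLS, SMB).
AD_PORTS="88 389 636 3268 3269 445"

# Turn 'dig +short SRV' lines ("<prio> <weight> <port> <target>.")
# into bare DC hostnames without the trailing dot.
parse_srv_targets() {
    awk 'NF == 4 { sub(/\.$/, "", $4); print $4 }'
}

# Convert "win.trust.test" into "dc=win,dc=trust,dc=test".
realm_to_basedn() {
    printf '%s' "$1" |
        awk -F. '{ for (i = 1; i <= NF; i++) printf "%sdc=%s", (i > 1 ? "," : ""), $i }'
}

# Succeed only if a TCP connection to host:port opens within 3 seconds.
probe_port() {
    timeout 3 bash -c "exec 3<>/dev/tcp/$1/$2" 2>/dev/null
}

# Authenticate with the trust keytab, then walk every DC of the realm:
# report each blocked port and try the GSSAPI base search from the reply.
check_ad_dcs() {
    realm="$1"     # e.g. win.trust.test
    keytab="$2"    # e.g. /var/lib/sss/keytabs/win.trust.test.keytab
    # First principal listed by 'klist -k' (entries start on line 4).
    princ=$(klist -k "$keytab" | awk 'NR > 3 { print $2; exit }')
    kinit -kt "$keytab" "$princ" || return 1
    dig +short SRV "_ldap._tcp.dc._msdcs.$realm" | parse_srv_targets |
    while read -r dc; do
        for p in $AD_PORTS; do
            probe_port "$dc" "$p" && echo "$dc:$p open" || echo "$dc:$p BLOCKED"
        done
        if ldapsearch -Y GSSAPI -H "ldap://$dc" \
               -b "$(realm_to_basedn "$realm")" -s base >/dev/null 2>&1; then
            echo "$dc GSSAPI base search OK"
        else
            echo "$dc GSSAPI base search FAILED"
        fi
    done
}
# Usage on the replica: check_ad_dcs win.trust.test /var/lib/sss/keytabs/win.trust.test.keytab
```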



