<div dir="ltr"><div class="gmail_signature"><div dir="ltr"><div>I've been working on an AD trust with our FreeIPA servers but have run into some of the same issues others have had. </div><div>It's well documented here; however, I feel I've mitigated these: </div><div><a href="https://bugzilla.redhat.com/show_bug.cgi?id=1219832">https://bugzilla.redhat.com/show_bug.cgi?id=1219832</a><br></div><div><br></div><div>FreeIPA servers are Fedora 22 / freeipa-server-4.2.0.</div><div>The Samba version I'm on is well past the patched version. It seems the patch is in samba-4.2.1-7.fc22 and I'm on samba-4.2.3-0 (assuming the patch is in this version). </div><div><br></div><div>I run </div><div><div># echo Password123 | ipa trust-add --type=ad ad.example.com --trust-secret</div><div>ipa: ERROR: CIFS server configuration does not allow access to \\pipe\lsarpc</div></div><div><br></div><div>I've been using "<a href="http://www.freeipa.org/page/Active_Directory_trust_setup">http://www.freeipa.org/page/Active_Directory_trust_setup</a>" as a guide.</div><div><br></div><div>Our only domains are </div><div>- EXAMPLE.COM (web pages only)</div><div>--- LX.EXAMPLE.COM ( IPA )</div><div>--- AD.EXAMPLE.COM ( Active Directory )</div><div><br></div><div>My configuration is on separate domains. AD.EXAMPLE.COM is for Active Directory and forwards all DNS to IPA ( LX.EXAMPLE.COM ), and those network requests then forward to the internet. </div><div><br></div><div>Our AD is only there to provide GPOs to desktops; everything else is run off IPA. </div><div>I've run through 'ipa-adtrust-install' but to no avail; after running through that is when I get the CIFS error. </div><div><br></div><div>I've made the network guys prove to me the ports are open. 
I've actually seen a "permit any any" on the network gear, dropped the firewalls on AD and IPA, and moved to permissive mode for testing. All of this just to check off the troubleshooting boxes. </div><div><br></div><div>NTP is good; everyone is pointed to the internal one and is on UTC. </div><div><br></div><div>I'm sure I've forgotten something; thanks to everyone for reading this. Really appreciate it. </div><div><br></div><div>My versions are listed below: </div><div><div>freeipa-admintools-4.2.0-0.fc22.x86_64</div><div>freeipa-client-4.2.0-0.fc22.x86_64</div><div>freeipa-python-4.2.0-0.fc22.x86_64</div><div>freeipa-server-4.2.0-0.fc22.x86_64</div><div>freeipa-server-trust-ad-4.2.0-0.fc22.x86_64</div><div>samba-4.2.3-0.fc22.x86_64</div><div>samba-client-4.2.3-0.fc22.x86_64</div><div>samba-client-libs-4.2.3-0.fc22.x86_64</div><div>samba-common-4.2.3-0.fc22.noarch</div><div>samba-common-libs-4.2.3-0.fc22.x86_64</div><div>samba-common-tools-4.2.3-0.fc22.x86_64</div><div>samba-dc-4.2.3-0.fc22.x86_64</div><div>samba-dc-libs-4.2.3-0.fc22.x86_64</div><div>samba-libs-4.2.3-0.fc22.x86_64</div><div>samba-python-4.2.3-0.fc22.x86_64</div><div>samba-winbind-4.2.3-0.fc22.x86_64</div><div>samba-winbind-clients-4.2.3-0.fc22.x86_64</div><div>samba-winbind-modules-4.2.3-0.fc22.x86_64</div></div><div><br></div><div><div>[root@server1 /]# systemctl status smb</div><div>● smb.service - Samba SMB Daemon</div><div> Loaded: loaded (/usr/lib/systemd/system/smb.service; disabled; vendor preset: disabled)</div><div> Active: active (running) since Fri 2015-09-11 14:43:50 UTC; 23min ago</div><div> Main PID: 31581 (smbd)</div><div> Status: "smbd: ready to serve connections..."</div><div> CGroup: /system.slice/smb.service</div><div> └─31581 /usr/sbin/smbd</div><div><br></div><div>Sep 11 14:49:40 server1.lx.example.com smbd[32207]: GSSAPI client step 1</div><div>Sep 11 14:49:40 server1.lx.example.com smbd[32207]: GSSAPI client step 2</div><div>Sep 11 14:50:03 server1.lx.example.com smbd[32235]: GSSAPI client step 1</div><div>Sep 11 14:50:03 server1.lx.example.com smbd[32235]: GSSAPI client step 1</div><div>Sep 11 14:50:03 server1.lx.example.com smbd[32235]: GSSAPI client step 1</div><div>Sep 11 14:50:03 server1.lx.example.com smbd[32235]: GSSAPI client step 2</div><div>Sep 11 14:54:46 server1.lx.example.com smbd[32276]: GSSAPI client step 1</div><div>Sep 11 14:54:46 server1.lx.example.com smbd[32276]: GSSAPI client step 1</div><div>Sep 11 14:54:46 server1.lx.example.com smbd[32276]: GSSAPI client step 1</div><div>Sep 11 14:54:46 server1.lx.example.com smbd[32276]: GSSAPI client step 2</div><div>[root@server1 /]# systemctl status nmb</div><div>● nmb.service - Samba NMB Daemon</div><div> Loaded: loaded (/usr/lib/systemd/system/nmb.service; disabled; vendor preset: disabled)</div><div> Active: active (running) since Fri 2015-09-11 14:49:56 UTC; 17min ago</div><div> Main PID: 32220 (nmbd)</div><div> Status: "nmbd: ready to serve connections..."</div><div> CGroup: /system.slice/nmb.service</div><div> └─32220 /usr/sbin/nmbd</div><div><br></div><div>Sep 11 14:50:04 server1.lx.example.com nmbd[32220]: </div><div>Sep 11 14:50:04 server1.lx.example.com nmbd[32220]: Samba server LAS01003007 is now a domain master browser for workgroup AXIEXAMPLE on subnet 192.168.1.10</div><div>Sep 11 14:50:04 server1.lx.example.com nmbd[32220]: 
</div><div>Sep 11 14:50:04 server1.lx.example.com nmbd[32220]: *****</div><div>Sep 11 14:50:19 server1.lx.example.com nmbd[32220]: [2015/09/11 14:50:19.307616, 0] ../source3/nmbd/nmbd_become_lmb.c:397(become_local_master_stage2)</div><div>Sep 11 14:50:19 server1.lx.example.com nmbd[32220]: *****</div><div>Sep 11 14:50:19 server1.lx.example.com nmbd[32220]: </div><div>Sep 11 14:50:19 server1.lx.example.com nmbd[32220]: Samba name server LAS01003007 is now a local master browser for workgroup AXIMOSAIC451 on subnet 10.100.50.37</div><div>Sep 11 14:50:19 server1.lx.example.com nmbd[32220]: </div><div>Sep 11 14:50:19 server1.lx.example.com nmbd[32220]: *****</div><div>[root@server1 /]# ipactl status</div><div><div>Directory Service: RUNNING</div><div>krb5kdc Service: RUNNING</div><div>kadmin Service: RUNNING</div><div>named Service: RUNNING</div><div>ipa_memcached Service: RUNNING</div><div>httpd Service: RUNNING</div><div>pki-tomcatd Service: RUNNING</div><div>smb Service: RUNNING</div><div>winbind Service: RUNNING</div><div>ipa-otpd Service: RUNNING</div><div>ipa-dnskeysyncd Service: RUNNING</div><div>ipa: INFO: The ipactl command was successful</div></div><div><div>[root@server1 ~]# ss -tnl</div><div>State Recv-Q Send-Q Local Address:Port Peer Address:Port </div><div>LISTEN 0 50 *:139 *:* </div><div>LISTEN 0 2 *:749 *:* </div><div>LISTEN 0 100 *:8080 *:* </div><div>LISTEN 0 5 *:464 *:* </div><div>LISTEN 0 128 *:80 *:* </div><div>LISTEN 0 10 192.168.1.10:53 *:* </div><div>LISTEN 0 10 127.0.0.1:53 *:* </div><div>LISTEN 0 128 *:22 *:* </div><div>LISTEN 0 5 *:88 *:* </div><div>LISTEN 0 128 127.0.0.1:953 *:* </div><div>LISTEN 0 100 *:8443 *:* </div><div>LISTEN 0 128 *:443 *:* </div><div>LISTEN 0 50 *:445 *:* </div><div>LISTEN 0 100 *:1024 *:* </div><div>LISTEN 0 5 *:5666 *:* </div><div>LISTEN 0 1 127.0.0.1:8005 *:* </div><div>LISTEN 0 50 *:135 *:* </div><div>LISTEN 0 100 127.0.0.1:8009 *:* </div><div>LISTEN 0 50 :::139 :::* </div><div>LISTEN 0 2 :::749 :::* </div><div>LISTEN 0 5 :::464 :::* </div><div>LISTEN 0 10 :::53 :::* </div><div>LISTEN 0 128 :::22 :::* </div><div>LISTEN 0 5 :::88 :::* </div><div>LISTEN 0 128 :::636 :::* </div><div>LISTEN 0 50 :::445 :::* </div><div>LISTEN 0 100 :::1024 :::* </div><div>LISTEN 0 5 :::5666 :::* </div><div>LISTEN 0 128 :::9090 :::* </div><div>LISTEN 0 128 :::389 :::* </div><div>LISTEN 0 50 :::135 :::* </div></div><div> </div></div><div><br></div></div></div>
</div>
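The post pastes a raw `ss -tnl` listing to show that the Samba, Kerberos, DNS and LDAP listeners are up. The script below is an added example written for this page (it is not code from the original post, from FreeIPA or from Samba) that turns that eyeballing into a repeatable check: it parses `ss -tnl` output, maps each port to the addresses it is bound to, and reports any required port that is absent or bound only to loopback. The `REQUIRED_TCP` table is an assumption drawn from the services the post shows running (named, krb5kdc, dirsrv, smbd); the authoritative firewall list is the FreeIPA AD trust setup page the post links to, and the sample listing is a constructed cut-down copy of the one in the post. A clean result from this check only rules out missing or misbound listeners; it says nothing about the `\\pipe\lsarpc` error itself, which the post ties to Samba's own configuration rather than to reachability.

```python
"""Check an `ss -tnl` listing for the TCP listeners an IPA server needs
before an AD trust can be established.

Added example, not part of the original mailing-list post. REQUIRED_TCP is
an assumption drawn from the services the post shows running; the FreeIPA AD
trust setup page is the authoritative source for the port list."""
import re

# Assumed TCP ports to verify on the IPA side (port -> service that owns it).
REQUIRED_TCP = {
    53: "DNS (named)",
    88: "Kerberos (krb5kdc)",
    135: "DCE/RPC endpoint mapper (smbd)",
    139: "NetBIOS session service (smbd)",
    389: "LDAP (dirsrv)",
    445: "SMB (smbd)",
    636: "LDAPS (dirsrv)",
}

# Addresses that mean "this machine only": a service bound here is not
# reachable by the AD domain controller.
LOOPBACK = {"127.0.0.1", "::1"}

# Constructed sample in the shape of the `ss -tnl` output quoted in the post.
SAMPLE_SS = """\
State Recv-Q Send-Q Local Address:Port Peer Address:Port
LISTEN 0 50 *:139 *:*
LISTEN 0 128 *:22 *:*
LISTEN 0 5 *:88 *:*
LISTEN 0 10 192.168.1.10:53 *:*
LISTEN 0 10 127.0.0.1:53 *:*
LISTEN 0 50 *:445 *:*
LISTEN 0 50 *:135 *:*
LISTEN 0 128 :::636 :::*
LISTEN 0 128 :::389 :::*
LISTEN 0 50 :::445 :::*
"""

# The greedy `\S+` backtracks to the last ':' so that ':::636' splits into
# address '::' (IPv6 wildcard) and port 636.
LISTEN_RE = re.compile(r"^LISTEN\s+\d+\s+\d+\s+(\S+):(\d+)\s+\S+")


def parse_listeners(ss_output):
    """Map each listening port to the set of local addresses it is bound to."""
    listeners = {}
    for line in ss_output.splitlines():
        m = LISTEN_RE.match(line.strip())
        if m:
            addr, port = m.group(1), int(m.group(2))
            listeners.setdefault(port, set()).add(addr)
    return listeners


def listener_status(listeners, port):
    """'ok' if something network-reachable listens on `port`, 'loopback-only'
    if it is bound to 127.0.0.1/::1 only, 'missing' if nothing listens at all.
    A bare '::' bind counts as ok: on Linux it also accepts IPv4 unless
    net.ipv6.bindv6only=1 is set."""
    addrs = listeners.get(port, set())
    if not addrs:
        return "missing"
    if addrs - LOOPBACK:
        return "ok"
    return "loopback-only"


def missing_ports(ss_output, required=REQUIRED_TCP):
    """(port, status, service) for every required port whose status is not 'ok'."""
    listeners = parse_listeners(ss_output)
    report = []
    for port in sorted(required):
        status = listener_status(listeners, port)
        if status != "ok":
            report.append((port, status, required[port]))
    return report


if __name__ == "__main__":
    problems = missing_ports(SAMPLE_SS)
    if not problems:
        print("all required TCP listeners are present")
    for port, status, service in problems:
        print(f"port {port} ({service}): {status}")
```

To run it against a live host instead of the embedded sample, feed it `subprocess.check_output(["ss", "-tnl"], text=True)`; the `loopback-only` status is the case worth watching for, since a daemon that is running (as `ipactl status` reports) but bound to 127.0.0.1 passes every local test and still cannot be reached by the AD side.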