<html><head></head><body><div style="color:#000; background-color:#fff; font-family:HelveticaNeue, Helvetica Neue, Helvetica, Arial, Lucida Grande, sans-serif;font-size:16px"><div id="yui_3_16_0_ym19_1_1465504982716_12476"><span id="yui_3_16_0_ym19_1_1465504982716_12477">Sorry about replying privately.</span></div><div id="yui_3_16_0_ym19_1_1465504982716_12476"><span id="yui_3_16_0_ym19_1_1465504982716_12526"><br>dig provides ipv4 addresses as expected.<br>For example:<br></span></div><div id="yui_3_16_0_ym19_1_1465504982716_12478" dir="ltr">root@ipaserver.ipadomain.com:~# dig SRV _ldap._tcp.addomain.com</div><div id="yui_3_16_0_ym19_1_1465504982716_12479" dir="ltr">#this is run on the FreeIPA where idm is installed as well as integrated DNS with the addomain.com stub zone that points to #dc.addomain.com</div><div id="yui_3_16_0_ym19_1_1465504982716_12481">;; QUESTION SECTION:<br></div><div id="yui_3_16_0_ym19_1_1465504982716_12491">;_ldap._tcp.addomain.com. IN SRV</div><div id="yui_3_16_0_ym19_1_1465504982716_12492"><br id="yui_3_16_0_ym19_1_1465504982716_12493"></div><div id="yui_3_16_0_ym19_1_1465504982716_12494">;; ANSWER SECTION:</div><div id="yui_3_16_0_ym19_1_1465504982716_12495">_ldap._tcp.addomain.com. 86400 IN SRV 0 100 389 dc.addomain.com.</div><div id="yui_3_16_0_ym19_1_1465504982716_12496"><br id="yui_3_16_0_ym19_1_1465504982716_12497"></div><div id="yui_3_16_0_ym19_1_1465504982716_12498">;; AUTHORITY SECTION:</div><div id="yui_3_16_0_ym19_1_1465504982716_12499" dir="ltr">addomain.com. 
86400 IN NS ipadomain.com</div><div id="yui_3_16_0_ym19_1_1465504982716_12500"><br></div><div dir="ltr" id="yui_3_16_0_ym19_1_1465504982716_12511"><br id="yui_3_16_0_ym19_1_1465504982716_12512"></div><div class="qtdSeparateBR" id="yui_3_16_0_ym19_1_1465504982716_12383">But just in case, I have edited /etc/gai.conf with the following:<br><div id="yui_3_16_0_ym19_1_1465504982716_12750">label ::1/128 0</div><div id="yui_3_16_0_ym19_1_1465504982716_12751">label ::/0 1</div><div id="yui_3_16_0_ym19_1_1465504982716_12752">label 2002::/16 2</div><div id="yui_3_16_0_ym19_1_1465504982716_12753">label ::/96 3</div><div id="yui_3_16_0_ym19_1_1465504982716_12754">label ::ffff:0:0/96 4</div><div id="yui_3_16_0_ym19_1_1465504982716_12755">precedence ::1/128 50</div><div id="yui_3_16_0_ym19_1_1465504982716_12756">precedence ::/0 40</div><div id="yui_3_16_0_ym19_1_1465504982716_12757">precedence 2002::/16 30</div><div id="yui_3_16_0_ym19_1_1465504982716_12758">precedence ::/96 20</div><div dir="ltr" id="yui_3_16_0_ym19_1_1465504982716_12759">precedence ::ffff:0:0/96 100</div><div dir="ltr" id="yui_3_16_0_ym19_1_1465504982716_12759"><br></div><div dir="ltr" id="yui_3_16_0_ym19_1_1465504982716_12759">and restarted ipa and dns<br>ipactl stop/start and rndc reload<br><br>The trust setup still results in<br><div dir="ltr" id="yui_3_16_0_ym19_1_1465504982716_12917">Shared secret for the trust:</div><div dir="ltr" id="yui_3_16_0_ym19_1_1465504982716_12918">: ERROR: CIFS server communication error: code "None",</div><div dir="ltr" id="yui_3_16_0_ym19_1_1465504982716_12919"> message "NT_STATUS_IO_TIMEOUT" (both may be "None")</div><div dir="ltr" id="yui_3_16_0_ym19_1_1465504982716_12920"><br id="yui_3_16_0_ym19_1_1465504982716_12921"></div></div>If you want, I can provide logs.<br><br>Thanks for the help</div><div class="yahoo_quoted" id="yui_3_16_0_ym19_1_1465504982716_12406" style="display: block;"> <div style="font-family: HelveticaNeue, Helvetica Neue, Helvetica, Arial, Lucida 
Grande, sans-serif; font-size: 16px;" id="yui_3_16_0_ym19_1_1465504982716_12405"> <div style="font-family: HelveticaNeue, Helvetica Neue, Helvetica, Arial, Lucida Grande, sans-serif; font-size: 16px;" id="yui_3_16_0_ym19_1_1465504982716_12404"> <div dir="ltr" id="yui_3_16_0_ym19_1_1465504982716_12403"> <font size="2" face="Arial" id="yui_3_16_0_ym19_1_1465504982716_12407"> <hr size="1" id="yui_3_16_0_ym19_1_1465504982716_12760"> <b id="yui_3_16_0_ym19_1_1465504982716_12909"><span style="font-weight:bold;" id="yui_3_16_0_ym19_1_1465504982716_12908">From:</span></b> Alexander Bokovoy &lt;abokovoy@redhat.com&gt;<br> <b><span style="font-weight: bold;">To:</span></b> pgb205 &lt;pgb205@yahoo.com&gt; <br><b><span style="font-weight: bold;">Cc:</span></b> freeipa-users@redhat.com<br> <b><span style="font-weight: bold;">Sent:</span></b> Friday, June 10, 2016 12:14 AM<br> <b id="yui_3_16_0_ym19_1_1465504982716_12802"><span style="font-weight: bold;" id="yui_3_16_0_ym19_1_1465504982716_12801">Subject:</span></b> Re: [Freeipa-users] Can't establish trust with 2008 AD<br> </font> </div> <div class="y_msg_container" id="yui_3_16_0_ym19_1_1465504982716_12408"><br>Please don't answer directly, use mailing list.<br clear="none"><br clear="none">On Thu, 09 Jun 2016, pgb205 wrote:<br clear="none">>Alexander,<br clear="none">><br clear="none">>As far as I can say ipv6 is enabled in the kernel, as the tutorial<br clear="none">>suggests, although none of the interfaces have ipv6 addresses.<br clear="none">><br clear="none">>For example,<br clear="none">> ip a | grep inet6<br clear="none">> inet6 ::1/128 scope host<br clear="none">><br clear="none">>and<br clear="none">>ip -6 address show<br clear="none">> 1: lo: &lt;LOOPBACK,UP,LOWER_UP&gt; mtu 65536<br clear="none">> inet6 ::1/128 scope host<br clear="none">><br clear="none">>root@:~# cat /proc/sys/net/ipv6/conf/all/disable_ipv6<br clear="none">>0<br clear="none">>root@:~# cat /proc/sys/net/ipv6/conf/default/disable_ipv6<br clear="none">>0<br 
clear="none">Do any of your DNS servers respond with IPv6 addresses for AD DCs?<br clear="none">glibc DNS resolver prefers IPv6 over IPv4 in the default configuration<br clear="none">and if that happens, without IPv6 routes it becomes unreachable.<br clear="none"><br clear="none">You can control how DNS resolver works with /etc/gai.conf (does not<br clear="none">exist by default, see man page gai.conf for details) and can set IPv4<br clear="none">preference over IPv6 there, either globally or per host.<div class="yqt8613156628" id="yqtfd47756"><br clear="none"><br clear="none">><br clear="none">><br clear="none">> From: Alexander Bokovoy &lt;<a shape="rect" ymailto="mailto:abokovoy@redhat.com" href="mailto:abokovoy@redhat.com">abokovoy@redhat.com</a>&gt;<br clear="none">> To: pgb205 &lt;<a shape="rect" ymailto="mailto:pgb205@yahoo.com" href="mailto:pgb205@yahoo.com">pgb205@yahoo.com</a>&gt;<br clear="none">>Cc: "<a shape="rect" ymailto="mailto:Freeipa-users@redhat.com" href="mailto:Freeipa-users@redhat.com">Freeipa-users@redhat.com</a>" &lt;<a shape="rect" ymailto="mailto:Freeipa-users@redhat.com" href="mailto:Freeipa-users@redhat.com">Freeipa-users@redhat.com</a>&gt;<br clear="none">> Sent: Thursday, June 9, 2016 4:30 PM<br clear="none">> Subject: Re: [Freeipa-users] Can't establish trust with 2008 AD<br clear="none">><br clear="none">>On Thu, 09 Jun 2016, pgb205 wrote:<br clear="none">>>The setup is: AD 2008 domain, Latest version of FreeIpa with integrated<br clear="none">>>DNS, As the AD domain is not known to any DNS servers on the network I<br clear="none">>>have created a stub zone in Freeipa integrated dns server<br clear="none">>>addomain.com, and created A-record for DC.addomain.com as well as<br clear="none">>>_ldap.tcp.addomain.com and _kerberos.udp.addomain.com and checked with<br clear="none">>>dig that they resolve correctly, 138/139/145/389 are opened between the<br clear="none">>>servers on both tcp and udp ports<br clear="none">>>ipv6 enabled on the FreeIpa server. 
I<br clear="none">>>am using pre-shared secret to establish the trust<br clear="none">>>Run: ipa trust-add --type=ad addomain.com --trust-secret &lt;pre-shared key&gt;<br clear="none">>>and receive:<br clear="none">>>ipa: ERROR: CIFS server communication error: code "None", message "NT_STATUS_IO_TIMEOUT" (both may be "None")<br clear="none">>><br clear="none">>>I've enabled the logs as described in debugging section (I would be glad to forward the whole thing if needed)<br clear="none">>>However, relevant error that I see is:
<br clear="none">>>finddcs: DNS SRV response 0 at '&lt;ipaddr&gt;'
<br clear="none">>>finddcs: performing CLDAP query on &lt;ipaddr&gt;
<br clear="none">>>s4_tevent: Added timed event "tevent_req_timedout": 0x7f21302a8b10
<br clear="none">>>s4_tevent: Schedule immediate event "tevent_req_trigger": 0x7f2130025090
<br clear="none">>>s4_tevent: Run immediate event "tevent_req_trigger": 0x7f2130025090
<br clear="none">>>s4_tevent: Added timed event "tevent_req_timedout": 0x7f213025cb90
<br clear="none">>>s4_tevent: Running timer event 0x7f213025cb90 "tevent_req_timedout"
<br clear="none">>>s4_tevent: Schedule immediate event "tevent_req_trigger": 0x7f2130045b50
<br clear="none">>>s4_tevent: Ending timer event 0x7f213025cb90 "tevent_req_timedout"
<br clear="none">>>s4_tevent: Run immediate event "tevent_req_trigger": 0x7f2130045b50
<br clear="none">>>s4_tevent: Added timed event "tevent_req_timedout": 0x7f213025cb90
<br clear="none">>>s4_tevent: Running timer event 0x7f213025cb90 "tevent_req_timedout"
<br clear="none">>>s4_tevent: Schedule immediate event "tevent_req_trigger": 0x7f213001d230
<br clear="none">>>s4_tevent: Ending timer event 0x7f213025cb90 "tevent_req_timedout"
<br clear="none">>>s4_tevent: Run immediate event "tevent_req_trigger": 0x7f213001d230
<br clear="none">>>s4_tevent: Added timed event "tevent_req_timedout": 0x7f213025cb90
<br clear="none">>>s4_tevent: Running timer event 0x7f21302a8b10 "tevent_req_timedout"
<br clear="none">>>s4_tevent: Destroying timer event 0x7f213025cb90 "tevent_req_timedout"
<br clear="none">>>finddcs: No matching CLDAP server found
<br clear="none">>>s4_tevent: Ending timer event 0x7f21302a8b10 "tevent_req_timedout"
<br clear="none">>>[Thu Jun 09 20:39:38.703506 2016] [:error] [pid 2503] ipa: INFO: [jsonserver_session] admin@&lt;ipadomain.com&gt;: trust_add(u'addomain.com', trust_type=u'ad', trust_secret=u'********', all=False, raw=False, version=u'2.156'): RemoteRetrieveError
<br clear="none">>>Once again I would be glad to provide entire logs if needed. But would be grateful<br clear="none">>>for suggestions on how to resolve the above error.<br clear="none">>Do you have IPv6 disabled?<br clear="none">>www.freeipa.org/page/Active_Directory_trust_setup#IPv6_stack_usage<br clear="none">>-- <br clear="none">>/ Alexander Bokovoy<br clear="none">><br clear="none">><br clear="none">><br clear="none"><br clear="none">-- <br clear="none">/ Alexander Bokovoy<br clear="none"></div><br><br></div> </div> </div> </div></div></body></html>