On 5/30/18, 10:59 PM, "Alexander Bokovoy" <aboko...@redhat.com> wrote:

    On Wed, 30 May 2018, Merritt, Todd R - (tmerritt) wrote:
    >
    >
    >On 5/29/18, 7:59 PM, "Alexander Bokovoy" <aboko...@redhat.com> wrote:
    >
    >    On Tue, 29 May 2018, Merritt, Todd R - (tmerritt) via FreeIPA-users wrote:
    >    >Hi,
    >    >I'm trying to establish a two-way trust with an AD domain and seem to
    >    >be running into some issues. I am able to establish a one-way trust
    >    >following the guide at
    >    >https://www.freeipa.org/page/Active_Directory_trust_setup
    >    >without any issues. When I destroy that trust and try to establish a
    >    >new one with two-way specified to the same AD domain it throws what I
    >    >believe to be a misleading error message and the trust is not
    >    >established.
    >    How did you destroy that trust?
    >
    >    >[root@IPA.DOMAIN /]# ipa trust-add --type=ad AD_DOMAIN --admin AD_ADMIN_USER --password --two-way=true
    >    >Active Directory domain administrator's password:
    >    >ipa: ERROR: AD DC was unable to reach any IPA domain controller. Most likely it is a DNS or firewall issue
    >    >
    >    >I've checked that both the AD DC and the FreeIPA hosts can resolve the
    >    >service entries and verified that there are no firewall blocks in place
    >    >between these two hosts. I believe the issue is an LDAP permission
    >    >issue of some sort based on the following log snippet
    >    Add 'log level = 100' to /usr/share/ipa/smb.conf.empty and re-try with
    >    'ipa trust-add'. You'll get additional debug information in httpd's
    >    error_log. Provide that one off-list.
    >
    >Thanks, I removed it with trust-del
    >
    >[root@IPA.DOMAIN /]# ipa trust-del AD_DOMAIN
    >-------------------------
    >Deleted trust "AD_DOMAIN"
    >-------------------------
    >
    >I'll send you a copy of the http error log directly.
    Thanks. Looking at the error_log, I see two issues:
    
    Validation of trust failed because AD DCs were unable to reach IPA
    DCs. This typically means AD DCs are unable to discover IPA DCs over DNS SRV
    records -- they look them up using standard Active Directory discovery means,
    e.g. trying to find the SRV record for
    _ldap._tcp.Default-First-Site-Name._sites.dc._msdcs.$IPA_DOMAIN
    
    Can you show output of 'ipa dns-update-system-records --dry-run'?
    
         netr_LogonControl2Ex: struct netr_LogonControl2Ex
            out: struct netr_LogonControl2Ex
                query                    : *
                    query                    : union netr_CONTROL_QUERY_INFORMATION(case 2)
                    info2                    : *
                        info2: struct netr_NETLOGON_INFO_2
                            flags                    : 0x00000080 (128)
                                   0: NETLOGON_REPLICATION_NEEDED
                                   0: NETLOGON_REPLICATION_IN_PROGRESS
                                   0: NETLOGON_FULL_SYNC_REPLICATION
                                   0: NETLOGON_REDO_NEEDED
                                   0: NETLOGON_HAS_IP
                                   0: NETLOGON_HAS_TIMESERV
                                   0: NETLOGON_DNS_UPDATE_FAILURE
                                   1: NETLOGON_VERIFY_STATUS_RETURNED
                            pdc_connection_status    : WERR_NO_LOGON_SERVERS
                            trusted_dc_name          : *
                                trusted_dc_name          : ''
                            tc_connection_status     : WERR_NO_LOGON_SERVERS
                result                   : WERR_OK
    


[root@IPA /]# rpm -q ipa-server 
ipa-server-4.2.0-15.0.1.el7.centos.19.x86_64
[root@IPA /]# ipa dns-update-system-records --dry-run
ipa: ERROR: unknown command 'dns-update-system-records'

If I try to manually lookup that domain I get an NXDOMAIN

[root@IPA /]# nslookup -type=srv ldap._tcp.Default-First-Site-Name._sites.dc._msdcs.IPA_DOMAIN
Server:         127.0.0.1
Address:        127.0.0.1#53

** server can't find ldap._tcp.Default-First-Site-Name._sites.dc._msdcs.IPA_DOMAIN: NXDOMAIN

--
Thanks,
Todd
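An offline checker for the discovery records discussed in this thread, added here as an illustration; it is not code from the thread or from the FreeIPA project. It builds the dc._msdcs SRV owner names that ipa-adtrust-install asks an external DNS server to publish for an IPA domain (the site-less and the Default-First-Site-Name._sites forms of _ldap._tcp, _kerberos._tcp and _kerberos._udp), resolves each through a pluggable resolver and reports the ones that return no answer. The domain ipa.example.test, the sample zone, the port numbers and the dig-based live resolver are assumptions. Matching is exact on the owner name, so a label queried without its leading underscore is a different name and comes back as NXDOMAIN.

```python
#!/usr/bin/env python3
"""Check the DNS SRV records an Active Directory DC uses to locate FreeIPA
domain controllers (the dc._msdcs subtree of the IPA domain).

Added example, not FreeIPA project code. The record set mirrors what
ipa-adtrust-install asks an external DNS server to publish; the site name,
the port numbers, the domain ipa.example.test and the sample zone are
assumptions made for this demonstration.
"""
import subprocess
from typing import Callable, Dict, List, Optional, Tuple

SrvRecord = Tuple[int, int, int, str]                  # priority, weight, port, target
Resolver = Callable[[str], Optional[List[SrvRecord]]]  # None means no answer / NXDOMAIN

DEFAULT_SITE = "Default-First-Site-Name"               # AD's default site name (assumed unchanged)


def msdcs_srv_names(ipa_domain: str, site: str = DEFAULT_SITE) -> List[str]:
    """Owner names an AD DC queries under dc._msdcs.<ipa_domain> for DC discovery.

    Both the site-less and the site-specific (_sites) forms are listed; the
    thread quotes the site-specific _ldap._tcp name as the one AD looks for.
    """
    base = f"dc._msdcs.{ipa_domain.rstrip('.')}"
    names: List[str] = []
    for service in ("_ldap._tcp", "_kerberos._tcp", "_kerberos._udp"):
        names.append(f"{service}.{base}")
        names.append(f"{service}.{site}._sites.{base}")
    return names


def check_msdcs_srv(ipa_domain: str, resolve: Resolver,
                    site: str = DEFAULT_SITE) -> Dict[str, Optional[List[SrvRecord]]]:
    """Resolve every expected name; a None value marks a record AD cannot find."""
    return {name: resolve(name) for name in msdcs_srv_names(ipa_domain, site)}


def missing_names(results: Dict[str, Optional[List[SrvRecord]]]) -> List[str]:
    """Names that returned no SRV answer, in query order."""
    return [name for name, rrs in results.items() if not rrs]


def zone_resolver(zone: Dict[str, List[SrvRecord]]) -> Resolver:
    """Offline resolver over a dict zone. Owner names are compared exactly
    (case-insensitively, trailing dot ignored), so "_ldap._tcp..." and
    "ldap._tcp..." are different names and the latter yields None."""
    normalized = {owner.rstrip(".").lower(): rrs for owner, rrs in zone.items()}

    def resolve(name: str) -> Optional[List[SrvRecord]]:
        return normalized.get(name.rstrip(".").lower())
    return resolve


def dig_resolver(server: Optional[str] = None) -> Resolver:
    """Live resolver built on dig(1): parses `dig +short SRV <name>` output,
    one "prio weight port target." line per record. Pass the resolver the
    AD DC uses as `server` to check what the AD side can see."""
    def resolve(name: str) -> Optional[List[SrvRecord]]:
        cmd = ["dig", "+short", "SRV", name] + ([f"@{server}"] if server else [])
        out = subprocess.run(cmd, capture_output=True, text=True, check=False).stdout
        records: List[SrvRecord] = []
        for line in out.splitlines():
            parts = line.split()
            if len(parts) == 4 and all(p.isdigit() for p in parts[:3]):
                records.append((int(parts[0]), int(parts[1]), int(parts[2]), parts[3]))
        return records or None
    return resolve


def build_sample_zone(ipa_domain: str = "ipa.example.test") -> Dict[str, List[SrvRecord]]:
    """Constructed zone (assumption): every expected record for ipa_domain
    except the site-specific _ldap._tcp one, so the checker has a gap to report."""
    zone: Dict[str, List[SrvRecord]] = {}
    for name in msdcs_srv_names(ipa_domain):
        port = 389 if name.startswith("_ldap.") else 88   # LDAP vs Kerberos
        zone[name] = [(0, 100, port, f"{ipa_domain}.")]
    del zone[f"_ldap._tcp.{DEFAULT_SITE}._sites.dc._msdcs.{ipa_domain}"]
    return zone


SAMPLE_ZONE = build_sample_zone()

if __name__ == "__main__":
    results = check_msdcs_srv("ipa.example.test", zone_resolver(SAMPLE_ZONE))
    for owner, rrs in results.items():
        print(f"{'OK     ' if rrs else 'MISSING'} {owner}")
```

Run as-is it reports the one record the constructed zone omits; for a live check, swap in dig_resolver(), optionally with the address of the resolver the AD DC uses, since the question trust validation asks is whether the AD side can find the IPA DCs, not whether the IPA server can find itself.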

_______________________________________________
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org
Fedora Code of Conduct: https://getfedora.org/code-of-conduct.html
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedoraproject.org/archives/list/freeipa-users@lists.fedorahosted.org/message/653MTI3FOL5MBD3BD7QQBUGIAYAWOQZJ/
