Hi,
The ipa trust-add command expects a domain name, not a server name. Is adtest1.ad.test.example.com a server or a domain?
You can check the DNS requirements in this doc: https://docs.redhat.com/en/documentation/Red_Hat_Enterprise_Linux/9/html/ins...
HTH, flo
On Mon, Jul 29, 2024 at 10:08 PM Rob Crittenden via FreeIPA-users <freeipa-users@lists.fedorahosted.org> wrote:
If you don't have DNS configured then this is not a dnssec issue. Creating this file is a no-op without bind configured. Which is fine. It just means it isn't dnssec-related.
rob
Johnnie W Adams via FreeIPA-users wrote:
I'm on RHEL 9 and have no /etc/named.conf file. I have tried creating one, both in /etc and in /etc/named, with the suggested dnssec configuration, but that got me no further.
On Fri, Jul 19, 2024 at 2:36 PM Rob Crittenden <rcritten@redhat.com> wrote:
Johnnie W Adams wrote:
> So I adjusted my command line to point at the entire forest and not a
> single domain controller, and got both a trust and a much more
> interesting error:
>
> ipa: INFO: Response: {
>     "error": {
>         "code": 906,
>         "data": {
>             "error": "Fetching domains from trusted forest failed. See details in the error_log",
>             "server": "rhidm1.net.example.com"
>         },
>         "message": "error on server 'rhidm1.net.example.com': Fetching domains from trusted forest failed. See details in the error_log",
>         "name": "ServerCommandError"
>     },
>     "id": 0,
>     "principal": "admin@NET.EXAMPLE.COM",
>     "result": null,
>     "version": "4.11.0"
> }
> ipa: ERROR: error on server 'rhidm1.net.example.com': Fetching domains from trusted forest failed. See details in the error_log
>
> From the error_log:
>
> [Fri Jul 19 12:31:51.363222 2024] [wsgi:error] [pid 522388:tid 522652] [remote <ip address>:39124] ipa: ERROR: Helper fetch_domains was called for forest ad.test.example.com, return code is 1
>
> [Fri Jul 19 12:31:51.363750 2024] [wsgi:error] [pid 522388:tid 522652] [remote <ip address>:39124] ipa: ERROR: Standard output from the helper:
>
> <snip>
>
> [Fri Jul 19 12:31:51.364596 2024] [wsgi:error] [pid 522388:tid 522652] [remote <ip address>:39124] ipa: ERROR: environment: environ({'LANG': 'en_US.UTF-8', 'PATH': '/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin', 'PIDFILE': '/run/oddjobd.pid', 'INVOCATION_ID': '002ac795667b4ab983ffa100b2f47dd8', 'JOURNAL_STREAM': '8:36642766', 'SYSTEMD_EXEC_PID': '487987', 'LC_ALL': 'C.UTF-8', 'ODDJOB_SERVICE_NAME': 'com.redhat.idm.trust', 'ODDJOB_OBJECT_PATH': '/', 'ODDJOB_INTERFACE_NAME': 'com.redhat.idm.trust', 'ODDJOB_METHOD_NAME': 'fetch_domains', 'ODDJOB_CALLING_USER': 'ipaapi', 'KRB5_CONFIG': '/etc/krb5.conf', 'KRB5CCNAME': '/run/ipa/krb5cc_oddjob_trusts_fetch'})
>
> What am I looking at? What am I missing?

Is DNSSEC enabled? See https://access.redhat.com/solutions/2263991

rob
--
John Adams
Senior Linux/Middleware Administrator | Information Technology Services
+1-501-916-3010 | jxadams@ualr.edu | http://ualr.edu/itservices
*UA Little Rock*
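A small triage helper for the error_log excerpt quoted in this thread, added here as an illustration (not code from FreeIPA or from any poster): it pulls failed oddjob helper calls out of httpd error_log lines and keeps the ERROR lines the same worker thread logged right after each one. The function name, record fields and sample lines are assumptions constructed from the log format shown in the thread.

```python
import re

# Prefix of the httpd error_log lines quoted in the thread.
LINE_RE = re.compile(
    r"^\[(?P<ts>[^\]]+)\] \[wsgi:error\] \[pid (?P<pid>\d+):tid (?P<tid>\d+)\] "
    r"\[remote (?P<remote>[^\]]+)\] ipa: (?P<level>[A-Z]+): (?P<msg>.*)$"
)
# "Helper fetch_domains was called for forest <name>, return code is <n>"
HELPER_RE = re.compile(
    r"^Helper (?P<helper>\S+) was called for forest (?P<forest>\S+), "
    r"return code is (?P<rc>-?\d+)$"
)

def helper_failures(lines):
    """Return one record per failed helper call, plus the ERROR lines
    the same worker thread logged right after it."""
    failures, open_by_thread = [], {}
    for raw in lines:
        m = LINE_RE.match(raw.strip())
        if not m:
            continue  # not an ipa wsgi line
        thread = (m["pid"], m["tid"])
        h = HELPER_RE.match(m["msg"])
        if h:
            open_by_thread.pop(thread, None)  # a new helper call ends the old context
            if int(h["rc"]) != 0:
                rec = {"time": m["ts"], "helper": h["helper"],
                       "forest": h["forest"], "rc": int(h["rc"]), "context": []}
                failures.append(rec)
                open_by_thread[thread] = rec
        elif thread in open_by_thread and m["level"] == "ERROR":
            open_by_thread[thread]["context"].append(m["msg"])
    return failures

# Constructed sample modelled on the lines in the thread; 192.0.2.10 is a
# documentation address standing in for the redacted "<ip address>".
P = "[Fri Jul 19 12:31:51.%s 2024] [wsgi:error] [pid 522388:tid %s] [remote 192.0.2.10:39124] ipa: "
SAMPLE = [
    P % ("363222", "522652") + "ERROR: Helper fetch_domains was called for forest ad.test.example.com, return code is 1",
    P % ("363750", "522652") + "ERROR: Standard output from the helper:",
    P % ("363900", "522700") + "INFO: line from another worker thread",
    P % ("364596", "522652") + "ERROR: environment: environ({'LANG': 'en_US.UTF-8'})",
]

if __name__ == "__main__":
    for f in helper_failures(SAMPLE):
        print(f"{f['time']}  {f['helper']}({f['forest']}) rc={f['rc']}")
        for line in f["context"]:
            print("    " + line)
```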