Hi,

The ipa trust-add command expects a domain name, not a server name. Is adtest1.ad.test.example.com a server or a domain?

You can check the DNS requirements in this doc: https://docs.redhat.com/en/documentation/Red_Hat_Enterprise_Linux/9/html/installing_trust_between_idm_and_ad/configuring-dns-and-realm-settings-for-a-trust_installing-trust-between-idm-and-ad

HTH,
flo
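Added example (written for this reply, not code from the thread or from FreeIPA itself): a POSIX shell pre-flight that checks the two things the reply above asks about, whether the name handed to ipa trust-add is a domain rather than a domain-controller hostname, and whether the AD forest's SRV records resolve from the IdM side. It assumes dig is installed; the function names, the SOA-based domain heuristic and the SRV name list are my choices, not a documented FreeIPA interface.

```shell
#!/bin/sh
# Added example, not from the thread: DNS pre-flight for `ipa trust-add`.
# Assumes `dig` (bind-utils) is installed on the IdM server.

# Single lookup wrapper: $1 = record type, $2 = name. Prints answer records
# only, one per line, so every check below reduces to "empty or not".
resolve() {
    dig +short -t "$1" "$2" 2>/dev/null
}

# trust-add wants the forest/domain name. A domain owns an SOA record; a
# domain-controller hostname normally answers only with an A record.
name_kind() {
    if [ -n "$(resolve SOA "$1")" ]; then
        echo domain
    elif [ -n "$(resolve A "$1")" ]; then
        echo host
    else
        echo unknown
    fi
}

# SRV names the IdM server must resolve for an AD forest before the
# trust helper (fetch_domains) can locate its domain controllers.
ad_srv_names() {
    for prefix in _ldap._tcp.dc._msdcs _kerberos._tcp.dc._msdcs \
                  _ldap._tcp _kerberos._tcp; do
        echo "$prefix.$1"
    done
}

# Prints every unresolvable SRV name; returns 0 only if all resolve.
check_forest_dns() {
    rc=0
    for name in $(ad_srv_names "$1"); do
        if [ -z "$(resolve SRV "$name")" ]; then
            echo "MISSING: $name"
            rc=1
        fi
    done
    return $rc
}

# Usage: sh trust-dns-check.sh ad.test.example.com
if [ -n "${1:-}" ]; then
    echo "$1 looks like a $(name_kind "$1")"
    check_forest_dns "$1" && echo "all forest SRV records for $1 resolve"
fi
```

Run it against the forest name before retrying trust-add; a "host" verdict or any MISSING line points at the DNS setup rather than at DNSSEC.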

On Mon, Jul 29, 2024 at 10:08 PM Rob Crittenden via FreeIPA-users <freeipa-users@lists.fedorahosted.org> wrote:
If you don't have DNS configured then this is not a dnssec issue.
Creating this file is a no-op without bind configured. Which is fine. It
just means it isn't dnssec-related.

rob

Johnnie W Adams via FreeIPA-users wrote:
> I'm on RHEL 9 and have no /etc/named.conf file. I have tried
> creating one, both in /etc and in /etc/named, with the suggested dnssec
> configuration, but that got me no further.
>
> On Fri, Jul 19, 2024 at 2:36 PM Rob Crittenden <rcritten@redhat.com> wrote:
>
>     Johnnie W Adams wrote:
>     > So I adjusted my command line to point at the entire forest and not a
>     > single domain controller, and got both a trust and a much more
>     > interesting error:
>     >
>     > ipa: INFO: Response: {
>     >     "error": {
>     >         "code": 906,
>     >         "data": {
>     >             "error": "Fetching domains from trusted forest failed. See details in the error_log",
>     >             "server": "rhidm1.net.example.com"
>     >         },
>     >         "message": "error on server 'rhidm1.net.example.com': Fetching domains from trusted forest failed. See details in the error_log",
>     >         "name": "ServerCommandError"
>     >     },
>     >     "id": 0,
>     >     "principal": "admin@NET.EXAMPLE.COM",
>     >     "result": null,
>     >     "version": "4.11.0"
>     > }
>     >
>     > ipa: ERROR: error on server 'rhidm1.net.example.com': Fetching domains from trusted forest failed. See details in the error_log
>     >
>     >
>     > From the error_log:
>     >
>     >
>     > [Fri Jul 19 12:31:51.363222 2024] [wsgi:error] [pid 522388:tid 522652] [remote <ip address>:39124] ipa: ERROR: Helper fetch_domains was called for forest ad.test.example.com, return code is 1
>     >
>     > [Fri Jul 19 12:31:51.363750 2024] [wsgi:error] [pid 522388:tid 522652] [remote <ip address>:39124] ipa: ERROR: Standard output from the helper:
>     >
>     >
>     > <snip>
>     >
>     >
>     > [Fri Jul 19 12:31:51.364596 2024] [wsgi:error] [pid 522388:tid 522652] [remote <ip address>:39124] ipa: ERROR: environment: environ({'LANG': 'en_US.UTF-8', 'PATH': '/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin', 'PIDFILE': '/run/oddjobd.pid', 'INVOCATION_ID': '002ac795667b4ab983ffa100b2f47dd8', 'JOURNAL_STREAM': '8:36642766', 'SYSTEMD_EXEC_PID': '487987', 'LC_ALL': 'C.UTF-8', 'ODDJOB_SERVICE_NAME': 'com.redhat.idm.trust', 'ODDJOB_OBJECT_PATH': '/', 'ODDJOB_INTERFACE_NAME': 'com.redhat.idm.trust', 'ODDJOB_METHOD_NAME': 'fetch_domains', 'ODDJOB_CALLING_USER': 'ipaapi', 'KRB5_CONFIG': '/etc/krb5.conf', 'KRB5CCNAME': '/run/ipa/krb5cc_oddjob_trusts_fetch'})
>     >
>     >
>     > What am I looking at? What am I missing?
>     >
>
>     Is DNSSEC enabled? See https://access.redhat.com/solutions/2263991
>
>     rob
>
>
>
> --
> John Adams
> Senior Linux/Middleware Administrator | Information Technology Services
> +1-501-916-3010 | jxadams@ualr.edu | http://ualr.edu/itservices
> UA Little Rock

--
_______________________________________________
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-leave@lists.fedorahosted.org
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahosted.org
Do not reply to spam, report it: https://pagure.io/fedora-infrastructure/new_issue