Johnnie W Adams wrote:
> So I adjusted my command line to point at the entire forest and not a
> single domain controller, and got both a trust and a much more
> interesting error:
>
> ipa: INFO: Response: {
>   "error": {
>     "code": 906,
>     "data": {
>       "error": "Fetching domains from trusted forest failed. See details in the error_log",
>       "server": "rhidm1.net.example.com"
>     },
>     "message": "error on server 'rhidm1.net.example.com': Fetching domains from trusted forest failed. See details in the error_log",
>     "name": "ServerCommandError"
>   },
>   "id": 0,
>   "principal": "admin@NET.EXAMPLE.COM",
>   "result": null,
>   "version": "4.11.0"
> }
>
> ipa: ERROR: error on server 'rhidm1.net.example.com': Fetching domains from trusted forest failed. See details in the error_log
>
>
> From the error_log:
>
>
> [Fri Jul 19 12:31:51.363222 2024] [wsgi:error] [pid 522388:tid 522652]
> [remote <ip address>:39124] ipa: ERROR: Helper fetch_domains was called
> for forest ad.test.example.com, return code is 1
>
> [Fri Jul 19 12:31:51.363750 2024] [wsgi:error] [pid 522388:tid 522652]
> [remote <ip address>:39124] ipa: ERROR: Standard output from the helper:
>
>
> <snip>
>
>
> [Fri Jul 19 12:31:51.364596 2024] [wsgi:error] [pid 522388:tid 522652]
> [remote <ip address>:39124] ipa: ERROR: environment: environ({'LANG':
> 'en_US.UTF-8', 'PATH':
> '/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin', 'PIDFILE':
> '/run/oddjobd.pid', 'INVOCATION_ID': '002ac795667b4ab983ffa100b2f47dd8',
> 'JOURNAL_STREAM': '8:36642766', 'SYSTEMD_EXEC_PID': '487987', 'LC_ALL':
> 'C.UTF-8', 'ODDJOB_SERVICE_NAME': 'com.redhat.idm.trust',
> 'ODDJOB_OBJECT_PATH': '/', 'ODDJOB_INTERFACE_NAME':
> 'com.redhat.idm.trust', 'ODDJOB_METHOD_NAME': 'fetch_domains',
> 'ODDJOB_CALLING_USER': 'ipaapi', 'KRB5_CONFIG': '/etc/krb5.conf',
> 'KRB5CCNAME': '/run/ipa/krb5cc_oddjob_trusts_fetch'})
>
>
> What am I looking at? What am I missing?
>
Is DNSSEC enabled? See https://access.redhat.com/solutions/2263991
rob