Johnnie W Adams wrote:
So I adjusted my command line to point at the entire forest and not a single domain controller, and got both a trust and a much more interesting error:
ipa: INFO: Response: {
    "error": {
        "code": 906,
        "data": {
            "error": "Fetching domains from trusted forest failed. See details in the error_log",
            "server": "rhidm1.net.example.com"
        },
        "message": "error on server 'rhidm1.net.example.com': Fetching domains from trusted forest failed. See details in the error_log",
        "name": "ServerCommandError"
    },
    "id": 0,
    "principal": "admin@NET.EXAMPLE.COM",
    "result": null,
    "version": "4.11.0"
}
ipa: ERROR: error on server 'rhidm1.net.example.com': Fetching domains from trusted forest failed. See details in the error_log
From the error_log:
[Fri Jul 19 12:31:51.363222 2024] [wsgi:error] [pid 522388:tid 522652] [remote <ip address>:39124] ipa: ERROR: Helper fetch_domains was called for forest ad.test.example.com, return code is 1
[Fri Jul 19 12:31:51.363750 2024] [wsgi:error] [pid 522388:tid 522652] [remote <ip address>:39124] ipa: ERROR: Standard output from the helper:
<snip>
[Fri Jul 19 12:31:51.364596 2024] [wsgi:error] [pid 522388:tid 522652] [remote <ip address>:39124] ipa: ERROR: environment: environ({'LANG': 'en_US.UTF-8', 'PATH': '/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin', 'PIDFILE': '/run/oddjobd.pid', 'INVOCATION_ID': '002ac795667b4ab983ffa100b2f47dd8', 'JOURNAL_STREAM': '8:36642766', 'SYSTEMD_EXEC_PID': '487987', 'LC_ALL': 'C.UTF-8', 'ODDJOB_SERVICE_NAME': 'com.redhat.idm.trust', 'ODDJOB_OBJECT_PATH': '/', 'ODDJOB_INTERFACE_NAME': 'com.redhat.idm.trust', 'ODDJOB_METHOD_NAME': 'fetch_domains', 'ODDJOB_CALLING_USER': 'ipaapi', 'KRB5_CONFIG': '/etc/krb5.conf', 'KRB5CCNAME': '/run/ipa/krb5cc_oddjob_trusts_fetch'})
What am I looking at? What am I missing?
Is DNSSEC enabled? See https://access.redhat.com/solutions/2263991
rob