On Wed, 02 Oct 2019, Bernard Lheureux via FreeIPA-users wrote:
Hi all,

After a fresh install of FreeIPA 4.6.5-11.el7.centos.x86_64, fully
updated from update repo on a CentOS7 x64 server, it appears that it is
totally impossible to establish a trust with an AD running on local AD
servers, we did it a few times ago with exactly the same distribution
and had really no problem, we tried to completely reinstall the machine
and the IPA with always the same results:

ipa: ERROR: CIFS server communication error: code "3221225506",
message "{Access Denied} A process has requested access to an object
but has not been granted those access rights." (both may be "None")

Could someone point me to the direction to look for, because we are
going nuts on this? We found some tips in the /var/log/httpd/errors,
but nothing seems to provide sufficient infos...

[Wed Oct 02 12:54:57.868830 2019] [:error] [pid 2036] ipa: INFO:
[jsonserver_session] admin@DOMAIN.INTRA: trust_add/1(u'domain.intra',
trust_type=u'ad', realm_admin=u'admin', realm_passwd=u'********',
bidirectional=True, version=u'2.231'): RemoteRetrieveError

The IPA server and the AD servers are in the same VLAN with no firewall
between them. Samba version on the IPA server is the latest available:
4.9.1-6.el7.noarch

Are you really adding a trust to AD forest named 'domain.intra' from IPA
domain named 'domain.intra'? In the log above first argument to
'trust_add()' is your AD forest root domain. It cannot be the same as
IPA domain itself which is visible in the authenticated user's
principal.
--
/ Alexander Bokovoy
Sr. Principal Software Engineer
Security / Identity Management Engineering
Red Hat Limited, Finland
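
An added example, not part of the original thread and not FreeIPA code: a small Python check that reads a `trust_add` entry from the httpd error log and flags the condition raised in the reply, where the first argument to `trust_add` matches the realm of the authenticated principal. The sample line is constructed from the one quoted above; the function names and the second test domain are assumptions made for illustration.

```python
import re

# Constructed sample, modelled on the log line quoted in the thread.
SAMPLE_LOG = (
    "[Wed Oct 02 12:54:57.868830 2019] [:error] [pid 2036] ipa: INFO: "
    "[jsonserver_session] admin@DOMAIN.INTRA: trust_add/1(u'domain.intra', "
    "trust_type=u'ad', realm_admin=u'admin', realm_passwd=u'********', "
    "bidirectional=True, version=u'2.231'): RemoteRetrieveError"
)

# principal@REALM: trust_add/N(u'<target domain>', ...): <result>
TRUST_ADD_RE = re.compile(
    r"\]\s+(?P<principal>\S+@(?P<realm>[^\s:]+)):\s+"
    r"trust_add/\d+\(u?'(?P<target>[^']+)'.*?\):\s+(?P<result>\w+)"
)


def check_trust_add(line):
    """Parse one trust_add log entry; return None if the line is not one."""
    m = TRUST_ADD_RE.search(line)
    if m is None:
        return None
    # DNS names and Kerberos realms are compared case-insensitively here,
    # ignoring a trailing dot on either side.
    realm = m.group("realm").rstrip(".").lower()
    target = m.group("target").rstrip(".").lower()
    return {
        "principal": m.group("principal"),
        "target": target,
        "result": m.group("result"),
        # True means the trust target is the IPA domain itself.
        "same_as_ipa_realm": realm == target,
    }


def ntstatus_hex(code):
    """Render the decimal code from the CIFS error as a 32-bit NTSTATUS."""
    return "0x%08X" % (int(code) & 0xFFFFFFFF)


if __name__ == "__main__":
    print(check_trust_add(SAMPLE_LOG))
    # 0xC0000022 is STATUS_ACCESS_DENIED, matching the "{Access Denied}" text.
    print(ntstatus_hex("3221225506"))
```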