Hi, folks,
Everywhere I check, I see this error associated with firewall issues. To get around that, I put my box on the same network segment as the ad boxes. No firewall between them. But I am still getting this message when I try to create a trust: ipa: ERROR: Cannot find specified domain or server name
The error in /var/log/httpd is:
[wsgi:error] [pid 506950:tid 507279] [remote <ip address>:53320] ipa: INFO: [jsonserver_session] admin@NET.EXAMPLE.COM: trust_add/1('adtest1.ad.test.example.com', trust_type='ad', realm_admin='me', realm_passwd='********', range_type='ipa-ad-trust', version='2.253'): NotFound
Any thoughts? What exactly is being not found?
Thanks,
John A
I should add that this is the error message when I run with the -vv switch:
ipa: INFO: Response: {
"error": {
"code": 4001,
"data": {
"reason": "Cannot find specified domain or server name"
},
"message": "Cannot find specified domain or server name",
"name": "NotFound"
},
"id": 0,
"principal": "admin@NET.EXAMPLE.COM",
"result": null,
"version": "4.11.0"
}
Johnnie W Adams via FreeIPA-users wrote:
Any thoughts? What exactly is being not found?
You need to enable debugging and re-run 'ipa trust-add':
- set 'log level = 50' in /usr/share/ipa/smb.conf.empty
- Add [global] debug = True in /etc/ipa/server.conf (create file if missing)
- restart httpd (systemctl restart httpd)
- re-try 'ipa trust-add'
Then look into what was logged in /var/log/httpd/error_log.
Also look on the AD side to see if the trust was created.
rob
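The procedure Rob gives above, as an added example that is not code from the thread or from FreeIPA itself: a small POSIX shell helper that applies the two debug settings idempotently (so running it twice does not leave duplicate lines), reverts them afterwards, and pulls the lines worth reading out of error_log. The file paths and the [global] section are the ones from Rob's reply; the function names, the awk key handling and the grep patterns are my own assumptions.

```shell
#!/bin/sh
# Added example, not code from the thread or from FreeIPA: apply and later
# revert the two debug settings Rob lists, idempotently, then pull the
# interesting lines out of error_log. Paths and section names are the ones
# from Rob's reply; function names and grep patterns are assumptions.

# ipa_set_kv FILE SECTION KEY VALUE
# Ensure "KEY = VALUE" is present under [SECTION] in FILE: replace an
# existing KEY line in that section, append it to the section if absent,
# create the section (and FILE) if missing. Keys may contain spaces
# ("log level"), so the comparison is on the text left of "=", trimmed.
ipa_set_kv() {
    file=$1; section=$2; key=$3; value=$4
    [ -f "$file" ] || : > "$file"
    tmp=$(mktemp) || return 1
    awk -v sec="$section" -v key="$key" -v val="$value" '
        BEGIN { insec = 0; done = 0; seen = 0 }
        /^[ \t]*\[/ {
            if (insec && !done) { print key " = " val; done = 1 }
            hdr = $0; gsub(/[ \t]/, "", hdr)
            insec = (hdr == "[" sec "]")
            if (insec) seen = 1
            print; next
        }
        {
            k = $0; sub(/=.*/, "", k); gsub(/^[ \t]+|[ \t]+$/, "", k)
            if (insec && !done && k == key) { print key " = " val; done = 1; next }
            print
        }
        END {
            if (!seen) { print "[" sec "]"; print key " = " val }
            else if (!done) { print key " = " val }
        }' "$file" > "$tmp" && cat "$tmp" > "$file"  # cat, not mv: keeps owner, mode, SELinux label
    rm -f "$tmp"
}

# ipa_unset_kv FILE SECTION KEY: drop KEY from [SECTION] in FILE.
ipa_unset_kv() {
    file=$1; section=$2; key=$3
    [ -f "$file" ] || return 0
    tmp=$(mktemp) || return 1
    awk -v sec="$section" -v key="$key" '
        /^[ \t]*\[/ { hdr = $0; gsub(/[ \t]/, "", hdr); insec = (hdr == "[" sec "]"); print; next }
        { k = $0; sub(/=.*/, "", k); gsub(/^[ \t]+|[ \t]+$/, "", k)
          if (insec && k == key) next
          print }' "$file" > "$tmp" && cat "$tmp" > "$file"
    rm -f "$tmp"
}

# ipa_trust_debug on|off: Rob's steps 1-3 on the real files (run as root).
ipa_trust_debug() {
    case $1 in
    on)
        ipa_set_kv /etc/ipa/server.conf global debug True
        ipa_set_kv /usr/share/ipa/smb.conf.empty global "log level" 50
        ;;
    off)
        ipa_unset_kv /etc/ipa/server.conf global debug
        ipa_unset_kv /usr/share/ipa/smb.conf.empty global "log level"
        ;;
    *)
        echo "usage: ipa_trust_debug on|off" >&2; return 2
        ;;
    esac
    systemctl restart httpd
}

# ipa_trust_errors LOGFILE: the lines to read after a failed trust-add;
# patterns are the ones that appear later in this thread.
ipa_trust_errors() {
    grep -E 'dns child failed|Helper fetch_domains|return code is|NotFound|ServerCommandError' "$1"
}

# usage: . ./ipa_trust_debug.sh; ipa_trust_debug on; ipa trust-add ...;
#        ipa_trust_errors /var/log/httpd/error_log; ipa_trust_debug off
```

Turn it back off once you have the log line you need: at log level 50 Samba logs every call, and with debug = True the error_log carries each request's arguments and, as John's later post shows, the helper's whole environment. The realm password is masked as ******** in the ipa log, but nothing else in that output is.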
That's some verbose error logging! I think I've found the relevant line, though:
dns child failed to find name '_ldap._tcp.adtest1.ad.test.example.com' of type SRV
I checked with dig, and this record does not appear.
So I adjusted my command line to point at the entire forest and not a single domain controller, and got both a trust and a much more interesting error:
ipa: INFO: Response: {
"error": {
"code": 906,
"data": {
"error": "Fetching domains from trusted forest failed. See details in the error_log",
"server": "rhidm1.net.example.com"
},
"message": "error on server 'rhidm1.net.example.com': Fetching domains from trusted forest failed. See details in the error_log",
"name": "ServerCommandError"
},
"id": 0,
"principal": "admin@NET.EXAMPLE.COM",
"result": null,
"version": "4.11.0"
}
ipa: ERROR: error on server 'rhidm1.net.example.com': Fetching domains from trusted forest failed. See details in the error_log
From the error_log:
[Fri Jul 19 12:31:51.363222 2024] [wsgi:error] [pid 522388:tid 522652] [remote <ip address>:39124] ipa: ERROR: Helper fetch_domains was called for forest ad.test.example.com, return code is 1
[Fri Jul 19 12:31:51.363750 2024] [wsgi:error] [pid 522388:tid 522652] [remote <ip address>:39124] ipa: ERROR: Standard output from the helper:
<snip>
[Fri Jul 19 12:31:51.364596 2024] [wsgi:error] [pid 522388:tid 522652] [remote <ip address>:39124] ipa: ERROR: environment: environ({'LANG': 'en_US.UTF-8', 'PATH': '/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin', 'PIDFILE': '/run/oddjobd.pid', 'INVOCATION_ID': '002ac795667b4ab983ffa100b2f47dd8', 'JOURNAL_STREAM': '8:36642766', 'SYSTEMD_EXEC_PID': '487987', 'LC_ALL': 'C.UTF-8', 'ODDJOB_SERVICE_NAME': 'com.redhat.idm.trust', 'ODDJOB_OBJECT_PATH': '/', 'ODDJOB_INTERFACE_NAME': 'com.redhat.idm.trust', 'ODDJOB_METHOD_NAME': 'fetch_domains', 'ODDJOB_CALLING_USER': 'ipaapi', 'KRB5_CONFIG': '/etc/krb5.conf', 'KRB5CCNAME': '/run/ipa/krb5cc_oddjob_trusts_fetch'})
What am I looking at? What am I missing?
Johnnie W Adams wrote:
What am I looking at? What am I missing?
Is DNSSEC enabled? See https://access.redhat.com/solutions/2263991
rob
I'm on RHEL 9 and have no /etc/named.conf file. I have tried creating one, both in /etc and in /etc/named, with the suggested dnssec configuration, but that got me no further.
On Fri, Jul 19, 2024 at 2:36 PM Rob Crittenden rcritten@redhat.com wrote:
Is DNSSEC enabled? See https://access.redhat.com/solutions/2263991
If you don't have DNS configured then this is not a dnssec issue. Creating this file is a no-op without bind configured. Which is fine. It just means it isn't dnssec-related.
rob
Johnnie W Adams via FreeIPA-users wrote:
I'm on RHEL 9 and have no /etc/named.conf file. I have tried creating one, both in /etc and in /etc/named, with the suggested dnssec configuration, but that got me no further.
--
John Adams
Senior Linux/Middleware Administrator | Information Technology Services
+1-501-916-3010 | jxadams@ualr.edu | http://ualr.edu/itservices
UA Little Rock
Reminder: IT Services will never ask for your password over the phone or in an email. Always be suspicious of requests for personal information that come via email, even from known contacts. For more information or to report suspicious email, visit IT Security http://ualr.edu/itservices/security/.
Hi,
The ipa trust-add command expects a domain name, not a server name. Is adtest1.ad.test.example.com a server or a domain?
You can check the DNS requirements in this doc: https://docs.redhat.com/en/documentation/Red_Hat_Enterprise_Linux/9/html/ins...
HTH, flo
--
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-leave@lists.fedorahosted.org
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahoste...
Do not reply to spam, report it: https://pagure.io/fedora-infrastructure/new_issue
Hi, folks,
So I have established a trust according to both IdM and AD, but I'm getting this when I try the validation step from the documentation:
smbclient -L rhidm1.net.example.com -U <username> --use-kerberos=required
lpcfg_do_global_parameter: WARNING: The "domain logons" option is deprecated
Password for [NET\username]:
Sharename Type Comment
--------- ---- -------
IPC$ IPC IPC Service (Samba 4.19.4)
SMB1 disabled -- no workgroup available
The samba service is up and running.
Thanks,
John A