Florence, thank you. I'll adapt IDM's to have proper mapping when creating
users.
Nothing still explains why AD Trust came back, but I'll just leave it as it is. It's
working now, and I don't know what happened.
Thank you.
On 24 Aug 2021, at 05:47, Florence Renaud
<flo@redhat.com> wrote:
Hi,
1/ The local ID range NIX.VERSATUSHPC.COM.BR_id_range shows that you can have posix ids
created on IdM:
from 1,278,400,000 to 1,278,599,999.
These posix ids can be created either by idm1 or by idm2 server, but you need to make sure
that they don't use the same value if simultaneous user-add/group-add operations are
performed on both servers.
Currently, idm1 can pick any value in the 1,278,400,006-1,278,499,999 range (ids from
1,278,400,000 to 1,278,400,005 are probably already taken by existing users/groups). You
need to find the list of posix ids already used, and adjust idm range starting from this
max value +1. For the end of idm1 range, you can for instance cut the original range in 2,
and have idm1 stop at 1,278,449,999, and idm2 start at 1,278,450,000 and stop at
1,278,499,999 (provided no value inside this range was already attributed).
2/ The ipa trust-fetch-domains output is normal: it returns 0 entries, and if any additional
domain is found it is displayed in ipa trustdomain-find.
HTH,
flo
On Fri, Aug 20, 2021 at 11:01 PM Vinícius Ferrão
<ferrao@versatushpc.com.br> wrote:
Hi Florence.
On 20 Aug 2021, at 05:29, Florence Renaud
<flo@redhat.com> wrote:
Hi,
On Thu, Aug 19, 2021 at 7:09 PM Vinícius Ferrão via FreeIPA-users
<freeipa-users@lists.fedorahosted.org>
wrote:
Hello,
I had to reinstall our IPA server since we had filesystem corruption beyond repair on
it.
After the reinstall (with ipa-replica-install) AD Trust does not seem to be working
anymore.
I tried to delete the trust and then re-add it, but there's no effect. Here are the
outputs:
[root@idm1 ~]# ipa-adtrust-install --add-agents
The log file for this installation can be found in
/var/log/ipaserver-adtrust-install.log
==============================================================================
This program will setup components needed to establish trust to AD domains for
the IPA Server.
This includes:
* Configure Samba
* Add trust related objects to IPA LDAP server
To accept the default shown in brackets, press the Enter key.
Configuring cross-realm trusts for IPA server requires password for user
'admin'.
This user is a regular system account used for IPA server administration.
admin password:
IPA generated smb.conf detected.
Overwrite smb.conf? [no]: yes
Do you want to enable support for trusted domains in Schema Compatibility plugin?
This will allow clients older than SSSD 1.9 and non-Linux clients to work with trusted
users.
Enable trusted domains support in slapi-nis? [no]: yes
The following operations may take some minutes to complete.
Please wait until the prompt is returned.
Configuring CIFS
[1/24]: validate server hostname
[2/24]: stopping smbd
[3/24]: creating samba domain object
Samba domain object already exists
[4/24]: retrieve local idmap range
[5/24]: writing samba config file
[6/24]: creating samba config registry
[7/24]: adding cifs Kerberos principal
[8/24]: adding cifs and host Kerberos principals to the adtrust agents group
[9/24]: check for cifs services defined on other replicas
[10/24]: adding cifs principal to S4U2Proxy targets
cifs principal already targeted, nothing to do.
[11/24]: adding admin(group) SIDs
Admin SID already set, nothing to do
Admin group SID already set, nothing to do
[12/24]: adding RID bases
RID bases already set, nothing to do
[13/24]: updating Kerberos config
'dns_lookup_kdc' already set to 'true', nothing to do.
[14/24]: activating CLDAP plugin
CLDAP plugin already configured, nothing to do
[15/24]: activating sidgen task
Sidgen task plugin already configured, nothing to do
[16/24]: map BUILTIN\Guests to nobody group
[17/24]: configuring smbd to start on boot
[18/24]: enabling trusted domains support for older clients via Schema Compatibility
plugin
[19/24]: restarting Directory Server to take MS PAC and LDAP plugins changes into
account
[20/24]: adding fallback group
Fallback group already set, nothing to do
[21/24]: adding Default Trust View
Default Trust View already exists.
[22/24]: setting SELinux booleans
[23/24]: starting CIFS services
[24/24]: restarting smbd
Done configuring CIFS.
=============================================================================
Setup complete
You must make sure these network ports are open:
TCP Ports:
* 135: epmap
* 138: netbios-dgm
* 139: netbios-ssn
* 445: microsoft-ds
* 1024..1300: epmap listener range
* 3268: msft-gc
UDP Ports:
* 138: netbios-dgm
* 139: netbios-ssn
* 389: (C)LDAP
* 445: microsoft-ds
See the ipa-adtrust-install(1) man page for more details
=============================================================================
Doing the trust add since the last command didn't add it:
[root@idm1 ~]# ipa trust-add
win.versatushpc.com.br
Active Directory domain administrator: Administrator
Active Directory domain administrator's password:
---------------------------------------------------------------
Added Active Directory trust for realm
"win.versatushpc.com.br"
---------------------------------------------------------------
Realm name: win.versatushpc.com.br
Domain NetBIOS name: VersatusHPC
Domain Security Identifier: S-1-5-21-3644117338-1171143469-618167831
Trust direction: Trusting forest
Trust type: Active Directory domain
Trust status: Established and verified
Fetch domains return 0:
[root@idm1 ~]# ipa trust-fetch-domains
win.versatushpc.com.br
----------------------------------------------------------------------------------------
List of trust domains successfully refreshed. Use trustdomain-find command to list them.
----------------------------------------------------------------------------------------
----------------------------
Number of entries returned 0
----------------------------
But trustdomain-find is able to find the domain:
[root@idm1 ~]# ipa trustdomain-find
Realm name: win.versatushpc.com.br
Domain name: win.versatushpc.com.br
Domain NetBIOS name: VersatusHPC
Domain Security Identifier: S-1-5-21-3644117338-1171143469-618167831
Domain enabled: True
----------------------------
Number of entries returned 1
----------------------------
Healthcheck complains about those issues:
[root@idm1 ~]# ipa-healthcheck --all --output-type human | grep -v SUCCESS
WARNING:
ipahealthcheck.ipa.trust.IPATrustCatalogCheck.S-1-5-21-3644117338-1171143469-618167831:
Look up of S-1-5-21-3644117338-1171143469-618167831 returned nothing
ERROR:
ipahealthcheck.ipa.trust.IPATrustCatalogCheck.AD
Global Catalog: AD Global Catalog not found in /usr/sbin/sssctl 'domain-status'
output: Active servers:
IPA: idm1.nix.versatushpc.com.br
ERROR:
ipahealthcheck.ipa.trust.IPATrustCatalogCheck.AD
Domain Controller: AD Domain Controller not found in /usr/sbin/sssctl
'domain-status' output: Active servers:
IPA: idm1.nix.versatushpc.com.br
Can you show the output of "ipa idrange-find"?
There you go:
[root@idm1 ~]# ipa idrange-find
----------------
2 ranges matched
----------------
Range name: NIX.VERSATUSHPC.COM.BR_id_range
First Posix ID of the range: 1278400000
Number of IDs in the range: 200000
First RID of the corresponding RID range: 1000
First RID of the secondary RID range: 100000000
Range type: local domain range
Range name: WIN.VERSATUSHPC.COM.BR_id_range
First Posix ID of the range: 1499400000
Number of IDs in the range: 200000
First RID of the corresponding RID range: 0
Domain SID of the trusted domain: S-1-5-21-3644117338-1171143469-618167831
Range type: Active Directory domain range
----------------------------
Number of entries returned 2
----------------------------
And finally we had a DNA range issue, but I was able to solve it with this guide:
https://rcritten.wordpress.com/2015/01/05/freeipa-and-no-dna-range/
[root@idm2 ~]# ipa-replica-manage dnarange-show
idm1.nix.versatushpc.com.br:
1278400006-1278499999
idm2.nix.versatushpc.com.br:
1278400000-1278499999
The ranges are overlapping; this should be fixed. The range for idm2 should end before the
beginning of the idm1 range.
Alright, what is the right way to do this? Split the range in two segments? Or just add
99999 more registries?
PS: Regarding the issue, the AD Trust is now working. What did I do? Nothing.
Went to bed without it working and today it is working.
Thanks.
flo
Seems to be OK, I think...
I'm running IPA on RHEL 8.4.
If it's easier to just remove IPA and reinstall from scratch, that's OK. This is a
development system, the same goes for the Windows domain.
Thank you all.
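Worked example (added here, not part of the thread or of FreeIPA itself) of the overlap check and the range split Florence describes: it parses `ipa-replica-manage dnarange-show` output, reports servers whose DNA ranges overlap, and carves the range into disjoint per-server ranges starting above the highest POSIX id already in use. The sample output and the `max_used` value (1278400005, the first free id Florence infers) are constructed from the thread; the split divides the free ids equally rather than at the exact midpoint she suggests.

```python
import re

# Constructed sample modelled on the dnarange-show output in the thread (not a live capture).
DNARANGE_OUTPUT = """\
idm1.nix.versatushpc.com.br: 1278400006-1278499999
idm2.nix.versatushpc.com.br: 1278400000-1278499999
"""

LINE_RE = re.compile(r"^(?P<host>\S+):\s*(?P<lo>\d+)-(?P<hi>\d+)\s*$")


def parse_dnaranges(text):
    """Return {host: (lo, hi)}; servers reported with 'No range set' are skipped."""
    ranges = {}
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            ranges[m.group("host")] = (int(m.group("lo")), int(m.group("hi")))
    return ranges


def overlapping_pairs(ranges):
    """Pairs of servers whose DNA ranges share at least one POSIX id (bad: duplicate ids)."""
    hosts = sorted(ranges)
    return [(a, b) for i, a in enumerate(hosts) for b in hosts[i + 1:]
            if ranges[a][0] <= ranges[b][1] and ranges[b][0] <= ranges[a][1]]


def split_range(lo, hi, hosts, max_used):
    """Carve [lo, hi] into disjoint per-server ranges, all starting above max_used."""
    start = max(lo, max_used + 1)
    free = hi - start + 1
    if free < len(hosts):
        raise ValueError("not enough free ids to give every server a range")
    size = free // len(hosts)
    plan = {}
    for i, host in enumerate(sorted(hosts)):
        s = start + i * size
        e = hi if i == len(hosts) - 1 else s + size - 1  # last server takes the remainder
        plan[host] = (s, e)
    return plan


def dnarange_set_commands(plan):
    """Render the ipa-replica-manage dnarange-set commands that would apply the plan."""
    return [f"ipa-replica-manage dnarange-set {h} {s}-{e}" for h, (s, e) in sorted(plan.items())]


if __name__ == "__main__":
    ranges = parse_dnaranges(DNARANGE_OUTPUT)
    print("overlaps:", overlapping_pairs(ranges))
    lo, hi = min(r[0] for r in ranges.values()), max(r[1] for r in ranges.values())
    print("\n".join(dnarange_set_commands(split_range(lo, hi, ranges, max_used=1278400005))))
```

Before applying the plan, confirm `max_used` against the real highest uidNumber/gidNumber on the server, as Florence advises, since the split is only safe above the ids already handed out.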
_______________________________________________
FreeIPA-users mailing list --
freeipa-users@lists.fedorahosted.org
To unsubscribe send an email to
freeipa-users-leave@lists.fedorahosted.org
Fedora Code of Conduct:
https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines:
https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives:
https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedoraho...
Do not reply to spam on the list, report it:
https://pagure.io/fedora-infrastructure