hi guys I'm trying to add a trust to AD, I do DNS regular (as per Win Integration Guide) and all seems good, but it fails with the error as per the subject.
With regards to DNS, the only thing on the odd side (the guide mentions this record) is the missing _kerberos._udp.dc._msdcs.ad.example.com. Would this be a problem?
I also use --server to trust-add but it fails the same.
How to troubleshoot it? ipa -v also does not reveal more. Process asks:
Active Directory domain administrator's password:
and then fails immediately. Many thanks, L.
On Thu, Mar 08, 2018 at 01:39:58PM +0000, lejeczek via FreeIPA-users wrote:
hi guys I'm trying to add a trust to AD, I do DNS regular (as per Win Integration Guide) and all seems good, but it fails with the error as per the subject.
With regards to DNS, the only thing on the odd side (the guide mentions this record) is the missing _kerberos._udp.dc._msdcs.ad.example.com. Would this be a problem?
As long as _kerberos._udp.ad.example.com and _kerberos._tcp.ad.example.com exist there should be no problem.
I also use --server to trust-add but it fails the same.
How to troubleshoot it? ipa -v also does not reveal more.
Did you, by chance, edit /etc/resolv.conf to make the AD domain available for DNS? If yes, did you restart httpd after that?
If this does not help please add
[global]
log level = 100
to /usr/share/ipa/smb.conf.empty as described on https://www.freeipa.org/page/Active_Directory_trust_setup#Debugging_trust.
HTH
bye, Sumit
_______________________________________________
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-leave@lists.fedorahosted.org
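An added check for the SRV records discussed above (example script, not from the thread or the FreeIPA project): it resolves the _kerberos records Sumit named, the _ldap._tcp record AD publishes as standard (added here beyond the thread), and the _msdcs names the guide lists, using dig; the domain name is a placeholder and lookup_srv is a hypothetical wrapper you can swap out.

```shell
#!/bin/sh
# Added example, not from the thread: verify the AD SRV records that
# FreeIPA's trust-add relies on. lookup_srv wraps dig so it can be replaced
# by a stub when testing offline. The domain name is a constructed placeholder.
set -u

# One "priority weight port target" line per SRV answer, empty if absent.
lookup_srv() {
    dig +short SRV "$1" 2>/dev/null
}

# Records Sumit called sufficient (_kerberos) plus _ldap._tcp, a standard AD
# record added beyond the thread; the _msdcs names are the ones the Windows
# Integration Guide lists and that the poster found missing.
REQUIRED="_kerberos._udp _kerberos._tcp _ldap._tcp"
MSDCS="_kerberos._udp.dc._msdcs _kerberos._tcp.dc._msdcs _ldap._tcp.dc._msdcs"

# check_records DOMAIN: print one line per record; return 1 if any
# required record is missing, 0 otherwise (a missing _msdcs record only warns).
check_records() {
    domain="$1"
    rc=0
    for prefix in $REQUIRED $MSDCS; do
        name="$prefix.$domain"
        answer=$(lookup_srv "$name")
        if [ -n "$answer" ]; then
            # Show target:port for every answer on a single line.
            targets=$(echo "$answer" | awk '{printf "%s:%s ", $4, $3}')
            echo "OK       $name -> $targets"
        elif echo "$name" | grep -q '_msdcs'; then
            echo "WARN     $name (listed by the guide; not one of the two Sumit requires)"
        else
            echo "MISSING  $name (required)"
            rc=1
        fi
    done
    return $rc
}

# Usage: ./check_ad_srv.sh ad.example.com
if [ $# -eq 1 ]; then
    check_records "$1"
fi
```

Run it against the AD domain name from the IPA server so the lookups go through the same resolver and forwarders that httpd uses.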
On 08/03/18 20:10, Sumit Bose via FreeIPA-users wrote:
As long as _kerberos._udp.ad.example.com and _kerberos._tcp.ad.example.com exists there should be no problem.
Yes, both those records resolve okay. Only in _msdcs I can see DNS (from the DC promo installer) has no UDP records. Also, should there be a TXT record for AD's _kerberos? Because I cannot see that there is one.
Did you, by chance edit /etc/resolv.conf to make the AD domain available for DNS? If yes, did you restart httpd after that?
If this does not help please add
[global]
log level = 100
to /usr/share/ipa/smb.conf.empty as described on https://www.freeipa.org/page/Active_Directory_trust_setup#Debugging_trust.
It's all a bit "weird" to me. This problem started after I manually, in the AD DC (Win 2012), successfully created a one-way trust, then removed the trust both in AD & IPA, and now re-adding the same trust fails, along with this problem.
On IPA the resolver looks up only 127.0.0.1 and searches for ipa.private.ad.dom.local (which is the IPA domain). The AD domain is ad.dom.local; in its DNS there is a domain "private" and in it a subdomain "ipa" which delegates to IPA's DNS. IPA's DNS forwards the zone ad.dom.local to the AD DC's IP. (Again, this setup worked the first (few) times.)
Which of Samba's logs should I pay particular attention to? There are quite a few and they are full of content.
Here is httpd's log at the time of trust-add execution, if it can (hopefully) reveal some more:
...
...
[Fri Mar 09 10:30:06.420124 2018] [:warn] [pid 2094] [client 10.5.10.56:49300] failed to set perms (3140) on file (/var/run/ipa/ccaches/admin@PRIVATE.xx.xx.PRIVATE.xx.xx.x)!, referer: https://work2.priv.xx.xx.priv.xx.xx.x/ipa/xml
[Fri Mar 09 10:30:06.468226 2018] [:error] [pid 2092] ipa: INFO: [jsonserver_session] admin@PRIVATE.xx.xx.PRIVATE.xx.xx.x: ping(): SUCCESS
[Fri Mar 09 10:30:09.248327 2018] [:warn] [pid 2094] [client 10.5.10.56:49300] failed to set perms (3140) on file (/var/run/ipa/ccaches/admin@PRIVATE.xx.xx.PRIVATE.xx.xx.x)!, referer: https://work2.priv.xx.xx.priv.xx.xx.x/ipa/xml
lpcfg_load: refreshing parameters from /usr/share/ipa/smb.conf.empty
Processing section "[global]"
INFO: Current debug levels: all: 100 tdb: 100 printdrivers: 100 lanman: 100 smb: 100 rpc_parse: 100 rpc_srv: 100 rpc_cli: 100 passdb: 100 sam: 100 auth: 100 winbind: 100 vfs: 100 idmap: 100 quota: 100 acls: 100 locking: 100 msdfs: 100 dmapi: 100 registry: 100 scavenger: 100 dns: 100 ldb: 100 tevent: 100
pm_process() returned Yes
Using binding ncacn_np:work2.priv.xx.xx.priv.xx.xx.x[,print,smb2]
s4_tevent: Added timed event "dcerpc_connect_timeout_handler": 0x7efe4cb2e920
s4_tevent: Added timed event "composite_trigger": 0x7efe4ca5b910
s4_tevent: Added timed event "composite_trigger": 0x7efe4cb65b20
s4_tevent: Running timer event 0x7efe4ca5b910 "composite_trigger"
s4_tevent: Destroying timer event 0x7efe4cb65b20 "composite_trigger"
Mapped to DCERPC endpoint \pipe\lsarpc
added interface eth0 ip=10.5.10.56 bcast=10.5.10.63 netmask=255.255.255.240
added interface eth0 ip=10.5.10.56 bcast=10.5.10.63 netmask=255.255.255.240
resolve_lmhosts: Attempting lmhosts lookup for name work2.priv.xx.xx.priv.xx.xx.x<0x20>
getlmhostsent: lmhost entry: 127.0.0.1 localhost
s4_tevent: Added timed event "composite_trigger": 0x7efe4cb75c60
s4_tevent: Ending timer event 0x7efe4ca5b910 "composite_trigger"
s4_tevent: Running timer event 0x7efe4cb75c60 "composite_trigger"
s4_tevent: Ending timer event 0x7efe4cb75c60 "composite_trigger"
s4_tevent: Added timed event "connect_multi_timer": 0x7efe4c91d630
s4_tevent: Schedule immediate event "tevent_req_trigger": 0x7efe4c984840
s4_tevent: Run immediate event "tevent_req_trigger": 0x7efe4c984840
s4_tevent: Destroying timer event 0x7efe4c91d630 "connect_multi_timer"
Socket options: SO_KEEPALIVE = 0 SO_REUSEADDR = 0 SO_BROADCAST = 0 TCP_NODELAY = 1 TCP_KEEPCNT = 9 TCP_KEEPIDLE = 7200 TCP_KEEPINTVL = 75 IPTOS_LOWDELAY = 0 IPTOS_THROUGHPUT = 0 SO_REUSEPORT = 0 SO_SNDBUF = 2626560 SO_RCVBUF = 1061296 SO_SNDLOWAT = 1 SO_RCVLOWAT = 1 SO_SNDTIMEO = 0 SO_RCVTIMEO = 0 TCP_QUICKACK = 1 TCP_DEFER_ACCEPT = 0
s4_tevent: Added timed event "tevent_req_timedout": 0x7efe4cb7af10
s4_tevent: Schedule immediate event "tevent_queue_immediate_trigger": 0x7efe4cb79380
s4_tevent: Run immediate event "tevent_queue_immediate_trigger": 0x7efe4cb79380
s4_tevent: Destroying timer event 0x7efe4cb7af10 "tevent_req_timedout"
s4_tevent: Schedule immediate event "tevent_req_trigger": 0x7efe4c9c2bb0
s4_tevent: Run immediate event "tevent_req_trigger": 0x7efe4c9c2bb0
Starting GENSEC mechanism spnego
Starting GENSEC submechanism gssapi_krb5
Ticket in credentials cache for admin@PRIVATE.xx.xx.PRIVATE.xx.xx.x will expire in 0 secs
s4_tevent: Added timed event "tevent_req_timedout": 0x7efe4c992420
s4_tevent: Schedule immediate event "tevent_queue_immediate_trigger": 0x7efe4cb79380
s4_tevent: Run immediate event "tevent_queue_immediate_trigger": 0x7efe4cb79380
s4_tevent: Destroying timer event 0x7efe4c992420 "tevent_req_timedout"
s4_tevent: Schedule immediate event "tevent_req_trigger": 0x7efe4c9c2bb0
s4_tevent: Run immediate event "tevent_req_trigger": 0x7efe4c9c2bb0
gensec_gssapi: NO credentials were delegated
GSSAPI Connection will be cryptographically sealed
s4_tevent: Added timed event "tevent_req_timedout": 0x7efe4ca7a930
signed SMB2 message
s4_tevent: Schedule immediate event "tevent_queue_immediate_trigger": 0x7efe4cb79380
s4_tevent: Run immediate event "tevent_queue_immediate_trigger": 0x7efe4cb79380
s4_tevent: Destroying timer event 0x7efe4ca7a930 "tevent_req_timedout"
s4_tevent: Schedule immediate event "tevent_req_trigger": 0x7efe4c9c2bb0
s4_tevent: Run immediate event "tevent_req_trigger": 0x7efe4c9c2bb0
s4_tevent: Added timed event "tevent_req_timedout": 0x7efe4c92e0a0
signed SMB2 message
s4_tevent: Schedule immediate event "tevent_queue_immediate_trigger": 0x7efe4cb79380
s4_tevent: Run immediate event "tevent_queue_immediate_trigger": 0x7efe4cb79380
s4_tevent: Destroying timer event 0x7efe4c92e0a0 "tevent_req_timedout"
s4_tevent: Schedule immediate event "tevent_req_trigger": 0x7efe4c9c2bb0
s4_tevent: Run immediate event "tevent_req_trigger": 0x7efe4c9c2bb0
s4_tevent: Destroying timer event 0x7efe4cb2e920 "dcerpc_connect_timeout_handler"
[Fri Mar 09 10:30:09.512166 2018] [:error] [pid 2091] ipa: INFO: [jsonserver_session] admin@PRIVATE.xx.xx.PRIVATE.xx.xx.x: trust_add/1(u'xx.priv.xx.xx.x', trust_type=u'ad', realm_admin=u'Administrator', realm_passwd=u'********', bidirectional=True, all=True, version=u'2.228'): NotFound
On 08/03/18 13:39, lejeczek via FreeIPA-users wrote:
anybody, guys?
it's strange: I reboot the Win server and once it complains about "..RPC connection to the Active Directory Domain controller ipa1..", after the reboot it would complain about ".. ipa2....". And certainly both IPA hosts are DNS resolvable and up & running and seem okay.
On pe, 16 maalis 2018, lejeczek via FreeIPA-users wrote:
anybody, guys?
it's strange: I reboot the Win server and once it complains about "..RPC connection to the Active Directory Domain controller ipa1..", after the reboot it would complain about ".. ipa2....". And certainly both IPA hosts are DNS resolvable and up & running and seem okay.
We aren't implementing full AD functionality in FreeIPA. Thus, certain flows aren't accessible from the AD side. This is why we do not run trust validation from the AD DC side but rather trigger it via RPC calls from the IPA side when the trust is established. This, however, is only possible when you are using admin credentials, not a shared secret.
So what you see is expected.
On 16/03/18 11:33, Alexander Bokovoy wrote:
We aren't implementing full AD functionality in FreeIPA. Thus, certain flows aren't accessible from the AD side. This is why we do not run trust validation from the AD DC side but rather trigger it via RPC calls from the IPA side when the trust is established. This, however, is only possible when you are using admin credentials, not a shared secret.
So what you see is expected.
yes, but this was just to see what AD's end does/sees. As per the subject, and as I said earlier, the original problem is:
$ ipa trust-add --all eb.private.dom --admin=Administrator --password
Active Directory domain administrator's password:
ipa: ERROR: Cannot find specified domain or server name
$ ipa -vv trust-add --all --two-way=1 --type=ad eb.private.dom --admin=Administrator --password --server=work7.eb.private.dom
..
ipa: ERROR: Cannot find specified domain or server name
$ realm discover eb.private.dom
eb.private.dom
  type: kerberos
  realm-name: EB.PRIVATE.DOM
  domain-name: eb.private.dom
  configured: no
  server-software: active-directory
  client-software: sssd
  required-package: oddjob
  required-package: oddjob-mkhomedir
  required-package: sssd
  required-package: adcli
  required-package: samba-common-tools
I had the trust working, initially with a password, then I did trust-del and I manually created a shared-key trust on AD, which also worked okay. I kept fiddling with del/add and soon, after a few such moves, I hit this problem. I feel like this might be reproducible (all boxes are qemu-kvm); it feels like after just a few (successful) del/add something breaks. I increased log verbosity as per sbose's advice but cannot find anything in those logs.
m. thanks, L.
On pe, 16 maalis 2018, lejeczek wrote:
yes, but this was just to see what AD's end does/sees. As per the subject, and as I said earlier, the original problem is:
$ ipa trust-add --all eb.private.dom --admin=Administrator --password
Active Directory domain administrator's password:
ipa: ERROR: Cannot find specified domain or server name
$ ipa -vv trust-add --all --two-way=1 --type=ad eb.private.dom --admin=Administrator --password --server=work7.eb.private.dom
..
ipa: ERROR: Cannot find specified domain or server name
This is IPA not being able to find the AD server/domain.
You need to add 'log level = 50' to /usr/share/ipa/smb.conf.empty and re-run 'ipa trust-add'. The logs will be part of /var/log/httpd/error_log.
I had the trust working, initially with a password, then I did trust-del and I manually created a shared-key trust on AD, which also worked okay. I kept fiddling with del/add and soon, after a few such moves, I hit this problem. I feel like this might be reproducible (all boxes are qemu-kvm); it feels like after just a few (successful) del/add something breaks. I increased log verbosity as per sbose's advice but cannot find anything in those logs.
? If you enabled 'log level = 50' in /usr/share/ipa/smb.conf.empty, you'll see plenty of logs in error_log.
On 16/03/18 13:12, Alexander Bokovoy wrote:
This is IPA not being able to find the AD server/domain.
You need to add 'log level = 50' to /usr/share/ipa/smb.conf.empty and re-run 'ipa trust-add'. The logs will be part of /var/log/httpd/error_log.
I used = 100 as per sbose's advice, and the part of the error_log I attached a few messages earlier (under this thread). Can you see it?
On pe, 16 maalis 2018, lejeczek wrote:
I used = 100 as per sbose's advice, and the part of the error_log I attached a few messages earlier (under this thread). Can you see it?
Yes, and it is edited to the level of being unreadable. Can you share an unedited version in private, including your DNS setup?
The reason I'm asking is because you have very inconsistent DNS name edits; they make it impossible to understand what your real DNS arrangement is.