Hello everyone. I hoped I could ask for a little assistance on an AD / IPA Trust.
I have a Windows 2008R2 domain.

Response Type: LOGON_SAM_LOGON_RESPONSE_EX
GUID: e**********************6497
Flags:
    Is a PDC:                                   no
    Is a GC of the forest:                      yes
    Is an LDAP server:                          yes
    Supports DS:                                yes
    Is running a KDC:                           yes
    Is running time services:                   yes
    Is the closest DC:                          yes
    Is writable:                                yes
    Has a hardware clock:                       no
    Is a non-domain NC serviced by LDAP server: no
    Is NT6 DC that has some secrets:            no
    Is NT6 DC that has all secrets:             yes
    Runs Active Directory Web Services:         yes
    Runs on Windows 2012 or later:              no
Forest:                 example.local
Domain:                 example.local
Domain Controller:      CSAD1.example.local
Pre-Win2k Domain:       example
Pre-Win2k Hostname:     CSAD1
Server Site Name :      Site1
Client Site Name :      Site1
NT Version: 5
LMNT Token: ffff
LM20 Token: ffff
-----------------
IPA ipa-server-4.4.0-14.el7
Domain = lci.example.com
------------------
I start the process and DNS lookups are working.
[root@ipa-001 samba]# !872 dig SRV _ldap._tcp.example.local

; <<>> DiG 9.9.4-RedHat-9.9.4-38.el7_3.3 <<>> SRV _ldap._tcp.example.local
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 45828
;; flags: qr rd ra; QUERY: 1, ANSWER: 4, AUTHORITY: 0, ADDITIONAL: 5

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;_ldap._tcp.example.local.    IN    SRV

;; ANSWER SECTION:
_ldap._tcp.example.local.    600    IN    SRV    0 100 389 ac-ad4.example.local.
_ldap._tcp.example.local.    600    IN    SRV    0 100 389 csad2.example.local.
_ldap._tcp.example.local.    600    IN    SRV    0 100 389 csad1.example.local.
_ldap._tcp.example.local.    600    IN    SRV    0 100 389 ac-ad3.example.local.

;; ADDITIONAL SECTION:
csad1.example.local.     3196    IN    A    192.168.2.1
ac-ad4.example.local.    3196    IN    A    192.168.2.4
ac-ad3.example.local.    3196    IN    A    192.168.2.3
csad2.example.local.     3196    IN    A    192.168.2.2

;; Query time: 1 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Fri Jun 09 19:50:34 UTC 2017
;; MSG SIZE  rcvd: 290

[root@ipa-001 samba]# dig SRV _ldap._tcp.lci.example.local

; <<>> DiG 9.9.4-RedHat-9.9.4-38.el7_3.3 <<>> SRV _ldap._tcp.lci.example.local
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 64288
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 3, AUTHORITY: 2, ADDITIONAL: 3

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;_ldap._tcp.lci.example.local.    IN    SRV

;; ANSWER SECTION:
_ldap._tcp.lci.example.local.                 86400    IN    CNAME    _ldap._tcp.atl._locations.lci.example.local.
_ldap._tcp.atl._locations.lci.example.local.  86400    IN    SRV      0 5 389 ipa-001.lci.example.local.
_ldap._tcp.atl._locations.lci.example.local.  86400    IN    SRV      0 10 389 ipa-002.lci.example.local.

;; AUTHORITY SECTION:
lci.example.local.    86400    IN    NS    ipa-002.lci.example.local.
lci.example.local.    86400    IN    NS    ipa-001.lci.example.local.

;; ADDITIONAL SECTION:
ipa-001.lci.example.local.    1200    IN    A    192.168.1.11
ipa-002.lci.example.local.    1200    IN    A    192.168.1.12

;; Query time: 0 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Fri Jun 09 19:50:40 UTC 2017
;; MSG SIZE  rcvd: 272

[root@ipa-001 samba]#
--------------
My bound `ldapsearch` and `kinit` on both domains work well.

As I move on to testing the `trust-fetch-domains` area, things go bad (well, start to show that they are).
--------------
[root@ipa-001 samba]# ipa trust-fetch-domains example.local
----------------------------------------------------------------------------------------
List of trust domains successfully refreshed. Use trustdomain-find command to list them.
----------------------------------------------------------------------------------------
----------------------------
Number of entries returned 0
----------------------------

[root@ipa-001 samba]# ipa trustdomain-find example.LOCAL
  Domain name: example.local
  Domain NetBIOS name: example
  Domain Security Identifier: S-1-5-21-******-857828577-140568808
  Domain enabled: True
----------------------------
Number of entries returned 1
----------------------------
Of course, any movement from there on fails. Using other posts, I bumped up the logging and pulled out items that I believe assist in this matter.
----------
log.winbindd-dc-connect: check_negative_conn_cache returning result 0 for domain example.local server 192.168.2.3
log.winbindd-dc-connect: check_negative_conn_cache returning result -1073741823 for domain example.local server 192.168.2.2
log.winbindd-dc-connect: check_negative_conn_cache returning result -1073741823 for domain example.local server 192.168.2.4
log.winbindd-dc-connect: get_sorted_dc_list: attempting lookup for name example.local (sitename NULL)
log.winbindd-dc-connect: saf_fetch: failed to find server for "example.local" domain
log.winbindd-dc-connect: internal_resolve_name: looking up example.local#1c (sitename (null))
log.winbindd-dc-connect: name example.local#1C found.
log.winbindd-dc-connect: check_negative_conn_cache returning result -1073741823 for domain example.local server 192.168.2.1
log.winbindd-dc-connect: Adding cache entry with key=[NEG_CONN_CACHE/example.local,192.168.2.3] and timeout=[Thu Jan 1 12:00:00 AM 1970 UTC] (-1497038264 seconds in the past)
log.winbindd-dc-connect: check_negative_conn_cache returning result 0 for domain example.local server 192.168.2.3
log.winbindd-dc-connect: check_negative_conn_cache returning result -1073741823 for domain example.local server 192.168.2.2
log.winbindd-dc-connect: check_negative_conn_cache returning result -1073741823 for domain example.local server 192.168.2.4
log.winbindd-dc-connect: get_sorted_dc_list: attempting lookup for name example.local (sitename NULL)
log.winbindd-dc-connect: saf_fetch: failed to find server for "example.local" domain
log.winbindd-dc-connect: internal_resolve_name: looking up example.local#1c (sitename (null))
log.winbindd-dc-connect: name example.local#1C found.
log.winbindd-dc-connect: check_negative_conn_cache returning result -1073741823 for domain example.local server 192.168.2.1
log.winbindd-dc-connect: Adding cache entry with key=[NEG_CONN_CACHE/example.local,192.168.2.3] and timeout=[Thu Jan 1 12:00:00 AM 1970 UTC] (-1497038340 seconds in the past)
log.winbindd-dc-connect: check_negative_conn_cache returning result 0 for domain example.local server 192.168.2.3
log.winbindd-dc-connect: check_negative_conn_cache returning result -1073741823 for domain example.local server 192.168.2.2
log.winbindd-dc-connect: check_negative_conn_cache returning result -1073741823 for domain example.local server 192.168.2.4
log.winbindd-idmap: pdb_init_ipasam: support for pdb_enum_upn_suffixes enabled for domain lci.example.local
-------------------
I see the timeouts in the logs; however, I thought they appeared to conflict with the ability to `net ads lookup`.
Any assistance on this would be appreciated a great deal. Thank you so much for your time and looking at this.
freeipa-users@lists.fedorahosted.org
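As an added example (not part of the original post, nor code from Samba or FreeIPA), a small Python helper that parses `check_negative_conn_cache` lines like the ones quoted above, decodes winbindd's signed decimal result as an NTSTATUS value (-1073741823 is 0xC0000001, NT_STATUS_UNSUCCESSFUL) and lists which DCs winbindd still treats as usable. The sample log text is constructed from the excerpt in the post.

```python
import re

# Constructed sample, modelled on the log.winbindd-dc-connect lines quoted in the post.
SAMPLE_LOG = """\
log.winbindd-dc-connect: check_negative_conn_cache returning result 0 for domain example.local server 192.168.2.3
log.winbindd-dc-connect: check_negative_conn_cache returning result -1073741823 for domain example.local server 192.168.2.2
log.winbindd-dc-connect: check_negative_conn_cache returning result -1073741823 for domain example.local server 192.168.2.4
log.winbindd-dc-connect: saf_fetch: failed to find server for "example.local" domain
log.winbindd-dc-connect: check_negative_conn_cache returning result -1073741823 for domain example.local server 192.168.2.1
"""

NEG_CACHE_RE = re.compile(
    r"check_negative_conn_cache returning result (-?\d+) for domain (\S+) server (\S+)"
)

# Only the two NTSTATUS codes that occur in the post are named; anything else is shown as hex.
NTSTATUS_NAMES = {0x00000000: "NT_STATUS_OK", 0xC0000001: "NT_STATUS_UNSUCCESSFUL"}


def ntstatus_name(code: int) -> str:
    """winbindd prints the NTSTATUS as a signed 32-bit decimal; map it back to a name."""
    unsigned = code & 0xFFFFFFFF
    return NTSTATUS_NAMES.get(unsigned, f"0x{unsigned:08X}")


def summarize_negative_cache(log_text: str) -> dict:
    """Return {domain: {server_ip: status_name}}, keeping the last result seen per server."""
    summary: dict = {}
    for line in log_text.splitlines():
        m = NEG_CACHE_RE.search(line)
        if not m:
            continue  # other winbindd chatter (saf_fetch, internal_resolve_name, ...)
        code, domain, server = int(m.group(1)), m.group(2), m.group(3)
        summary.setdefault(domain, {})[server] = ntstatus_name(code)
    return summary


def usable_dcs(summary: dict, domain: str) -> list:
    """DCs for `domain` that are not currently held in the negative connection cache."""
    return sorted(ip for ip, st in summary.get(domain, {}).items() if st == "NT_STATUS_OK")


if __name__ == "__main__":
    result = summarize_negative_cache(SAMPLE_LOG)
    for domain, servers in result.items():
        for ip, status in sorted(servers.items()):
            print(f"{domain:15} {ip:15} {status}")
    print("usable DCs:", usable_dcs(result, "example.local"))
```

Run it against the real `log.winbindd-dc-connect` file to see at a glance which of the SRV-advertised DCs winbindd has written off and which it will still try.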