On 5/30/18, 10:59 PM, "Alexander Bokovoy" abokovoy@redhat.com wrote:
> On ke, 30 touko 2018, Merritt, Todd R - (tmerritt) wrote:
> >On 5/29/18, 7:59 PM, "Alexander Bokovoy" abokovoy@redhat.com wrote:
> >>On ti, 29 touko 2018, Merritt, Todd R - (tmerritt) via FreeIPA-users wrote:
> >>>Hi,
> >>>
> >>>I'm trying to establish a two way trust with an AD
> >>>domain and seem to be running into some issues. I am
> >>>able to establish a one way trust following the guide
> >>>at
> >>>https://www.freeipa.org/page/Active_Directory_trust_setup
> >>>without any issues. When I destroy that trust and try
> >>>to establish a new one with two-way specified to the
> >>>same AD domain it throws what I believe to be a
> >>>misleading error message and the trust is not
> >>>established.
> >>How did you destroy that trust?
> >>
> >>>[root@IPA.DOMAIN /]# ipa trust-add --type=ad AD_DOMAIN --admin AD_ADMIN_USER --password --two-way=true
> >>>Active Directory domain administrator's password:
> >>>ipa: ERROR: AD DC was unable to reach any IPA domain controller. Most likely it is a DNS or firewall issue
> >>>
> >>>I've checked that both the AD DC and the free IPA hosts can resolve the
> >>>service entries and verified that there are no firewall blocks in place
> >>>between these two hosts. I believe the issue is an LDAP permission
> >>>issue of some sort based on the following log snippet
> >>Add 'log level = 100' to /usr/share/ipa/smb.conf.empty and re-try with
> >>'ipa trust-add'. You'll get additional debug information in httpd's
> >>error_log. Provide that one off-list.
> >
> >Thanks, I removed it with trust-del
> >
> >[root@IPA.DOMAIN /]# ipa trust-del AD_DOMAIN
> >-------------------------
> >Deleted trust "AD_DOMAIN"
> >-------------------------
> >
> >I'll send you a copy of the http error log directly. Thanks.
>
> Looking at the error_log, I see two issues:
>
> Validation of trust failed because AD DCs were unable to reach IPA DCs.
> This typically means AD DCs are unable to discover IPA DCs over DNS SRV
> records -- they look up using standard Active Directory discovery means,
> e.g. trying to find out the SRV record for
> _ldap._tcp.Default-First-Site-Name._sites.dc._msdcs.$IPA_DOMAIN
>
> Can you show output of 'ipa dns-update-system-records --dry-run'?
>
> netr_LogonControl2Ex: struct netr_LogonControl2Ex
>     out: struct netr_LogonControl2Ex
>         query                    : *
>             query                    : union netr_CONTROL_QUERY_INFORMATION(case 2)
>             info2                    : *
>                 info2: struct netr_NETLOGON_INFO_2
>                     flags                    : 0x00000080 (128)
>                            0: NETLOGON_REPLICATION_NEEDED
>                            0: NETLOGON_REPLICATION_IN_PROGRESS
>                            0: NETLOGON_FULL_SYNC_REPLICATION
>                            0: NETLOGON_REDO_NEEDED
>                            0: NETLOGON_HAS_IP
>                            0: NETLOGON_HAS_TIMESERV
>                            0: NETLOGON_DNS_UPDATE_FAILURE
>                            1: NETLOGON_VERIFY_STATUS_RETURNED
>                     pdc_connection_status    : WERR_NO_LOGON_SERVERS
>                     trusted_dc_name          : *
>                         trusted_dc_name          : ''
>                     tc_connection_status     : WERR_NO_LOGON_SERVERS
>         result                   : WERR_OK
[root@IPA /]# rpm -q ipa-server
ipa-server-4.2.0-15.0.1.el7.centos.19.x86_64
[root@IPA /]# ipa dns-update-system-records --dry-run
ipa: ERROR: unknown command 'dns-update-system-records'
If I try to manually look up that domain I get an NXDOMAIN
[root@IPA /]# nslookup -type=srv ldap._tcp.Default-First-Site-Name._sites.dc._msdcs.IPA_DOMAIN
Server:         127.0.0.1
Address:        127.0.0.1#53

** server can't find ldap._tcp.Default-First-Site-Name._sites.dc._msdcs.IPA_DOMAIN: NXDOMAIN
-- 
Thanks,
Todd
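Added example for this thread, not code from FreeIPA or from either poster: an offline checker for the AD-style DC discovery SRV records that a trusted AD forest looks up under the _msdcs subtree of the IPA domain. The expected record set is my assumption (the list I recall ipa-adtrust-install printing for a 4.x server; compare it with your own installer output), the zone lines are constructed to reproduce the symptom in the thread (plain _ldap._tcp/_kerberos records present, _msdcs subtree absent), and ipa.example.test is a placeholder domain. The parser accepts dig/zone-file style SRV lines, so a real zone dump can be fed in. It also flags a query name whose service label lacks the leading underscore, which is worth checking first: the nslookup at the end of the thread queries ldap._tcp.... rather than _ldap._tcp...., and that returns NXDOMAIN whether or not the record is published.

```python
#!/usr/bin/env python3
"""Offline check of the AD-style DC discovery SRV records for an IPA domain.

Hypothetical helper written for this thread, not FreeIPA code. The expected
record set is an assumption: it is the list I recall ipa-adtrust-install
printing for a 4.x server; compare it with your own installer output.
"""
from __future__ import annotations
from dataclasses import dataclass

# Site name FreeIPA uses when publishing AD-compatible records (assumption).
SITE = "Default-First-Site-Name"


@dataclass(frozen=True)
class SrvRecord:
    name: str
    priority: int
    weight: int
    port: int
    target: str


def expected_ad_discovery_names(ipa_domain: str) -> list[str]:
    """Owner names an AD DC queries (via the _msdcs subtree) to locate a DC
    for the trusted IPA forest. Names are normalised to lower case because
    DNS owner names are case-insensitive. The plain _ldap._tcp.<domain>
    record that IPA clients use is not enough for AD discovery."""
    d = ipa_domain.strip(".")
    names = [
        f"_ldap._tcp.dc._msdcs.{d}",
        f"_ldap._tcp.{SITE}._sites.dc._msdcs.{d}",
        f"_kerberos._tcp.dc._msdcs.{d}",
        f"_kerberos._udp.dc._msdcs.{d}",
        f"_kerberos._tcp.{SITE}._sites.dc._msdcs.{d}",
        f"_kerberos._udp.{SITE}._sites.dc._msdcs.{d}",
    ]
    return [n.lower() for n in names]


def parse_srv_lines(lines) -> list[SrvRecord]:
    """Parse answer lines in dig/zone-file form:
    '<name>. <ttl> IN SRV <prio> <weight> <port> <target>.'
    Lines that are not SRV records (A records, comments, ...) are skipped."""
    records = []
    for line in lines:
        parts = line.split()
        if len(parts) != 8 or parts[2].upper() != "IN" or parts[3].upper() != "SRV":
            continue
        name, _ttl, _cls, _rtype, prio, weight, port, target = parts
        records.append(SrvRecord(
            name=name.rstrip(".").lower(),
            priority=int(prio), weight=int(weight), port=int(port),
            target=target.rstrip(".").lower(),
        ))
    return records


def missing_ad_discovery_records(ipa_domain: str, records) -> list[str]:
    """Expected AD discovery names that have no SRV record in `records`."""
    present = {r.name for r in records}
    return [n for n in expected_ad_discovery_names(ipa_domain) if n not in present]


def well_formed_srv_query(name: str) -> bool:
    """True if the service and protocol labels carry their leading '_'.
    Dropping the underscore (ldap._tcp... instead of _ldap._tcp...) yields
    NXDOMAIN even when the record exists, so check the query before the zone."""
    labels = name.strip(".").split(".")
    return (len(labels) >= 3
            and labels[0].startswith("_")
            and labels[1].lower() in ("_tcp", "_udp"))


# Constructed zone snapshot that reproduces the symptom in the thread: the
# records an IPA server publishes for its own clients are present, the
# _msdcs subtree that AD discovery needs is not. ipa.example.test is a
# placeholder domain, not the poster's.
CONSTRUCTED_ZONE = """\
_ldap._tcp.ipa.example.test. 86400 IN SRV 0 100 389 ipa.ipa.example.test.
_kerberos._tcp.ipa.example.test. 86400 IN SRV 0 100 88 ipa.ipa.example.test.
_kerberos._udp.ipa.example.test. 86400 IN SRV 0 100 88 ipa.ipa.example.test.
ipa.ipa.example.test. 86400 IN A 192.0.2.10
""".splitlines()


if __name__ == "__main__":
    recs = parse_srv_lines(CONSTRUCTED_ZONE)
    for n in missing_ad_discovery_records("ipa.example.test", recs):
        print("missing:", n)
    # The query shape from the end of the thread, with and without the underscore.
    for q in ("ldap._tcp.Default-First-Site-Name._sites.dc._msdcs.ipa.example.test",
              "_ldap._tcp.Default-First-Site-Name._sites.dc._msdcs.ipa.example.test"):
        print(q, "->", "ok" if well_formed_srv_query(q) else "missing leading underscore")
```

To run it against a real zone, replace CONSTRUCTED_ZONE with the SRV lines from a zone transfer or from `dig +noall +answer SRV <name>` for each expected name; anything reported as missing is a record the AD DC cannot find, which matches the "unable to reach any IPA domain controller" outcome described above.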