Hi, I'm trying to establish a two way trust with an AD domain and seem to be running into some issues. I am able to establish a one way trust following the guide at https://www.freeipa.org/page/Active_Directory_trust_setup without any issues. When I destroy that trust and try to establish a new one with two-way specified to the same AD domain it throws what I believe to be a misleading error message and the trust is not established.
[root@IPA.DOMAIN /]# ipa trust-add --type=ad AD_DOMAIN --admin AD_ADMIN_USER --password --two-way=true
Active Directory domain administrator's password:
ipa: ERROR: AD DC was unable to reach any IPA domain controller. Most likely it is a DNS or firewall issue
I've checked that both the AD DC and the FreeIPA hosts can resolve the service entries and verified that there are no firewall blocks in place between these two hosts. I believe the issue is an LDAP permission issue of some sort, based on the following log snippet:
[29/May/2018:16:59:07 +0000] conn=1227 op=25 ADD dn="krbPrincipalName=krbtgt/AD_DOMAIN@IPA.DOMAIN,cn=AD_DOMAIN,cn=ad,cn=trusts,dc=arizona,dc=cui"
[29/May/2018:16:59:07 +0000] conn=1227 op=25 RESULT err=0 tag=105 nentries=0 etime=0 csn=5b0d876e000c00040000
[29/May/2018:16:59:07 +0000] conn=1227 op=26 EXT oid="2.16.840.1.113730.3.8.10.1" name="Keytab Retrieval Extended Operation"
[29/May/2018:16:59:07 +0000] conn=1227 op=26 RESULT err=0 tag=120 nentries=0 etime=0
[29/May/2018:16:59:07 +0000] conn=1227 op=27 SRCH base="cn=ad,cn=trusts,dc=IPA,dc=DOMAIN" scope=2 filter="(&(objectClass=ipaNTTrustedDomain)(|(ipaNTFlatName=AD_DOMAIN)(ipaNTTrustPartner=AD_DOMAIN)(cn=AD_DOMAIN)))" attrs=ALL
[29/May/2018:16:59:07 +0000] conn=1227 op=27 RESULT err=0 tag=101 nentries=1 etime=0
[29/May/2018:16:59:07 +0000] conn=1227 op=28 SRCH base="cn=ad,cn=trusts,dc=IPA,dc=DOMAIN" scope=2 filter="(&(objectClass=ipaNTTrustedDomain)(ipaNTTrustedDomainSID=S-1-5-21-3264147221-199175665-3033697611))" attrs=ALL
[29/May/2018:16:59:07 +0000] conn=1227 op=28 RESULT err=0 tag=101 nentries=1 etime=0
[29/May/2018:16:59:07 +0000] conn=1227 op=29 SRCH base="cn=ad,cn=trusts,dc=IPA,dc=DOMAIN" scope=2 filter="(&(objectClass=ipaNTTrustedDomain)(|(ipaNTFlatName=AD_DOMAIN)(ipaNTTrustPartner=AD_DOMAIN)(cn=AD_DOMAIN)))" attrs=ALL
[29/May/2018:16:59:07 +0000] conn=1227 op=29 RESULT err=0 tag=101 nentries=1 etime=0
[29/May/2018:16:59:07 +0000] conn=1227 op=30 MOD dn="cn=AD_DOMAIN,cn=ad,cn=trusts,dc=IPA,dc=DOMAIN"
[29/May/2018:16:59:07 +0000] conn=1227 op=30 RESULT err=50 tag=103 nentries=0 etime=0 csn=5b0d876e000f00040000
[29/May/2018:16:59:07 +0000] conn=1227 op=31 SRCH base="cn=ad,cn=trusts,dc=IPA,dc=DOMAIN" scope=2 filter="(&(objectClass=ipaNTTrustedDomain)(ipaNTTrustedDomainSID=S-1-5-21-3264147221-199175665-3033697611))" attrs=ALL
[29/May/2018:16:59:07 +0000] conn=1227 op=31 RESULT err=0 tag=101 nentries=1 etime=0
[29/May/2018:16:59:07 +0000] conn=1227 op=32 SRCH base="cn=ad,cn=trusts,dc=IPA,dc=DOMAIN" scope=2 filter="(&(objectClass=ipaNTTrustedDomain)(ipaNTTrustedDomainSID=S-1-5-21-3264147221-199175665-3033697611))" attrs=ALL
[29/May/2018:16:59:07 +0000] conn=1227 op=32 RESULT err=0 tag=101 nentries=1 etime=0
[29/May/2018:16:59:07 +0000] conn=1227 op=33 SRCH base="cn=ad,cn=trusts,dc=IPA,dc=DOMAIN" scope=2 filter="(&(objectClass=ipaNTTrustedDomain)(|(ipaNTFlatName=AD_DOMAIN)(ipaNTTrustPartner=AD_DOMAIN)(cn=AD_DOMAIN)))" attrs=ALL
[29/May/2018:16:59:07 +0000] conn=1227 op=33 RESULT err=0 tag=101 nentries=1 etime=0
[29/May/2018:16:59:07 +0000] conn=1227 op=34 MOD dn="cn=AD_DOMAIN,cn=ad,cn=trusts,dc=IPA,dc=DOMAIN"
[29/May/2018:16:59:07 +0000] conn=1227 op=34 RESULT err=50 tag=103 nentries=0 etime=0 csn=5b0d876e001000040000
I have run kinit prior to issuing the trust-add in both the two-way and one-way setup commands.
Any thoughts where I should go from here?
Thanks, Todd
On Tue, 29 May 2018, Merritt, Todd R - (tmerritt) via FreeIPA-users wrote:
How did you destroy that trust?
Add 'log level = 100' to /usr/share/ipa/smb.conf.empty and re-try with 'ipa trust-add'. You'll get additional debug information in httpd's error_log. Provide that one off-list.
On 5/29/18, 7:59 PM, "Alexander Bokovoy" abokovoy@redhat.com wrote:
Thanks, I removed it with trust-del
[root@IPA.DOMAIN /]# ipa trust-del AD_DOMAIN
-------------------------
Deleted trust "AD_DOMAIN"
-------------------------
I'll send you a copy of the http error log directly.
Thanks, Todd
On Wed, 30 May 2018, Merritt, Todd R - (tmerritt) wrote:
Thanks. Looking at the error_log, I see two issues:
Validation of the trust failed because AD DCs were unable to reach IPA DCs. This typically means the AD DCs are unable to discover IPA DCs over DNS SRV records -- they look them up using standard Active Directory discovery means, e.g. trying to find the SRV record for _ldap._tcp.Default-First-Site-Name._sites.dc._msdcs.$IPA_DOMAIN
Can you show output of 'ipa dns-update-system-records --dry-run'?
netr_LogonControl2Ex: struct netr_LogonControl2Ex
    out: struct netr_LogonControl2Ex
        query                    : *
            query                : union netr_CONTROL_QUERY_INFORMATION(case 2)
            info2                : *
                info2: struct netr_NETLOGON_INFO_2
                    flags                : 0x00000080 (128)
                           0: NETLOGON_REPLICATION_NEEDED
                           0: NETLOGON_REPLICATION_IN_PROGRESS
                           0: NETLOGON_FULL_SYNC_REPLICATION
                           0: NETLOGON_REDO_NEEDED
                           0: NETLOGON_HAS_IP
                           0: NETLOGON_HAS_TIMESERV
                           0: NETLOGON_DNS_UPDATE_FAILURE
                           1: NETLOGON_VERIFY_STATUS_RETURNED
                    pdc_connection_status : WERR_NO_LOGON_SERVERS
                    trusted_dc_name      : *
                        trusted_dc_name  : ''
                    tc_connection_status : WERR_NO_LOGON_SERVERS
        result                   : WERR_OK
On 5/30/18, 10:59 PM, "Alexander Bokovoy" abokovoy@redhat.com wrote:
[root@IPA /]# rpm -q ipa-server
ipa-server-4.2.0-15.0.1.el7.centos.19.x86_64
[root@IPA /]# ipa dns-update-system-records --dry-run
ipa: ERROR: unknown command 'dns-update-system-records'
If I try to manually look up that name I get an NXDOMAIN:
[root@IPA /]# nslookup -type=srv ldap._tcp.Default-First-Site-Name._sites.dc._msdcs.IPA_DOMAIN
Server:         127.0.0.1
Address:        127.0.0.1#53

** server can't find ldap._tcp.Default-First-Site-Name._sites.dc._msdcs.IPA_DOMAIN: NXDOMAIN
--
Thanks,
Todd
On Thu, 31 May 2018, Merritt, Todd R - (tmerritt) wrote:
Ok, 4.2 doesn't have that command.
On my single master setup it looks like this:

# ipa dns-update-system-records --dry-run | sed -e 's/xs.ipa.cool/IPA_DOMAIN/g;s/nyx/ipa-server/g'
IPA DNS records:
  _kerberos-master._tcp.IPA_DOMAIN. 86400 IN SRV 0 100 88 ipa-server.IPA_DOMAIN.
  _kerberos-master._udp.IPA_DOMAIN. 86400 IN SRV 0 100 88 ipa-server.IPA_DOMAIN.
  _kerberos._tcp.Default-First-Site-Name._sites.dc._msdcs.IPA_DOMAIN. 86400 IN SRV 0 100 88 ipa-server.IPA_DOMAIN.
  _kerberos._tcp.dc._msdcs.IPA_DOMAIN. 86400 IN SRV 0 100 88 ipa-server.IPA_DOMAIN.
  _kerberos._tcp.IPA_DOMAIN. 86400 IN SRV 0 100 88 ipa-server.IPA_DOMAIN.
  _kerberos._udp.Default-First-Site-Name._sites.dc._msdcs.IPA_DOMAIN. 86400 IN SRV 0 100 88 ipa-server.IPA_DOMAIN.
  _kerberos._udp.dc._msdcs.IPA_DOMAIN. 86400 IN SRV 0 100 88 ipa-server.IPA_DOMAIN.
  _kerberos._udp.IPA_DOMAIN. 86400 IN SRV 0 100 88 ipa-server.IPA_DOMAIN.
  _kerberos.IPA_DOMAIN. 86400 IN TXT "IPA_DOMAIN"
  _kpasswd._tcp.IPA_DOMAIN. 86400 IN SRV 0 100 464 ipa-server.IPA_DOMAIN.
  _kpasswd._udp.IPA_DOMAIN. 86400 IN SRV 0 100 464 ipa-server.IPA_DOMAIN.
  _ldap._tcp.Default-First-Site-Name._sites.dc._msdcs.IPA_DOMAIN. 86400 IN SRV 0 100 389 ipa-server.IPA_DOMAIN.
  _ldap._tcp.dc._msdcs.IPA_DOMAIN. 86400 IN SRV 0 100 389 ipa-server.IPA_DOMAIN.
  _ldap._tcp.IPA_DOMAIN. 86400 IN SRV 0 100 389 ipa-server.IPA_DOMAIN.
  ipa-ca.IPA_DOMAIN. 86400 IN A some-ipv4-address
  ipa-ca.IPA_DOMAIN. 86400 IN AAAA some-ipv6-address
You need the entries that exist in _msdcs.IPA_DOMAIN; these are the ones searched by AD DCs.
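As an added example (not code from the thread or from FreeIPA), the check below takes a record listing in the form `ipa dns-update-system-records --dry-run` prints, reports which of the `_msdcs` SRV names an AD DC queries during trust validation are absent, and restores the leading underscore that was dropped from the `nslookup` query name above. The site name `Default-First-Site-Name`, the sample listing (with one record deliberately missing) and the use of `dig` for the live variant are assumptions.

```python
"""Check the _msdcs SRV records an AD DC needs to discover IPA DCs.

Added example, not code from the thread or from FreeIPA. Parses
"name TTL IN SRV prio weight port target" lines, reports which of the
names AD DCs query are absent, and fixes a dropped-underscore query name.
"""
import re
import shutil
import subprocess

# Site name assumed to be the default one seen in the thread's listing.
SITE = "Default-First-Site-Name"

# Labels that must carry a leading underscore in an SRV owner name.
UNDERSCORE_LABELS = {"ldap", "kerberos", "kpasswd", "tcp", "udp", "sites", "msdcs"}

SRV_RE = re.compile(
    r"^\s*(?P<name>\S+)\s+(?P<ttl>\d+)\s+IN\s+SRV\s+"
    r"(?P<prio>\d+)\s+(?P<weight>\d+)\s+(?P<port>\d+)\s+(?P<target>\S+)\s*$"
)

# Constructed sample modeled on the dry-run listing in the thread, with
# _ldap._tcp.dc._msdcs deliberately left out so that a gap is detected.
SAMPLE_DRY_RUN = """\
IPA DNS records:
  _kerberos._tcp.Default-First-Site-Name._sites.dc._msdcs.IPA_DOMAIN. 86400 IN SRV 0 100 88 ipa-server.IPA_DOMAIN.
  _kerberos._tcp.dc._msdcs.IPA_DOMAIN. 86400 IN SRV 0 100 88 ipa-server.IPA_DOMAIN.
  _kerberos._tcp.IPA_DOMAIN. 86400 IN SRV 0 100 88 ipa-server.IPA_DOMAIN.
  _kerberos._udp.Default-First-Site-Name._sites.dc._msdcs.IPA_DOMAIN. 86400 IN SRV 0 100 88 ipa-server.IPA_DOMAIN.
  _kerberos._udp.dc._msdcs.IPA_DOMAIN. 86400 IN SRV 0 100 88 ipa-server.IPA_DOMAIN.
  _kerberos.IPA_DOMAIN. 86400 IN TXT "IPA_DOMAIN"
  _ldap._tcp.Default-First-Site-Name._sites.dc._msdcs.IPA_DOMAIN. 86400 IN SRV 0 100 389 ipa-server.IPA_DOMAIN.
  _ldap._tcp.IPA_DOMAIN. 86400 IN SRV 0 100 389 ipa-server.IPA_DOMAIN.
  ipa-ca.IPA_DOMAIN. 86400 IN A 192.0.2.10
"""


def required_msdcs_names(ipa_domain, site=SITE):
    """The six _msdcs SRV owner names (no trailing dot) that AD DCs look
    up, taken from the dry-run listing quoted in the thread."""
    d = ipa_domain.rstrip(".")
    names = []
    for svc in ("_ldap", "_kerberos"):
        names.append(f"{svc}._tcp.dc._msdcs.{d}")
        names.append(f"{svc}._tcp.{site}._sites.dc._msdcs.{d}")
    names.append(f"_kerberos._udp.dc._msdcs.{d}")
    names.append(f"_kerberos._udp.{site}._sites.dc._msdcs.{d}")
    return names


def parse_srv_records(text):
    """Map lower-cased owner name -> [(prio, weight, port, target), ...].
    Lines that are not SRV records (header, TXT, A, AAAA) are skipped."""
    records = {}
    for line in text.splitlines():
        m = SRV_RE.match(line)
        if not m:
            continue
        name = m["name"].rstrip(".").lower()
        records.setdefault(name, []).append(
            (int(m["prio"]), int(m["weight"]), int(m["port"]), m["target"].rstrip("."))
        )
    return records


def missing_msdcs_records(ipa_domain, text, site=SITE):
    """Required _msdcs names that do not appear in the record listing."""
    have = parse_srv_records(text)
    return [n for n in required_msdcs_names(ipa_domain, site) if n.lower() not in have]


def check_query_name(name):
    """Restore missing leading underscores, so 'ldap._tcp...' becomes
    '_ldap._tcp...' (the typo from the thread); a correct name comes back
    unchanged. Assumes no domain label is spelled like a service label."""
    labels = name.rstrip(".").split(".")
    return ".".join("_" + lab if lab in UNDERSCORE_LABELS else lab for lab in labels)


def live_missing_msdcs_records(ipa_domain, site=SITE, resolver=None):
    """Same check against a real resolver via dig (needs dig on PATH and
    network access); not exercised by the constructed sample above."""
    if shutil.which("dig") is None:
        raise RuntimeError("dig not found on PATH")
    missing = []
    for name in required_msdcs_names(ipa_domain, site):
        cmd = ["dig", "+short", "SRV", name] + (["@" + resolver] if resolver else [])
        out = subprocess.run(cmd, capture_output=True, text=True, check=False).stdout
        if not out.strip():
            missing.append(name)
    return missing
```

Run `missing_msdcs_records("IPA_DOMAIN", SAMPLE_DRY_RUN)` on the sample to see the deliberately omitted `_ldap._tcp.dc._msdcs` name reported; `live_missing_msdcs_records` does the same against the DNS server the AD DCs actually use.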
On 5/31/18, 11:32 AM, "Alexander Bokovoy" abokovoy@redhat.com wrote:
Thanks Alexander. The DNS entries were actually correct, I had a missing _ in my test query, but thank you for pointing me in the right direction. The underlying issues ended up being a mix of firewall permits on the Windows side and a number of missing port bindings to my Docker container where IPA was running, for 135/tcp and 1024-1300/tcp. After correcting those issues I was able to establish the trust.
-- Todd
On 6/1/18, 12:20 PM, "Merritt, Todd R - (tmerritt) via FreeIPA-users" freeipa-users@lists.fedorahosted.org wrote:
Well, I _thought_ I had the trust established. I tried to run kvno -S cifs adserver.example.com per https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/htm..., but I get an error that the server is not found in the Kerberos database. I tried to subsequently run "ipa trust-fetch-domains AD_DOMAIN" and got an error that the time may not be in sync between the IPA and AD DC, but I verified that the time is synced between them. I have a copy of the error log from the IPA server from trying to run trust-fetch-domains if that's helpful.
-- Thanks, Todd
On Thu, 14 June 2018, Merritt, Todd R - (tmerritt) via FreeIPA-users wrote:
Yes, please provide any logs you could. ;)
freeipa-users@lists.fedorahosted.org