On Tue, 09 Mar 2021, iulian roman via FreeIPA-users wrote:
Hello,

I try to configure trust between a FreeIPA domain and Active Directory.
They are both in different domains (ipa domain: ipadev.test.local , ad
domain: iam.intern ) and use external DNS. I have configured/verified
all prerequisites, but when I run ipa trust-add command, I get the
following error:

ipa: ERROR: AD domain controller complains about communication sequence. It may mean unsynchronized time on both sides, for example

I have enabled debug for samba but I cannot make much sense of the debug
information in error.log:

s4_tevent: Added timed event "composite_trigger": 0x7f9324240e30
s4_tevent: Ending timer event 0x7f932424ed50 "composite_trigger"
s4_tevent: Running timer event 0x7f9324240e30 "composite_trigger"
s4_tevent: Ending timer event 0x7f9324240e30 "composite_trigger"
s4_tevent: Added timed event "connect_multi_timer": 0x7f9324240cc0
s4_tevent: Schedule immediate event "tevent_req_trigger": 0x7f9324403310
s4_tevent: Run immediate event "tevent_req_trigger": 0x7f9324403310
s4_tevent: Destroying timer event 0x7f9324240cc0 "connect_multi_timer"
Socket options:
       SO_KEEPALIVE = 0
       SO_REUSEADDR = 0
       SO_BROADCAST = 0
       TCP_NODELAY = 1
       TCP_KEEPCNT = 9
       TCP_KEEPIDLE = 300
       TCP_KEEPINTVL = 75
       IPTOS_LOWDELAY = 0
       IPTOS_THROUGHPUT = 0
       SO_REUSEPORT = 0
       SO_SNDBUF = 2626560
       SO_RCVBUF = 1061808
       SO_SNDLOWAT = 1
       SO_RCVLOWAT = 1
       SO_SNDTIMEO = 0
       SO_RCVTIMEO = 0
       TCP_QUICKACK = 1
       TCP_DEFER_ACCEPT = 0
s4_tevent: Added timed event "tevent_req_timedout": 0x7f932424ed50
s4_tevent: Schedule immediate event "tevent_queue_immediate_trigger": 0x7f9324240cc0
s4_tevent: Run immediate event "tevent_queue_immediate_trigger": 0x7f9324240cc0
s4_tevent: Destroying timer event 0x7f932424ed50 "tevent_req_timedout"
s4_tevent: Schedule immediate event "tevent_req_trigger": 0x7f932425c370
s4_tevent: Run immediate event "tevent_req_trigger": 0x7f932425c370
s4_tevent: Added timed event "tevent_req_timedout": 0x7f9324016970
Starting GENSEC mechanism spnego
SPNEGO: Could not find a suitable mechtype in NEG_TOKEN_INIT
s4_tevent: Schedule immediate event "tevent_req_trigger": 0x7f9324403310
s4_tevent: Run immediate event "tevent_req_trigger": 0x7f9324403310
s4_tevent: Destroying timer event 0x7f9324016970 "tevent_req_timedout"
s4_tevent: Destroying timer event 0x7f932401f730 "dcerpc_connect_timeout_handler"
[Tue Mar 09 09:51:12.685725 2021] [wsgi:error] [pid 29053:tid 140270172727040] [remote 10.30.214.119:36488] ipa: INFO: [jsonserver_session] cifs/ipadev01.test.lo...@ipadev.test.LOCAL: trust_add/1(u'IAM.INTERN', trust_type=u'ad', realm_admin=u'admin', realm_passwd=u'********', realm_server=u'10.30.201.46', version=u'2.232'): RemoteRetrieveError

Any idea what I should look into?

A couple of notes.

0. It is unclear what the OS, its version, and the Samba and IPA versions are.
The IPA API version is said to be 2.232, so this is most likely a FreeIPA 4.8
pre-release, like 4.7.91 -- is this Ubuntu? If it is Ubuntu, then the trust
to AD feature is not supported on Ubuntu. On the other hand, the version
in the IPA API call is the version sent by the client.

In your previous communication on this list you stated that your
deployment is
        FreeIPA version: 4.7.4 on Ubuntu 18.04

This is *not supported* for trust to AD feature, at all.

If this is a CentOS or RHEL 8 server, knowing the exact distro version is
important because in RHEL 8.3 we got rid of the RC4 cipher in the default
configuration for Kerberos authentication. This is documented in the
RHEL 8.3 release notes.

1. The log above shows that you ran 'ipa trust-add' as a cifs/...
principal, not as the IPA 'admin'. Please fix and re-try.

 kinit admin
 ipa trust-add ...

2. The response sequence above states that when using the AD administrator
'admin@IAM.INTERN' credentials, we cannot really agree on the supported
mechanism with the chosen AD DC.

        Starting GENSEC mechanism spnego
        SPNEGO: Could not find a suitable mechtype in NEG_TOKEN_INIT

This might mean multiple things. For example, the AD side doesn't have AES
ciphers enabled for this particular user and on the IPA side the system-wide
crypto policy prevents using the RC4 cipher, as I said above. But it also
might mean you are running the IPA server on Ubuntu and it could be a
combination of an unsupported MIT/Heimdal mix at runtime.


--
/ Alexander Bokovoy
Sr. Principal Software Engineer
Security / Identity Management Engineering
Red Hat Limited, Finland
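As an added illustration of point 2 (this is not part of Alexander's reply nor FreeIPA's own code): a small Python check that decodes an AD account's msDS-SupportedEncryptionTypes bits and intersects them with the enctypes the IPA host's crypto policy permits, so an empty intersection is the no-common-mechanism situation described above. The policy file contents are constructed samples modelled on the RHEL 8.3 DEFAULT policy and its AD-SUPPORT subpolicy; the bit values follow MS-KILE.

```python
import re

# Bit flags of the AD attribute msDS-SupportedEncryptionTypes (MS-KILE).
AD_ENCTYPE_BITS = {
    0x01: "des-cbc-crc",
    0x02: "des-cbc-md5",
    0x04: "rc4-hmac",
    0x08: "aes128-cts-hmac-sha1-96",
    0x10: "aes256-cts-hmac-sha1-96",
}


def decode_ad_enctypes(value):
    """Enctypes an AD account advertises, as a set of krb5 enctype names.

    A missing or zero attribute means the DC falls back to RC4 for that
    account, which is exactly the case that collides with a no-RC4 policy.
    """
    if not value:
        return {"rc4-hmac"}
    return {name for bit, name in AD_ENCTYPE_BITS.items() if value & bit}


def parse_policy_enctypes(text):
    """permitted_enctypes from the crypto-policies krb5 back-end file
    (on RHEL 8 that is /etc/crypto-policies/back-ends/krb5.config)."""
    m = re.search(r"^\s*permitted_enctypes\s*=\s*(.+?)\s*$", text, re.M)
    return set(m.group(1).split()) if m else set()


def common_enctypes(ad_value, policy_text):
    """Enctypes both sides accept; an empty set means no usable mechanism."""
    return decode_ad_enctypes(ad_value) & parse_policy_enctypes(policy_text)


# Constructed sample: DEFAULT policy as shipped since RHEL 8.3 (no rc4-hmac)
# and the same file with the AD-SUPPORT subpolicy, which re-adds rc4-hmac.
DEFAULT_POLICY = """[libdefaults]
permitted_enctypes = aes256-cts-hmac-sha1-96 aes256-cts-hmac-sha384-192 camellia256-cts-cmac aes128-cts-hmac-sha1-96 aes128-cts-hmac-sha256-128 camellia128-cts-cmac
"""
AD_SUPPORT_POLICY = DEFAULT_POLICY.rstrip("\n") + " rc4-hmac\n"

if __name__ == "__main__":
    # AD admin with the attribute unset (RC4 only) against the no-RC4 default.
    print(common_enctypes(0, DEFAULT_POLICY))        # set()
    # The same account once AD-SUPPORT is enabled on the IPA side.
    print(common_enctypes(0, AD_SUPPORT_POLICY))     # {'rc4-hmac'}
    # Account with "This account supports Kerberos AES 128/256" set (0x18).
    print(sorted(common_enctypes(0x18, DEFAULT_POLICY)))
```

The fix on the AD side is to enable AES for the account (value 0x18 or higher); the IPA-side alternative is the AD-SUPPORT subpolicy, at the cost of accepting RC4 again.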
_______________________________________________
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org