Hello
I am running CentOS 7.9
FreeIPA 4.6.8
Installed with integrated DNS and CA
A replica will be installed after the trust is established with the AD domain.

When trying to create a trust with AD I get the following error message (it
seems to be somewhat random but goes back and forth between these two):
Fetching domains from trusted forest failed
OR
ipa: ERROR: cannot connect to 'https://<server>/ipa/session/json': Gateway Timeout

I have done the following to troubleshoot:

- disabled SELinux, which makes no difference

- checked firewall ports. For your reference I have the following defined:
  services: freeipa-ldap, freeipa-ldaps, http, https, kerberos, ntp, dns, ssh
  ports: 749/tcp, 7389/tcp, 8005/tcp, 8009/tcp

- checked DNS; it all verifies properly according to 5.2.1.2
https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/html/windows_integration_guide/trust-during#trust-set-up-idm

- enabled debugging per 
https://www.freeipa.org/page/Active_Directory_trust_setup#Establish_and_verify_cross-forest_trust

- disabled DNSSEC per https://access.redhat.com/solutions/2263991


I do see something of interest in the error_log but I am not sure if this is 
the problem.

wsgi:error Timeout when reading response headers from daemon process 'ipa': /usr/share/ipa/wsgi.py
ipa: ERROR: Failed to call com.redhat.idm.trust.fetch_domains helper. DBus exception is org.freedesktop.DBus.Error.NoReply: Did not receive a reply. Possible causes include: the remote application did not send a reply, the message bus security policy blocked the reply, the reply timeout expired, or the network connection was broken.
ipa: ERROR: Helper fetch_domain was called for forest <forest_name_here>, return code is 2

Any assistance you can provide is appreciated!


_______________________________________________
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org