On Thu, 11 Sep 2014, Traiano Welcome wrote:
> Hi List
> I'm currently working through the IPAv3 AD integration document at:
> http://www.freeipa.org/page/Howto/IPAv3_AD_trust_setup
> I've managed to establish a trust between the IdM and the AD server.
> However, when I run the command:
> ---
> [root@kwtpocidm001 ~]# ipa trustdomain-fetch "mhatest.local"
> ipa: ERROR: unknown command 'trustdomain-fetch'
> ---
> It would appear the 'trustdomain-fetch' command is not present anymore or
> has been replaced with something else?

No, it was my mistake when I expanded the wiki a few days ago. ;)
# ipa trust 2>&1|grep ' trust'
  trust-add            Add new trust to use.
  trust-del            Delete a trust.
  trust-fetch-domains  Refresh list of the domains associated with the trust
  trust-find           Search for trusts.
  trust-mod            Modify a trust (for future use).
  trust-show           Display information about a trust.
  trustconfig-mod      Modify global trust configuration.
  trustconfig-show     Show global trust configuration.
  trustdomain-del      Remove infromation about the domain associated with the trust.
  trustdomain-disable  Disable use of IPA resources by the domain of the trust
  trustdomain-enable   Allow use of IPA resources by the domain of the trust
  trustdomain-find     Search domains of the trust
I fixed the page to use the proper one -- trust-fetch-domains.

> I speculate it's this:
> ---
> [root@kwtpocidm001 ~]# ipa trust-fetch-domains "mhatest.local"
> ipa: ERROR: AD domain controller complains about communication sequence. It
> may mean unsynchronized time on both sides, for example
> ---
> Is this correct?
> If indeed "trust-fetch-domains" is the correct command, then w.r.t. this
> error message:
> "ipa: ERROR: AD domain controller complains about communication sequence.
> It may mean unsynchronized time on both sides, for example"
> a) Checked the time synch on the AD server and the RHEL 7 IdM server and
> it's fine.

Check time zone. I've seen many times that time zone on test Windows
installs is set to PDT while your actual zone might be something
different; thus it gets out of sync.

> b) Here's a snippet around the error when running ipa with "-d":

This one is not usable. You need to enable debugging on the server side.
See http://www.freeipa.org/page/Howto/IPAv3_AD_trust_setup#Debugging_trust
in the part where it talks about /usr/share/ipa/smb.conf.empty.
--
/ Alexander Bokovoy
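
Added example, not part of the original thread: the time zone point above, worked through by converting each host's displayed wall clock to UTC with its configured offset and comparing the results. The host names and clock readings are constructed, and the 300-second tolerance is an assumption (the common Kerberos default), not a value stated in the thread.

```python
from datetime import datetime, timedelta, timezone

# Assumption: 300 s is the common default Kerberos clock-skew tolerance;
# the thread does not state a limit.
MAX_SKEW_SECONDS = 300

def to_utc(wall_clock, utc_offset_hours):
    """Interpret a displayed local time using the host's configured UTC offset."""
    tz = timezone(timedelta(hours=utc_offset_hours))
    local = datetime.strptime(wall_clock, "%Y-%m-%d %H:%M:%S").replace(tzinfo=tz)
    return local.astimezone(timezone.utc)

def skew_report(reference, others):
    """Return {host: (skew_seconds, within_tolerance)} relative to `reference`.

    Each host is a (name, wall_clock, utc_offset_hours) tuple.
    """
    ref_utc = to_utc(reference[1], reference[2])
    report = {}
    for name, wall_clock, offset in others:
        skew = (to_utc(wall_clock, offset) - ref_utc).total_seconds()
        report[name] = (skew, abs(skew) <= MAX_SKEW_SECONDS)
    return report

# Constructed sample readings (hypothetical host names, not from the thread).
IDM = ("idm.example.test", "2014-09-11 10:00:05", +3)
AD_HOSTS = [
    # Wall clock set by hand to "look right", zone left at PDT (UTC-7).
    ("ad-pdt.example.test", "2014-09-11 10:00:00", -7),
    # Similar wall clock, zone matching the IdM server.
    ("ad-ok.example.test", "2014-09-11 10:00:02", +3),
]

if __name__ == "__main__":
    for host, (skew, ok) in skew_report(IDM, AD_HOSTS).items():
        print(f"{host}: skew {skew:+.0f}s -> {'ok' if ok else 'OUT OF TOLERANCE'}")
```

Both AD readings show nearly the same wall clock as the IdM server, yet the one left at PDT is almost ten hours off in UTC, which is the comparison that matters.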