Re: [Freeipa-users] FreeIPA Active directory Integration: ipa "unknown command trustdomain-fetch"

[Alexander Bokovoy]

On Thu, 11 Sep 2014, Traiano Welcome wrote:

Hi List

I'm currently working through the IPAv3 AD integration document at:

http://www.freeipa.org/page/Howto/IPAv3_AD_trust_setup


I've managed to establish a trust between the IdM and the AD server.
However, when I run the command:

---
[root@kwtpocidm001 ~]# ipa trustdomain-fetch "mhatest.local"
ipa: ERROR: unknown command 'trustdomain-fetch'
---

It would appear the  'trustdomain-fetch' command is not present anymore or
has been replaced with something else?

No, it was my mistake when I expanded the wiki few days ago. ;)

# ipa trust 2>&1|grep '  trust'
 trust-add            Add new trust to use.
 trust-del            Delete a trust.
 trust-fetch-domains  Refresh list of the domains associated with the trust
 trust-find           Search for trusts.
 trust-mod            Modify a trust (for future use).
 trust-show           Display information about a trust.
 trustconfig-mod      Modify global trust configuration.
 trustconfig-show     Show global trust configuration.
 trustdomain-del      Remove infromation about the domain associated with the 
trust.
 trustdomain-disable  Disable use of IPA resources by the domain of the trust
 trustdomain-enable   Allow use of IPA resources by the domain of the trust
 trustdomain-find     Search domains of the trust

I fixed the page to use proper one -- trust-fetch-domains.

I speculate it's this:

---
[root@kwtpocidm001 ~]# ipa trust-fetch-domains "mhatest.local"
ipa: ERROR: AD domain controller complains about communication sequence. It
may mean unsynchronized time on both sides, for example
---

Is this correct?


If indeed "trust-fetch-domains" is the correct command, then .w.r.t this
error message:

"ipa: ERROR: AD domain controller complains about communication sequence.
It may mean unsynchronized time on both sides, for example"

a) Checked the time synch on the AD server and the RHEL 7 IdM server and
it's fine.

Check time zone. I've seen many times that time zone on test Windows
installs is set to PDT while your actual zone might be something
different; thus it gets out of sync.

b) Here's a snippet around the error when running ipa with "-d":

This one is not usable. You need to enable debugging on the server side.
See http://www.freeipa.org/page/Howto/IPAv3_AD_trust_setup#Debugging_trust
in the part where it talks about /usr/share/ipa/smb.conf.empty.

--
/ Alexander Bokovoy

--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go To http://freeipa.org for more info on the project