On Thu, Sep 11, 2014 at 6:06 PM, Traiano Welcome <trai...@gmail.com> wrote:
> Hi Alexander
>
> On Thu, Sep 11, 2014 at 4:38 PM, Alexander Bokovoy <aboko...@redhat.com>
> wrote:
>
>> On Thu, 11 Sep 2014, Traiano Welcome wrote:
>>
>>> Hi List
>>>
>>> I'm currently working through the IPAv3 AD integration document at:
>>>
>>> http://www.freeipa.org/page/Howto/IPAv3_AD_trust_setup
>>>
>>> I've managed to establish a trust between the IdM and the AD server.
>>> However, when I run the command:
>>>
>>> ---
>>> [root@kwtpocidm001 ~]# ipa trustdomain-fetch "mhatest.local"
>>> ipa: ERROR: unknown command 'trustdomain-fetch'
>>> ---
>>>
>>> It would appear the 'trustdomain-fetch' command is not present anymore or
>>> has been replaced with something else?
>>>
>> No, it was my mistake when I expanded the wiki a few days ago. ;)
>>
>> # ipa trust 2>&1|grep ' trust'
>>   trust-add            Add new trust to use.
>>   trust-del            Delete a trust.
>>   trust-fetch-domains  Refresh list of the domains associated with the trust
>>   trust-find           Search for trusts.
>>   trust-mod            Modify a trust (for future use).
>>   trust-show           Display information about a trust.
>>   trustconfig-mod      Modify global trust configuration.
>>   trustconfig-show     Show global trust configuration.
>>   trustdomain-del      Remove infromation about the domain associated with the trust.
>>   trustdomain-disable  Disable use of IPA resources by the domain of the trust
>>   trustdomain-enable   Allow use of IPA resources by the domain of the trust
>>   trustdomain-find     Search domains of the trust
>>
>> I fixed the page to use the proper one -- trust-fetch-domains.
>>
>
> Excellent. Thanks.
>
>> I speculate it's this:
>>>
>>> ---
>>> [root@kwtpocidm001 ~]# ipa trust-fetch-domains "mhatest.local"
>>> ipa: ERROR: AD domain controller complains about communication sequence. It may mean unsynchronized time on both sides, for example
>>> ---
>>>
>>> Is this correct?
>>>
>>> If indeed "trust-fetch-domains" is the correct command, then w.r.t. this
>>> error message:
>>>
>>> "ipa: ERROR: AD domain controller complains about communication sequence.
>>> It may mean unsynchronized time on both sides, for example"
>>>
>>> a) Checked the time synch on the AD server and the RHEL 7 IdM server and
>>> it's fine.
>>>
>> Check time zone. I've seen many times that time zone on test Windows
>> installs is set to PDT while your actual zone might be something
>> different; thus it gets out of sync.
>>
>
> Timezones appear synced/the same:
>
> - IPA server: Thu Sep 11 18:01:58 AST 2014
> - Windows AD server: Thursday, September 11, 2014, 6:02:10 PM TZ:
>   (UTC+03:00) Kuwait, Riyadh
>

Just to confirm they're both in sync, I've set the IdM server to use the AD DC as an ntp service:

---
[root@kwtpocidm001 ~]# ntpdate -u 172.16.107.109
11 Sep 19:29:11 ntpdate[2736]: adjust time server 172.16.107.109 offset -0.146107 sec
---

>> b) Here's a snippet around the error when running ipa with "-d":
>>>
>> This one is not usable. You need to enable debugging on the server side.
>> See http://www.freeipa.org/page/Howto/IPAv3_AD_trust_setup#Debugging_trust
>> in the part where it talks about /usr/share/ipa/smb.conf.empty.
>>
>
> I've attached the debug logs, I'd be thankful if you could find anything
> in them!
>
>> --
>> / Alexander Bokovoy
>>
>
> Traiano Welcome
--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go To http://freeipa.org for more info on the project