On 3/18/15, 9:48 AM, "Alexander Bokovoy" <aboko...@redhat.com> wrote:
>On Wed, 18 Mar 2015, Gould, Joshua wrote:
>>On 3/18/15, 4:28 AM, "Alexander Bokovoy" <aboko...@redhat.com> wrote:
>>
>>>On Wed, 18 Mar 2015, Gould, Joshua wrote:
>>>>
>>>>
>>>>I'll be happy to remove the AD section from the sssd.conf file and test
>>>>but I think there's more going on. The AD section was generated from
>>>>the
>>>>IPA client install. I never manually added anything other than "pac" to
>>>>the services line under the [sssd] section and the two ldap_idmap_range
>>>>options.
>>>Show your /var/log/ipaclient-install.log. ipa-client-install has no
>>>support to generate sections for AD at all.
>>
>>I think then it would have to be the "ipa trust-add" command which
>>generates those sections then? The command that I used was:
>No, it is not. We don't have *any* code that could have generated that
>section in FreeIPA.

Since we're still in the test phase, I can fairly easily set things up again. It will help me to improve my own documentation for how things are set up in test and how I can set things up in production. When I do that, I can look at the sssd.conf after each step and see where it gets modified and let you know. Like I said, I never created the domain section, but I did add the debugging statement, the range options and the option for pac.

>
>># ipa trust-add --type=ad TEST.OSUWMC --admin=farus --password
>>--range-type=ipa-ad-trust
>>Active Directory domain administrator's password:
>>ipa: ERROR: AD DC was unable to reach any IPA domain controller. Most
>>likely it is a DNS or firewall issue
>>
>>
>>The trust was created even with that error message and seems to work.
>Do you get something like
>
>$ kdestroy -A
>$ kinit admin
>$ kvno -S cifs <hostname of AD DC>
>$ klist -ef
>
>working?

All of those work even with the error when initially creating the trust. We basically treated the error as cosmetic since everything else seems to work.
[goul09@mid-ipa-vp01 ~]$ kdestroy
kdestroy: No credentials cache found while destroying cache
[goul09@mid-ipa-vp01 ~]$ kinit admin
Password for ad...@unix.test.OSUWMC:
[goul09@mid-ipa-vp01 ~]$ kvno -S cifs svr-addc-vt01.test.osuwmc
cifs/svr-addc-vt01.test.osuwmc@TEST.OSUWMC: kvno = 16
[goul09@mid-ipa-vp01 ~]$ klist -ef
Ticket cache: FILE:/tmp/krb5cc_998
Default principal: ad...@unix.test.OSUWMC
Valid starting       Expires              Service principal
03/18/2015 10:15:28  03/19/2015 10:15:25  krbtgt/unix.test.osu...@unix.test.OSUWMC
	Flags: FIA, Etype (skey, tkt): aes256-cts-hmac-sha1-96, aes256-cts-hmac-sha1-96
03/18/2015 10:16:08  03/19/2015 10:15:25  krbtgt/test.osu...@unix.test.OSUWMC
	Flags: FAT, Etype (skey, tkt): aes256-cts-hmac-sha1-96, aes256-cts-hmac-sha1-96
03/18/2015 10:15:46  03/18/2015 20:15:46  cifs/svr-addc-vt01.test.osuwmc@TEST.OSUWMC
	Flags: FA, Etype (skey, tkt): aes256-cts-hmac-sha1-96, aes256-cts-hmac-sha1-96
[goul09@mid-ipa-vp01 ~]$
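As an added example, not from this thread or from FreeIPA itself: a small POSIX sh/awk check over `klist -ef` output that confirms the ticket chain Alexander's kdestroy/kinit/kvno/klist sequence should leave in the cache, namely the cross-realm TGT issued by the IPA KDC plus a service ticket issued by the AD realm, all with AES enctypes. The realm names, the sample cache contents and the function names are constructed from the session above and are assumptions.

```shell
# Constructed sample of `klist -ef` output, modelled on the thread's session
# (principal and realm names filled in as placeholders, not real values).
sample_klist() {
  cat <<'EOF'
Ticket cache: FILE:/tmp/krb5cc_998
Default principal: admin@UNIX.TEST.OSUWMC
Valid starting       Expires              Service principal
03/18/2015 10:15:28  03/19/2015 10:15:25  krbtgt/UNIX.TEST.OSUWMC@UNIX.TEST.OSUWMC
	Flags: FIA, Etype (skey, tkt): aes256-cts-hmac-sha1-96, aes256-cts-hmac-sha1-96
03/18/2015 10:16:08  03/19/2015 10:15:25  krbtgt/TEST.OSUWMC@UNIX.TEST.OSUWMC
	Flags: FAT, Etype (skey, tkt): aes256-cts-hmac-sha1-96, aes256-cts-hmac-sha1-96
03/18/2015 10:15:46  03/18/2015 20:15:46  cifs/svr-addc-vt01.test.osuwmc@TEST.OSUWMC
	Flags: FA, Etype (skey, tkt): aes256-cts-hmac-sha1-96, aes256-cts-hmac-sha1-96
EOF
}

# trust_ticket_check IPA_REALM AD_REALM   (reads `klist -ef` output on stdin)
# Exits 0 only when the cache holds:
#   1. the cross-realm TGT krbtgt/AD_REALM@IPA_REALM, i.e. the IPA KDC knows
#      the trust and issued a referral TGT for the AD realm, and
#   2. at least one service ticket issued by AD_REALM, i.e. the AD DC accepted
#      that cross-realm TGT (what `kvno -S cifs <AD DC>` obtains),
# and every listed enctype is AES, so a fallback to a weaker enctype is flagged.
trust_ticket_check() {
  awk -v ipa="$1" -v ad="$2" '
    # Ticket rows: start date/time, expiry date/time, service principal in $5
    NF >= 5 && $5 ~ /@/ { svc = $5; next }
    # Detail row of the preceding ticket: "Flags: ..., Etype (skey, tkt): X, Y"
    /Etype \(skey, tkt\):/ {
      n = split(substr($0, index($0, "): ") + 3), et, ", ")
      for (i = 1; i <= n; i++) if (et[i] !~ /^aes/) weak = 1
      if (svc == "krbtgt/" ad "@" ipa) xrealm = 1
      else if (substr(svc, length(svc) - length(ad)) == "@" ad) adsvc = 1
    }
    END { exit (xrealm && adsvc && !weak) ? 0 : 1 }'
}

# Usage on a live host:  klist -ef | trust_ticket_check UNIX.TEST.OSUWMC TEST.OSUWMC
```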