Please don't answer directly, use mailing list.
On Thu, 09 Jun 2016, pgb205 wrote:
Alexander,
As far as I can say ipv6 is enabled in the kernel, as the tutorial
suggests, although none of the interfaces have ipv6 addresses.
For example,
ip a | grep inet6
inet6 ::1/128 scope host
and
ip -6 address show
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536
inet6 ::1/128 scope host
root@:~# cat /proc/sys/net/ipv6/conf/all/disable_ipv6
0
root@:~# cat /proc/sys/net/ipv6/conf/default/disable_ipv6
0
Do any of your DNS servers respond with IPv6 addresses for AD DCs?
glibc DNS resolver prefers IPv6 over IPv4 in the default configuration
and if that happens, without IPv6 routes it becomes unreachable.
You can control how DNS resolver works with /etc/gai.conf (does not
exist by default, see man page gai.conf for details) and can set IPv4
preference over IPv6 there, either globally or per host.
From: Alexander Bokovoy <aboko...@redhat.com>
To: pgb205 <pgb...@yahoo.com>
Cc: "Freeipa-users@redhat.com" <Freeipa-users@redhat.com>
Sent: Thursday, June 9, 2016 4:30 PM
Subject: Re: [Freeipa-users] Can't establish trust with 2008 AD
On Thu, 09 Jun 2016, pgb205 wrote:
The setup is:
AD 2008 domain,
Latest version of FreeIpa with integrated DNS,
As the AD domain is not known to any DNS servers on the network I
have created a stub zone in Freeipa integrated dns server addomain.com,
and created A-record for DC.addomain.com
as well as _ldap.tcp.addomain.com and _kerberos.udp.addomain.com
and checked with dig that they resolve correctly,
138/139/145/389 are opened between the servers on both tcp and udp ports
ipv6 enabled on the FreeIpa server.
I am using pre-shared secret to establish the trust
Run:
ipa trust-add --type=ad addomain.com --trust-secret <pre-shared key>
and receive:
ipa: ERROR: CIFS server communication error: code "None", message
"NT_STATUS_IO_TIMEOUT" (both may be "None")
I've enabled the logs as described in debugging section (I would be glad to
forward the whole thing if needed). However, relevant error that I see is:
finddcs: DNS SRV response 0 at '<ipaddr>'
finddcs: performing CLDAP query on <ipaddr>
s4_tevent: Added timed event "tevent_req_timedout": 0x7f21302a8b10
s4_tevent: Schedule immediate event "tevent_req_trigger": 0x7f2130025090
s4_tevent: Run immediate event "tevent_req_trigger": 0x7f2130025090
s4_tevent: Added timed event "tevent_req_timedout": 0x7f213025cb90
s4_tevent: Running timer event 0x7f213025cb90 "tevent_req_timedout"
s4_tevent: Schedule immediate event "tevent_req_trigger": 0x7f2130045b50
s4_tevent: Ending timer event 0x7f213025cb90 "tevent_req_timedout"
s4_tevent: Run immediate event "tevent_req_trigger": 0x7f2130045b50
s4_tevent: Added timed event "tevent_req_timedout": 0x7f213025cb90
s4_tevent: Running timer event 0x7f213025cb90 "tevent_req_timedout"
s4_tevent: Schedule immediate event "tevent_req_trigger": 0x7f213001d230
s4_tevent: Ending timer event 0x7f213025cb90 "tevent_req_timedout"
s4_tevent: Run immediate event "tevent_req_trigger": 0x7f213001d230
s4_tevent: Added timed event "tevent_req_timedout": 0x7f213025cb90
s4_tevent: Running timer event 0x7f21302a8b10 "tevent_req_timedout"
s4_tevent: Destroying timer event 0x7f213025cb90 "tevent_req_timedout"
finddcs: No matching CLDAP server found
s4_tevent: Ending timer event 0x7f21302a8b10 "tevent_req_timedout"
[Thu Jun 09 20:39:38.703506 2016] [:error] [pid 2503] ipa: INFO: [jsonserver_session] admin@<ipadomain.com>: trust_add(u'addomain.com', trust_type=u'ad', trust_secret=u'********', all=False, raw=False, version=u'2.156'): RemoteRetrieveError
Once again I would be glad to provide entire logs if needed. But would be
grateful for suggestions on how to resolve the above error.
Do you have IPv6 disabled?
www.freeipa.org/page/Active_Directory_trust_setup#IPv6_stack_usage
--
/ Alexander Bokovoy
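Added illustration of the /etc/gai.conf precedence setting mentioned in the reply above (not part of the original thread, and not FreeIPA or glibc code). It models only the precedence-table step of getaddrinfo's destination ordering, using the default table documented in gai.conf(5); the DC addresses are constructed from documentation ranges, and returning 0 for an unmatched address is an assumption of this sketch.

```python
import ipaddress

# glibc's built-in precedence table (RFC 3484), as listed in gai.conf(5).
DEFAULT_PRECEDENCE = """\
precedence ::1/128       50
precedence ::/0          40
precedence 2002::/16     30
precedence ::/96         20
precedence ::ffff:0:0/96 10
"""

# Constructed sample gai.conf: IPv4-mapped prefix raised so IPv4 sorts first.
# A single precedence line disables the default table, so all rows are restated.
PREFER_IPV4 = DEFAULT_PRECEDENCE.replace("::ffff:0:0/96 10", "::ffff:0:0/96 100")


def parse_precedence(text):
    """Return [(network, value)] from gai.conf text; defaults if none given."""
    table = []
    for line in text.splitlines():
        fields = line.split("#", 1)[0].split()
        if len(fields) == 3 and fields[0] == "precedence":
            table.append((ipaddress.IPv6Network(fields[1]), int(fields[2])))
    return table or parse_precedence(DEFAULT_PRECEDENCE)


def precedence_of(addr, table):
    """Longest-prefix match; IPv4 is looked up as ::ffff:a.b.c.d."""
    ip = ipaddress.ip_address(addr)
    if ip.version == 4:
        ip = ipaddress.IPv6Address("::ffff:" + addr)
    matches = [(net.prefixlen, val) for net, val in table if ip in net]
    return max(matches)[1] if matches else 0  # 0 is this sketch's assumption


def order(addrs, gai_conf_text=""):
    """Sort candidate addresses by precedence only (highest first)."""
    table = parse_precedence(gai_conf_text)
    return sorted(addrs, key=lambda a: -precedence_of(a, table))


if __name__ == "__main__":
    answers = ["192.0.2.10", "2001:db8::10"]  # constructed A/AAAA answers
    print("default table:", order(answers))
    print("IPv4 preferred:", order(answers, PREFER_IPV4))
```

The real resolver applies several other sorting rules before precedence, so `getent ahosts <hostname>` on the IPA server remains the authoritative check of the order actually used.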