Of course:

FreeIPA versions:

[root@ipa-ams-01 samba]# rpm -qa | grep ipa
libipa_hbac-1.14.0-43.el7_3.14.x86_64
sssd-ipa-1.14.0-43.el7_3.14.x86_64
python2-ipaclient-4.4.0-14.el7.centos.7.noarch
ipa-server-trust-ad-4.4.0-14.el7.centos.7.x86_64
ipa-client-common-4.4.0-14.el7.centos.7.noarch
python-iniparse-0.4-9.el7.noarch
python-libipa_hbac-1.14.0-43.el7_3.14.x86_64
python2-ipalib-4.4.0-14.el7.centos.7.noarch
ipa-admintools-4.4.0-14.el7.centos.7.noarch
ipa-server-common-4.4.0-14.el7.centos.7.noarch
ipa-server-4.4.0-14.el7.centos.7.x86_64
ipa-server-dns-4.4.0-14.el7.centos.7.noarch
python-ipaddress-1.0.16-2.el7.noarch
ipa-client-4.4.0-14.el7.centos.7.x86_64
python2-ipaserver-4.4.0-14.el7.centos.7.noarch
ipa-common-4.4.0-14.el7.centos.7.noarch
Samba AD DC versions: also CentOS 7, Samba 4.6.2, built from source, configure with one option: --with-systemd

FreeIPA controls i.rdmedia.com, prod.ams.i.rdmedia.com, test.ams.i.rdmedia.com and prod.nyc.i.rdmedia.com. AD controls only clients.i.rdmedia.com and forwards all other DNS queries to ipa-ams-01. Samba uses the BIND9_DLZ backend for DNS.

Regarding the commands run: after provisioning the AD domain, I followed this <https://www.freeipa.org/page/Active_Directory_trust_setup> guide, except I set up the global forwarder in /etc/named.conf manually. I got the "ipa: ERROR an internal error has occurred" after running:

ipa trust-add --type=ad clients.i.rdmedia.com --admin Administrator --password

On 13 April 2017 at 17:09, Alexander Bokovoy <aboko...@redhat.com> wrote:

> On Thu, 13 Apr 2017, Tiemen Ruiten wrote:
>
>> Apologies, now with proper subject.
>>
>> On 13 April 2017 at 16:49, Tiemen Ruiten <t.rui...@rdmedia.com> wrote:
>>
>>> Hello!
>>>
>>> As I understand from this
>>> <https://www.redhat.com/archives/freeipa-users/2016-October/msg00147.html> thread,
>>> it should be possible to set up a trust between FreeIPA and Samba4. My AD
>>> domain is clients.i.rdmedia.com, it's a subdomain of my FreeIPA domain,
>>> i.rdmedia.com. Therefore I added a global forwarder on the Samba AD DC to
>>> one of the FreeIPA replicas and lookup of SRV records in both domains
>>> appears to work.
>>>
>>> However when I try to add the trust I get "ipa: ERROR an internal error
>>> has occurred". I ran the trust-add command with full debug logging as
>>> described on https://www.freeipa.org/page/Active_Directory_trust_setup#Debugging_trust,
>>> so I can provide these logs privately upon request.
>>>
>>> I suspect some DNS issue, as right after I try to set up the trust, dynamic
>>> updates stop working on the AD Domain Controller with this error:
>>>
>>> tkey query failed: GSSAPI error: Major = Unspecified GSS failure. Minor
>>> code may provide more information, Minor = Server DNS/fluorine.clients.i.rdmedia....@i.rdmedia.com not found in Kerberos database.
>>> Failed nsupdate: 1
>>> update(nsupdate): SRV _ldap._tcp.Default-First-Site-Name._sites.ForestDnsZones.clients.i.rdmedia.com fluorine.clients.i.rdmedia.com 389
>>> Calling nsupdate for SRV _ldap._tcp.Default-First-Site-Name._sites.ForestDnsZones.clients.i.rdmedia.com fluorine.clients.i.rdmedia.com 389 (add)
>>> Outgoing update query:
>>> ;; ->>HEADER<<- opcode: UPDATE, status: NOERROR, id: 0
>>> ;; flags:; ZONE: 0, PREREQ: 0, UPDATE: 0, ADDITIONAL: 0
>>> ;; UPDATE SECTION:
>>> _ldap._tcp.Default-First-Site-Name._sites.ForestDnsZones.clients.i.rdmedia.com. 900 IN SRV 0 100 389 fluorine.clients.i.rdmedia.com.
>>>
>>> Many thanks in advance for your assistance.
>>>
> It would help if you would provide more details on your setup. The above
> doesn't give a clue on:
> - what are FreeIPA and Samba AD DC versions
> - on what OS versions they run, correspondingly
> - what DNS zones each of them control
> - what commands did you run
>
> --
> / Alexander Bokovoy

--
Tiemen Ruiten
Systems Engineer
R&D Media
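The TKEY error quoted in the thread rejects a DNS/<host> service principal for a host in the AD domain (clients.i.rdmedia.com), yet the principal name carries the FreeIPA realm (@i.rdmedia.com), so the KDC that answered had no such principal. The script below is an added example, not code from the thread, FreeIPA or Samba: it parses log lines in the format Samba's samba_dnsupdate prints, extracts the rejected principal, and compares its realm with the realm the host's DNS domain maps to by longest-suffix match (the rule krb5 applies to [domain_realm]), listing the dynamic updates that failed alongside. The sample log is constructed from the message above; the complete principal name (reconstructed from the SRV target shown in the same log) and the domain-to-realm mapping (each domain to its upper-cased realm, the default for both AD and FreeIPA) are assumptions.

```python
"""Triage GSS-TSIG (TKEY) failures from samba_dnsupdate output: flag a
rejected DNS/<host> principal whose realm does not match the realm the
host's own DNS domain maps to, and list the updates that failed."""
import re

# Constructed sample, modelled on the log quoted in the thread. The full
# principal name is an assumption reconstructed from the SRV target
# (fluorine.clients.i.rdmedia.com) that appears in the same output.
SAMPLE_LOG = """\
tkey query failed: GSSAPI error: Major = Unspecified GSS failure.  Minor code may provide more information, Minor = Server DNS/fluorine.clients.i.rdmedia.com@i.rdmedia.com not found in Kerberos database
Failed nsupdate: 1
update(nsupdate): SRV _ldap._tcp.Default-First-Site-Name._sites.ForestDnsZones.clients.i.rdmedia.com fluorine.clients.i.rdmedia.com 389
Calling nsupdate for SRV _ldap._tcp.Default-First-Site-Name._sites.ForestDnsZones.clients.i.rdmedia.com fluorine.clients.i.rdmedia.com 389 (add)
"""

# Assumed domain -> realm mapping for the two domains named in the thread
# (upper-cased domain name, which is what both AD and FreeIPA use by default).
DOMAIN_REALMS = {
    "clients.i.rdmedia.com": "CLIENTS.I.RDMEDIA.COM",
    "i.rdmedia.com": "I.RDMEDIA.COM",
}

# "... Server <service>/<host>@<realm> not found in Kerberos database"
TKEY_RE = re.compile(
    r"tkey query failed: .*?Server (?P<service>[A-Za-z0-9_-]+)/"
    r"(?P<host>[A-Za-z0-9.-]+)@(?P<realm>[A-Za-z0-9.-]+) not found in Kerberos database"
)
# "update(nsupdate): <type> <name> <target> <port>" lines follow "Failed nsupdate"
UPDATE_RE = re.compile(
    r"update\(nsupdate\): (?P<type>[A-Z]+) (?P<name>\S+) (?P<target>\S+) (?P<port>\d+)"
)


def realm_for_host(host, domain_realms=DOMAIN_REALMS):
    """Map a hostname to a realm the way krb5 resolves [domain_realm]: try the
    full name, then each parent domain, longest suffix first. None if unmapped."""
    labels = host.lower().rstrip(".").split(".")
    for i in range(len(labels)):
        candidate = ".".join(labels[i:])
        if candidate in domain_realms:
            return domain_realms[candidate]
    return None


def find_realm_mismatches(log_text, domain_realms=DOMAIN_REALMS):
    """One finding per TKEY failure whose principal realm is not the realm the
    host's DNS domain maps to (realm comparison is case-insensitive)."""
    findings = []
    for line in log_text.splitlines():
        m = TKEY_RE.search(line)
        if not m:
            continue
        expected = realm_for_host(m["host"], domain_realms)
        seen = m["realm"].upper()
        if expected is None or seen != expected:
            findings.append({
                "principal": f"{m['service']}/{m['host']}@{m['realm']}",
                "host": m["host"],
                "realm_seen": seen,
                "realm_expected": expected,
            })
    return findings


def failed_updates(log_text):
    """(type, name, target, port) for every record samba_dnsupdate reported
    as a failed dynamic update."""
    return [
        (m["type"], m["name"], m["target"], int(m["port"]))
        for m in map(UPDATE_RE.search, log_text.splitlines()) if m
    ]


if __name__ == "__main__":
    for f in find_realm_mismatches(SAMPLE_LOG):
        print(f"realm mismatch: {f['principal']} was looked up in "
              f"{f['realm_seen']}, host belongs to {f['realm_expected']}")
    for rtype, name, target, port in failed_updates(SAMPLE_LOG):
        print(f"failed update: {rtype} {name} -> {target}:{port}")
```

Run against real output (for example `samba_dnsupdate --verbose 2>&1 | python3 tkey_triage.py`, after replacing SAMPLE_LOG with sys.stdin.read()) the mismatch report tells you which realm's KDC rejected the DC's DNS principal; it does not tell you why the lookup landed there, and the thread itself does not resolve that question.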
--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project