Hello, I set up a fresh Windows Server 2012R2 instance, configured a new forest named 'clients.rdmedia.com' and I'm getting the same error in the httpd error_log after running 'ipa trust-add clients.rdmedia.com --type=ad --admin=Administrator --password':
[Fri Apr 28 12:05:00.420174 2017] [:error] [pid 26417] ipa: ERROR: non-public: RuntimeError: (-1073741811, 'Unexpected information received')
[Fri Apr 28 12:05:00.420225 2017] [:error] [pid 26417] Traceback (most recent call last):
[Fri Apr 28 12:05:00.420230 2017] [:error] [pid 26417]   File "/usr/lib/python2.7/site-packages/ipaserver/rpcserver.py", line 366, in wsgi_execute
[Fri Apr 28 12:05:00.420235 2017] [:error] [pid 26417]     result = command(*args, **options)
[Fri Apr 28 12:05:00.420239 2017] [:error] [pid 26417]   File "/usr/lib/python2.7/site-packages/ipalib/frontend.py", line 449, in __call__
[Fri Apr 28 12:05:00.420243 2017] [:error] [pid 26417]     return self.__do_call(*args, **options)
[Fri Apr 28 12:05:00.420247 2017] [:error] [pid 26417]   File "/usr/lib/python2.7/site-packages/ipalib/frontend.py", line 477, in __do_call
[Fri Apr 28 12:05:00.420251 2017] [:error] [pid 26417]     ret = self.run(*args, **options)
[Fri Apr 28 12:05:00.420255 2017] [:error] [pid 26417]   File "/usr/lib/python2.7/site-packages/ipalib/frontend.py", line 799, in run
[Fri Apr 28 12:05:00.420258 2017] [:error] [pid 26417]     return self.execute(*args, **options)
[Fri Apr 28 12:05:00.420262 2017] [:error] [pid 26417]   File "/usr/lib/python2.7/site-packages/ipaserver/plugins/trust.py", line 739, in execute
[Fri Apr 28 12:05:00.420267 2017] [:error] [pid 26417]     result = self.execute_ad(full_join, *keys, **options)
[Fri Apr 28 12:05:00.420297 2017] [:error] [pid 26417]   File "/usr/lib/python2.7/site-packages/ipaserver/plugins/trust.py", line 989, in execute_ad
[Fri Apr 28 12:05:00.420304 2017] [:error] [pid 26417]     trust_type
[Fri Apr 28 12:05:00.420308 2017] [:error] [pid 26417]   File "/usr/lib/python2.7/site-packages/ipaserver/dcerpc.py", line 1683, in join_ad_full_credentials
[Fri Apr 28 12:05:00.420312 2017] [:error] [pid 26417]     trust_type, trust_external)
[Fri Apr 28 12:05:00.420316 2017] [:error] [pid 26417]   File "/usr/lib/python2.7/site-packages/ipaserver/dcerpc.py", line 1363, in establish_trust
[Fri Apr 28 12:05:00.420320 2017] [:error] [pid 26417]     self.update_ftinfo(another_domain)
[Fri Apr 28 12:05:00.420324 2017] [:error] [pid 26417]   File "/usr/lib/python2.7/site-packages/ipaserver/dcerpc.py", line 1252, in update_ftinfo
[Fri Apr 28 12:05:00.420328 2017] [:error] [pid 26417]     ftinfo, 0)
[Fri Apr 28 12:05:00.420331 2017] [:error] [pid 26417] RuntimeError: (-1073741811, 'Unexpected information received')
[Fri Apr 28 12:05:00.420975 2017] [:error] [pid 26417] ipa: INFO: [jsonserver_session] ad...@i.rdmedia.com: trust_add/1(u'clients.rdmedia.com', trust_type=u'ad', realm_admin=u'Administrator', realm_passwd=u'********', version=u'2.213'): RuntimeError

Am I doing something wrong? Logs are of course available privately on request.

On 14 April 2017 at 15:13, Alexander Bokovoy <aboko...@redhat.com> wrote:

> On Fri, 14 Apr 2017, Tiemen Ruiten wrote:
>
>> Yes, office.rdmedia.com is the Samba AD domain.
>>
>> [root@fluorine samba]# samba-tool domain trust list
>> Type[Forest] Transitive[Yes] Direction[INCOMING] Name[i.rdmedia.com]
>> [root@fluorine samba]# samba-tool domain trust show i.rdmedia.com
>> LocalDomain Netbios[OFFICE] DNS[office.rdmedia.com]
>> SID[S-1-5-21-482924559-3201240232-3198541477]
>> TrusteDomain:
>>
>> NetbiosName: IPA
>> DnsName: i.rdmedia.com
>> SID: S-1-5-21-3716778977-2487905546-4034507762
>> Type: 0x2 (UPLEVEL)
>> Direction: 0x1 (INBOUND)
>> Attributes: 0x8 (FOREST_TRANSITIVE)
>> PosixOffset: 0x00000000 (0)
>> kerb_EncTypes: 0x1c
>> (RC4_HMAC_MD5,AES128_CTS_HMAC_SHA1_96,AES256_CTS_HMAC_SHA1_96)
>> Namespaces[0] TDO[i.rdmedia.com]:
>>
> Ok, thanks. I'll look into this part of Samba code later, after Easter.
>
>>
>> On 14 April 2017 at 14:07, Alexander Bokovoy <aboko...@redhat.com> wrote:
>>
>> On Fri, 14 Apr 2017, Tiemen Ruiten wrote:
>>>
>>> Hello Alexander,
>>>>
>>>> That's strange, when I try to setup a trust with a domain that isn't a
>>>> subdomain of FreeIPA, I get the same error.
>>>> I reran:
>>>>
>>>> ipa-adtrust-install --netbios-name=IPA
>>>>
>>>> and then ran:
>>>>
>>>> ipa trust-add --type=ad office.rdmedia.com --admin Administrator
>>>> --password
>>>>
>>>> office.rdmedia.com is Samba AD?
>>>
>>> Then please show output of
>>>
>>> samba-tool domain trust list
>>>
>>> and for each domain name in the output above show
>>>
>>> samba-tool domain trust show <name>
>>>
>>>
>>> Last bit of the error_log:
>>>>
>>>> rpc reply data:
>>>> [0000] 00 00 00 00   ....
>>>> lsa_lsaRSetForestTrustInformation: struct lsa_lsaRSetForestTrustInformation
>>>>   in: struct lsa_lsaRSetForestTrustInformation
>>>>     handle : *
>>>>       handle: struct policy_handle
>>>>         handle_type : 0x00000000 (0)
>>>>         uuid : 43cfa5e6-c10a-49a5-9b75-f7284ee44aac
>>>>     trusted_domain_name : *
>>>>       trusted_domain_name: struct lsa_StringLarge
>>>>         length : 0x001a (26)
>>>>         size : 0x001c (28)
>>>>         string : *
>>>>           string : 'i.rdmedia.com'
>>>>     highest_record_type : LSA_FOREST_TRUST_DOMAIN_INFO (2)
>>>>     forest_trust_info : *
>>>>       forest_trust_info: struct lsa_ForestTrustInformation
>>>>         count : 0x00000004 (4)
>>>>         entries : *
>>>>           entries: ARRAY(4)
>>>>             entries : *
>>>>               entries: struct lsa_ForestTrustRecord
>>>>                 flags : 0x00000000 (0)
>>>>                   0: LSA_TLN_DISABLED_NEW
>>>>                   0: LSA_TLN_DISABLED_ADMIN
>>>>                   0: LSA_TLN_DISABLED_CONFLICT
>>>>                   0: LSA_SID_DISABLED_ADMIN
>>>>                   0: LSA_SID_DISABLED_CONFLICT
>>>>                   0: LSA_NB_DISABLED_ADMIN
>>>>                   0: LSA_NB_DISABLED_CONFLICT
>>>>                 type : LSA_FOREST_TRUST_TOP_LEVEL_NAME (0)
>>>>                 time : Mon Apr 10 08:43:18 2017 CEST
>>>>                 forest_trust_data : union lsa_ForestTrustData(case 0)
>>>>                 top_level_name: struct lsa_StringLarge
>>>>                   length : 0x002c (44)
>>>>                   size : 0x002e (46)
>>>>                   string : *
>>>>                     string : 'test.ams.i.rdmedia.com'
>>>>             entries : *
>>>>               entries: struct lsa_ForestTrustRecord
>>>>                 flags : 0x00000000 (0)
>>>>                   0: LSA_TLN_DISABLED_NEW
>>>>                   0: LSA_TLN_DISABLED_ADMIN
>>>>                   0: LSA_TLN_DISABLED_CONFLICT
>>>>                   0: LSA_SID_DISABLED_ADMIN
>>>>                   0: LSA_SID_DISABLED_CONFLICT
>>>>                   0: LSA_NB_DISABLED_ADMIN
>>>>                   0: LSA_NB_DISABLED_CONFLICT
>>>>                 type : LSA_FOREST_TRUST_TOP_LEVEL_NAME (0)
>>>>                 time : Mon Apr 10 08:43:18 2017 CEST
>>>>                 forest_trust_data : union lsa_ForestTrustData(case 0)
>>>>                 top_level_name: struct lsa_StringLarge
>>>>                   length : 0x002c (44)
>>>>                   size : 0x002e (46)
>>>>                   string : *
>>>>                     string : 'prod.ams.i.rdmedia.com'
>>>>             entries : *
>>>>               entries: struct lsa_ForestTrustRecord
>>>>                 flags : 0x00000000 (0)
>>>>                   0: LSA_TLN_DISABLED_NEW
>>>>                   0: LSA_TLN_DISABLED_ADMIN
>>>>                   0: LSA_TLN_DISABLED_CONFLICT
>>>>                   0: LSA_SID_DISABLED_ADMIN
>>>>                   0: LSA_SID_DISABLED_CONFLICT
>>>>                   0: LSA_NB_DISABLED_ADMIN
>>>>                   0: LSA_NB_DISABLED_CONFLICT
>>>>                 type : LSA_FOREST_TRUST_TOP_LEVEL_NAME (0)
>>>>                 time : Mon Apr 10 08:43:18 2017 CEST
>>>>                 forest_trust_data : union lsa_ForestTrustData(case 0)
>>>>                 top_level_name: struct lsa_StringLarge
>>>>                   length : 0x001a (26)
>>>>                   size : 0x001c (28)
>>>>                   string : *
>>>>                     string : 'i.rdmedia.com'
>>>>             entries : *
>>>>               entries: struct lsa_ForestTrustRecord
>>>>                 flags : 0x00000000 (0)
>>>>                   0: LSA_TLN_DISABLED_NEW
>>>>                   0: LSA_TLN_DISABLED_ADMIN
>>>>                   0: LSA_TLN_DISABLED_CONFLICT
>>>>                   0: LSA_SID_DISABLED_ADMIN
>>>>                   0: LSA_SID_DISABLED_CONFLICT
>>>>                   0: LSA_NB_DISABLED_ADMIN
>>>>                   0: LSA_NB_DISABLED_CONFLICT
>>>>                 type : LSA_FOREST_TRUST_TOP_LEVEL_NAME (0)
>>>>                 time : Mon Apr 10 08:43:18 2017 CEST
>>>>                 forest_trust_data : union lsa_ForestTrustData(case 0)
>>>>                 top_level_name: struct lsa_StringLarge
>>>>                   length : 0x002c (44)
>>>>                   size : 0x002e (46)
>>>>                   string : *
>>>>                     string : 'prod.nyc.i.rdmedia.com'
>>>>     check_only : 0x00 (0)
>>>> rpc request data:
>>>> signed SMB2 message
>>>> lsa_lsaRSetForestTrustInformation: struct lsa_lsaRSetForestTrustInformation
>>>>   out: struct lsa_lsaRSetForestTrustInformation
>>>>     collision_info : *
>>>>       collision_info : NULL
>>>>     result : NT_STATUS_INVALID_PARAMETER
>>>> rpc reply data:
>>>> [0000] 00 00 00 00 0D 00 00 C0   ........
>>>> [Fri Apr 14 13:05:15.626311 2017] [:error] [pid 22596] ipa: ERROR: non-public: RuntimeError: (-1073741811, 'Unexpected information received')
>>>> [Fri Apr 14 13:05:15.626384 2017] [:error] [pid 22596] Traceback (most recent call last):
>>>> [Fri Apr 14 13:05:15.626392 2017] [:error] [pid 22596]   File "/usr/lib/python2.7/site-packages/ipaserver/rpcserver.py", line 366, in wsgi_execute
>>>> [Fri Apr 14 13:05:15.626399 2017] [:error] [pid 22596]     result = command(*args, **options)
>>>> [Fri Apr 14 13:05:15.626405 2017] [:error] [pid 22596]   File "/usr/lib/python2.7/site-packages/ipalib/frontend.py", line 449, in __call__
>>>> [Fri Apr 14 13:05:15.626416 2017] [:error] [pid 22596]     return self.__do_call(*args, **options)
>>>> [Fri Apr 14 13:05:15.626422 2017] [:error] [pid 22596]   File "/usr/lib/python2.7/site-packages/ipalib/frontend.py", line 477, in __do_call
>>>> [Fri Apr 14 13:05:15.626428 2017] [:error] [pid 22596]     ret = self.run(*args, **options)
>>>> [Fri Apr 14 13:05:15.626434 2017] [:error] [pid 22596]   File "/usr/lib/python2.7/site-packages/ipalib/frontend.py", line 799, in run
>>>> [Fri Apr 14 13:05:15.626439 2017] [:error] [pid 22596]     return self.execute(*args, **options)
>>>> [Fri Apr 14 13:05:15.626445 2017] [:error] [pid 22596]   File "/usr/lib/python2.7/site-packages/ipaserver/plugins/trust.py", line 739, in execute
>>>> [Fri Apr 14 13:05:15.626451 2017] [:error] [pid 22596]     result = self.execute_ad(full_join, *keys, **options)
>>>> [Fri Apr 14 13:05:15.626457 2017] [:error] [pid 22596]   File "/usr/lib/python2.7/site-packages/ipaserver/plugins/trust.py", line 989, in execute_ad
>>>> [Fri Apr 14 13:05:15.626463 2017] [:error] [pid 22596]     trust_type
>>>> [Fri Apr 14 13:05:15.626468 2017] [:error] [pid 22596]   File "/usr/lib/python2.7/site-packages/ipaserver/dcerpc.py", line 1683, in join_ad_full_credentials
>>>> [Fri Apr 14 13:05:15.626474 2017] [:error] [pid 22596]     trust_type, trust_external)
>>>> [Fri Apr 14 13:05:15.626479 2017] [:error] [pid 22596]   File "/usr/lib/python2.7/site-packages/ipaserver/dcerpc.py", line 1363, in establish_trust
>>>> [Fri Apr 14 13:05:15.626485 2017] [:error] [pid 22596]     self.update_ftinfo(another_domain)
>>>> [Fri Apr 14 13:05:15.626490 2017] [:error] [pid 22596]   File "/usr/lib/python2.7/site-packages/ipaserver/dcerpc.py", line 1252, in update_ftinfo
>>>> [Fri Apr 14 13:05:15.626495 2017] [:error] [pid 22596]     ftinfo, 0)
>>>> [Fri Apr 14 13:05:15.626500 2017] [:error] [pid 22596] RuntimeError: (-1073741811, 'Unexpected information received')
>>>> [Fri Apr 14 13:05:15.627265 2017] [:error] [pid 22596] ipa: INFO: [jsonserver_session] ad...@i.rdmedia.com: trust_add/1(u'office.rdmedia.com', trust_type=u'ad', realm_admin=u'Administrator', realm_passwd=u'********', version=u'2.213'): RuntimeError
>>>>
>>>> On 14 April 2017 at 10:23, Alexander Bokovoy <aboko...@redhat.com> wrote:
>>>>
>>>> On Thu, 13 Apr 2017, Alexander Bokovoy wrote:
>>>>
>>>>> On Thu, 13 Apr 2017, Tiemen Ruiten wrote:
>>>>>
>>>>>> Excerpt from the httpd error_log on the FreeIPA replica:
>>>>>>
>>>>>>> [Thu Apr 13 11:17:44.072996 2017] [:error] [pid 28346] ipa: INFO: [jsonserver_kerb] ad...@i.rdmedia.com: ping(): SUCCESS
>>>>>>> [Thu Apr 13 11:17:50.708019 2017] [:error] [pid 28347] ipa: ERROR: non-public: RuntimeError: (-1073741811, 'Unexpected information received')
>>>>>>>
>>>>>>> Please add 'log level = 10' to /usr/share/ipa/smb.conf.empty and re-try
>>>>>> 'ipa trust-add', then send me resulting error_log privately.
>>>>>>
>>>>>> To get back to the public mailing list, Tiemen sent me logs and I
>>>>> confirm that this is the same as https://bugzilla.redhat.com/show_bug.cgi?id=1421869
>>>>>
>>>>> We currently have no solution to this problem (AD is subdomain of IPA
>>>>> domain).
>>>>>
>>>>> --
>>>>> / Alexander Bokovoy
>>>>
>>>> --
>>>> Tiemen Ruiten
>>>> Systems Engineer
>>>> R&D Media
>>>
>>> --
>>> / Alexander Bokovoy
>>
>> --
>> Tiemen Ruiten
>> Systems Engineer
>> R&D Media
>
> --
> / Alexander Bokovoy

--
Tiemen Ruiten
Systems Engineer
R&D Media
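
A triage aid for the error_log excerpts in this thread, added here as an example and not part of the original messages or of FreeIPA: it converts the signed code in the RuntimeError to its NTSTATUS value, reads the same status from the trailing bytes of the short "rpc reply data" row, and pairs the status with the failing command by httpd pid. The sample log, principal and domain names are constructed.

```python
import re
import struct

# Constructed sample in the shape of the error_log lines quoted in this thread.
SAMPLE_LOG = """\
[Fri Apr 28 12:05:00 2017] [:error] [pid 100] ipa: ERROR: non-public: RuntimeError: (-1073741811, 'Unexpected information received')
[Fri Apr 28 12:05:00 2017] [:error] [pid 100] RuntimeError: (-1073741811, 'Unexpected information received')
[Fri Apr 28 12:05:00 2017] [:error] [pid 100] ipa: INFO: [jsonserver_session] admin@IPA.EXAMPLE.TEST: trust_add/1(u'ad.example.test', trust_type=u'ad', version=u'2.213'): RuntimeError
"""

# Standard NTSTATUS values; extend as needed.
NTSTATUS_NAMES = {
    0x00000000: "NT_STATUS_OK",
    0xC000000D: "NT_STATUS_INVALID_PARAMETER",
    0xC0000022: "NT_STATUS_ACCESS_DENIED",
}

ERR_RE = re.compile(r"\[pid (\d+)\] ipa: ERROR: non-public: RuntimeError: \((-?\d+),")
CMD_RE = re.compile(r"\[pid (\d+)\] ipa: INFO: \[\w+\] \S+ (\w+)/\d+\(u'([^']+)'.*: RuntimeError$")

def ntstatus_from_signed(code):
    """The Python RuntimeError carries the NTSTATUS as a signed 32-bit integer."""
    value = code & 0xFFFFFFFF
    return value, NTSTATUS_NAMES.get(value, "unknown")

def ntstatus_from_reply(hex_bytes):
    """Read the trailing little-endian NTSTATUS from an 'rpc reply data' row."""
    raw = bytes.fromhex(hex_bytes.replace(" ", ""))
    (value,) = struct.unpack("<I", raw[-4:])
    return value, NTSTATUS_NAMES.get(value, "unknown")

def failed_commands(log_text):
    """Pair each RuntimeError status with the command logged by the same httpd pid."""
    pending, results = {}, []
    for line in log_text.splitlines():
        err = ERR_RE.search(line)
        if err:
            pending[err.group(1)] = int(err.group(2))
            continue
        cmd = CMD_RE.search(line)
        if cmd and cmd.group(1) in pending:
            value, name = ntstatus_from_signed(pending.pop(cmd.group(1)))
            results.append((cmd.group(2), cmd.group(3), "0x%08X" % value, name))
    return results

if __name__ == "__main__":
    print(failed_commands(SAMPLE_LOG))
    print(ntstatus_from_reply("00 00 00 00 0D 00 00 C0"))
```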