Hello,

I had to reinstall our IPA server since we had filesystem corruption beyond 
repair on it.

After the reinstall (with ipa-replica-install) AD Trust does not seem to be 
working anymore.

I tried to delete the trust and then re-add it, but there's no effect. Here are 
the outputs:

[root@idm1 ~]# ipa-adtrust-install --add-agents

The log file for this installation can be found in 
/var/log/ipaserver-adtrust-install.log
==============================================================================
This program will setup components needed to establish trust to AD domains for
the IPA Server.

This includes:
  * Configure Samba
  * Add trust related objects to IPA LDAP server

To accept the default shown in brackets, press the Enter key.

Configuring cross-realm trusts for IPA server requires password for user 
'admin'.
This user is a regular system account used for IPA server administration.

admin password:

IPA generated smb.conf detected.
Overwrite smb.conf? [no]: yes
Do you want to enable support for trusted domains in Schema Compatibility 
plugin?
This will allow clients older than SSSD 1.9 and non-Linux clients to work with 
trusted users.

Enable trusted domains support in slapi-nis? [no]: yes


The following operations may take some minutes to complete.
Please wait until the prompt is returned.

Configuring CIFS
  [1/24]: validate server hostname
  [2/24]: stopping smbd
  [3/24]: creating samba domain object
Samba domain object already exists
  [4/24]: retrieve local idmap range
  [5/24]: writing samba config file
  [6/24]: creating samba config registry
  [7/24]: adding cifs Kerberos principal
  [8/24]: adding cifs and host Kerberos principals to the adtrust agents group
  [9/24]: check for cifs services defined on other replicas
  [10/24]: adding cifs principal to S4U2Proxy targets
cifs principal already targeted, nothing to do.
  [11/24]: adding admin(group) SIDs
Admin SID already set, nothing to do
Admin group SID already set, nothing to do
  [12/24]: adding RID bases
RID bases already set, nothing to do
  [13/24]: updating Kerberos config
'dns_lookup_kdc' already set to 'true', nothing to do.
  [14/24]: activating CLDAP plugin
CLDAP plugin already configured, nothing to do
  [15/24]: activating sidgen task
Sidgen task plugin already configured, nothing to do
  [16/24]: map BUILTIN\Guests to nobody group
  [17/24]: configuring smbd to start on boot
  [18/24]: enabling trusted domains support for older clients via Schema 
Compatibility plugin
  [19/24]: restarting Directory Server to take MS PAC and LDAP plugins changes 
into account
  [20/24]: adding fallback group
Fallback group already set, nothing to do
  [21/24]: adding Default Trust View
Default Trust View already exists.
  [22/24]: setting SELinux booleans
  [23/24]: starting CIFS services
  [24/24]: restarting smbd
Done configuring CIFS.

=============================================================================
Setup complete

You must make sure these network ports are open:
TCP Ports:
  * 135: epmap
  * 138: netbios-dgm
  * 139: netbios-ssn
  * 445: microsoft-ds
  * 1024..1300: epmap listener range
  * 3268: msft-gc
UDP Ports:
  * 138: netbios-dgm
  * 139: netbios-ssn
  * 389: (C)LDAP
  * 445: microsoft-ds

See the ipa-adtrust-install(1) man page for more details

=============================================================================


Doing the trust add since the last command didn't add it:

[root@idm1 ~]# ipa trust-add win.versatushpc.com.br
Active Directory domain administrator: Administrator
Active Directory domain administrator's password:
---------------------------------------------------------------
Added Active Directory trust for realm "win.versatushpc.com.br"
---------------------------------------------------------------
  Realm name: win.versatushpc.com.br
  Domain NetBIOS name: VersatusHPC
  Domain Security Identifier: S-1-5-21-3644117338-1171143469-618167831
  Trust direction: Trusting forest
  Trust type: Active Directory domain
  Trust status: Established and verified


Fetch domains returns 0:

[root@idm1 ~]# ipa trust-fetch-domains win.versatushpc.com.br
----------------------------------------------------------------------------------------
List of trust domains successfully refreshed. Use trustdomain-find command to 
list them.
----------------------------------------------------------------------------------------
----------------------------
Number of entries returned 0
----------------------------


But trustdomain-find is able to find the domain:

[root@idm1 ~]# ipa trustdomain-find
Realm name: win.versatushpc.com.br
  Domain name: win.versatushpc.com.br
  Domain NetBIOS name: VersatusHPC
  Domain Security Identifier: S-1-5-21-3644117338-1171143469-618167831
  Domain enabled: True
----------------------------
Number of entries returned 1
----------------------------

Healthcheck complains about those issues:

[root@idm1 ~]# ipa-healthcheck --all --output-type human | grep -v SUCCESS
WARNING: ipahealthcheck.ipa.trust.IPATrustCatalogCheck.S-1-5-21-3644117338-1171143469-618167831: Look up of S-1-5-21-3644117338-1171143469-618167831 returned nothing
ERROR: ipahealthcheck.ipa.trust.IPATrustCatalogCheck.AD Global Catalog: AD Global Catalog not found in /usr/sbin/sssctl 'domain-status' output: Active servers:
IPA: idm1.nix.versatushpc.com.br
ERROR: ipahealthcheck.ipa.trust.IPATrustCatalogCheck.AD Domain Controller: AD Domain Controller not found in /usr/sbin/sssctl 'domain-status' output: Active servers:
IPA: idm1.nix.versatushpc.com.br


And finally we had a DNA range issue, but I was able to solve it with this 
guide: https://rcritten.wordpress.com/2015/01/05/freeipa-and-no-dna-range/

[root@idm2 ~]# ipa-replica-manage dnarange-show
idm1.nix.versatushpc.com.br: 1278400006-1278499999
idm2.nix.versatushpc.com.br: 1278400000-1278499999

Seems to be OK, I think...

I'm running IPA on RHEL 8.4.

If it's easier to just remove IPA and reinstall from scratch, that's OK. This 
is a development system, the same goes for the Windows domain.

Thank you all.
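An added diagnostic, not from the original post: a POSIX sh function that reproduces what ipa-healthcheck's IPATrustCatalogCheck looks for in `sssctl domain-status` output (the "AD Global Catalog" and "AD Domain Controller" entries under "Active servers:"), so the failing condition reported above can be re-checked after each fix attempt. The sample outputs are constructed (the broken one mirrors the healthcheck message; the healthy one uses a placeholder DC hostname), and the live invocation form is an assumption.

```shell
#!/bin/sh
# Added example (not from the original post): offline reproduction of the
# IPATrustCatalogCheck test on `sssctl domain-status` output.

# check_trust_catalog STATUS_TEXT
# Returns 0 when both an "AD Global Catalog" and an "AD Domain Controller"
# entry appear in the "Active servers:" section; otherwise prints the
# missing roles to stderr and returns 1.
check_trust_catalog() {
    status_text="$1"
    missing=""
    for role in "AD Global Catalog" "AD Domain Controller"; do
        # Only look at the lines from "Active servers:" onward.
        if ! printf '%s\n' "$status_text" \
            | sed -n '/^Active servers:/,$p' \
            | grep -q "^$role: ."; then
            missing="$missing '$role'"
        fi
    done
    if [ -n "$missing" ]; then
        echo "trust catalog check failed: no$missing under 'Active servers:'" >&2
        return 1
    fi
    return 0
}

# Constructed sample 1: what the post's healthcheck message shows, i.e. only
# the IPA server itself is listed, so both AD roles are missing.
BROKEN_STATUS='Online status: Online

Active servers:
IPA: idm1.nix.versatushpc.com.br'

# Constructed sample 2: a healthy trust, with a placeholder AD DC hostname.
HEALTHY_STATUS='Online status: Online

Active servers:
AD Global Catalog: dc1.ad.example.test
AD Domain Controller: dc1.ad.example.test
IPA: idm1.nix.versatushpc.com.br'

# Live use on the IPA server (assumed command form, as quoted by healthcheck):
#   check_trust_catalog "$(sssctl domain-status win.versatushpc.com.br)"
if [ "${1:-}" = "--selftest" ]; then
    check_trust_catalog "$HEALTHY_STATUS" && echo "healthy sample: OK"
    check_trust_catalog "$BROKEN_STATUS" || echo "broken sample: detected"
fi
```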


_______________________________________________
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org