Discussion:
[Freeipa-users] add trust between FreeIPA and Samba AD DC
Tiemen Ruiten
2017-04-13 14:51:25 UTC
Permalink
Apologies, now with proper subject.
Hello!
As I understand from this
<https://www.redhat.com/archives/freeipa-users/2016-October/msg00147.html> thread,
it should be possible to set up a trust between FreeIPA and Samba4. My AD
domain is clients.i.rdmedia.com, it's a subdomain of my FreeIPA domain,
i.rdmedia.com. Therefore I added a global forwarder on the Samba AD DC to
one of the FreeIPA replicas and lookup of SRV records in both domains
appears to work.
However when I try to add the trust I get "ipa: ERROR an internal error
has occurred". I ran the trust-add command with full debug logging as
described on https://www.freeipa.org/page/Active_Directory_trust_setup#Debugging_trust,
so I can provide these logs privately upon request.
I suspect some DNS issue, as right after I try to set up the trust, dynamic
tkey query failed: GSSAPI error: Major = Unspecified GSS failure. Minor
code may provide more information, Minor = Server DNS/fluorine.clients.i.
Failed nsupdate: 1
update(nsupdate): SRV _ldap._tcp.Default-First-Site-Name._
sites.ForestDnsZones.clients.i.rdmedia.com fluorine.clients.i.rdmedia.com
389
Calling nsupdate for SRV _ldap._tcp.Default-First-Site-Name._
sites.ForestDnsZones.clients.i.rdmedia.com fluorine.clients.i.rdmedia.com
389 (add)
;; ->>HEADER<<- opcode: UPDATE, status: NOERROR, id: 0
;; flags:; ZONE: 0, PREREQ: 0, UPDATE: 0, ADDITIONAL: 0
_ldap._tcp.Default-First-Site-Name._sites.ForestDnsZones.
clients.i.rdmedia.com. 900 IN SRV 0 100 389 fluorine.clients.i.rdmedia.com
.
Many thanks in advance for your assistance.
--
Tiemen Ruiten
Systems Engineer
R&D Media
Alexander Bokovoy
2017-04-13 15:09:52 UTC
Permalink
It would help if you would provide more details on your setup. The above
doesn't give a clue on:
- what are FreeIPA and Samba AD DC versions
- on what OS versions they run, correspondingly
- what DNS zones each of them control
- what commands did you run
--
/ Alexander Bokovoy
--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project
Tiemen Ruiten
2017-04-13 16:08:50 UTC
Permalink
Of course:

FreeIPA versions:
[***@ipa-ams-01 samba]# rpm -qa | grep ipa
libipa_hbac-1.14.0-43.el7_3.14.x86_64
sssd-ipa-1.14.0-43.el7_3.14.x86_64
python2-ipaclient-4.4.0-14.el7.centos.7.noarch
ipa-server-trust-ad-4.4.0-14.el7.centos.7.x86_64
ipa-client-common-4.4.0-14.el7.centos.7.noarch
python-iniparse-0.4-9.el7.noarch
python-libipa_hbac-1.14.0-43.el7_3.14.x86_64
python2-ipalib-4.4.0-14.el7.centos.7.noarch
ipa-admintools-4.4.0-14.el7.centos.7.noarch
ipa-server-common-4.4.0-14.el7.centos.7.noarch
ipa-server-4.4.0-14.el7.centos.7.x86_64
ipa-server-dns-4.4.0-14.el7.centos.7.noarch
python-ipaddress-1.0.16-2.el7.noarch
ipa-client-4.4.0-14.el7.centos.7.x86_64
python2-ipaserver-4.4.0-14.el7.centos.7.noarch
ipa-common-4.4.0-14.el7.centos.7.noarch

Samba AD DC versions:
Also CentOS 7, Samba 4.6.2, built from source, configure with one option:
--with-systemd

FreeIPA controls i.rdmedia.com, prod.ams.i.rdmedia.com,
test.ams.i.rdmedia.com and prod.nyc.i.rdmedia.com.
AD controls only clients.i.rdmedia.com and forwards all other DNS queries
to ipa-ams-01.

Samba uses the BIND9_DLZ backend for DNS.

Regarding the commands run: After provisioning the AD domain, I followed
this <https://www.freeipa.org/page/Active_Directory_trust_setup> guide,
except I set up the global forwarder in /etc/named.conf manually.

I got the "ipa: ERROR an internal error has occurred" after running:

ipa trust-add --type=ad clients.i.rdmedia.com --admin Administrator
--password
Tiemen Ruiten
2017-04-13 16:14:45 UTC
Permalink
Excerpt from the httpd error_log on the FreeIPA replica:

[Thu Apr 13 11:17:44.072996 2017] [:error] [pid 28346] ipa: INFO:
[jsonserver_kerb] ***@I.RDMEDIA.COM: ping(): SUCCESS
[Thu Apr 13 11:17:50.708019 2017] [:error] [pid 28347] ipa: ERROR:
non-public: RuntimeError: (-1073741811, 'Unexpected information received')
[Thu Apr 13 11:17:50.708121 2017] [:error] [pid 28347] Traceback (most
recent call last):
[Thu Apr 13 11:17:50.708132 2017] [:error] [pid 28347] File
"/usr/lib/python2.7/site-packages/ipaserver/rpcserver.py", line 366, in
wsgi_execute
[Thu Apr 13 11:17:50.708140 2017] [:error] [pid 28347] result =
command(*args, **options)
[Thu Apr 13 11:17:50.708147 2017] [:error] [pid 28347] File
"/usr/lib/python2.7/site-packages/ipalib/frontend.py", line 449, in __call__
[Thu Apr 13 11:17:50.708154 2017] [:error] [pid 28347] return
self.__do_call(*args, **options)
[Thu Apr 13 11:17:50.708161 2017] [:error] [pid 28347] File
"/usr/lib/python2.7/site-packages/ipalib/frontend.py", line 477, in
__do_call
[Thu Apr 13 11:17:50.708168 2017] [:error] [pid 28347] ret =
self.run(*args, **options)
[Thu Apr 13 11:17:50.708213 2017] [:error] [pid 28347] File
"/usr/lib/python2.7/site-packages/ipalib/frontend.py", line 799, in run
[Thu Apr 13 11:17:50.708223 2017] [:error] [pid 28347] return
self.execute(*args, **options)
[Thu Apr 13 11:17:50.708229 2017] [:error] [pid 28347] File
"/usr/lib/python2.7/site-packages/ipaserver/plugins/trust.py", line 739, in
execute
[Thu Apr 13 11:17:50.708237 2017] [:error] [pid 28347] result =
self.execute_ad(full_join, *keys, **options)
[Thu Apr 13 11:17:50.708244 2017] [:error] [pid 28347] File
"/usr/lib/python2.7/site-packages/ipaserver/plugins/trust.py", line 989, in
execute_ad
[Thu Apr 13 11:17:50.708258 2017] [:error] [pid 28347] trust_type
[Thu Apr 13 11:17:50.708265 2017] [:error] [pid 28347] File
"/usr/lib/python2.7/site-packages/ipaserver/dcerpc.py", line 1683, in
join_ad_full_credentials
[Thu Apr 13 11:17:50.708272 2017] [:error] [pid 28347] trust_type,
trust_external)
[Thu Apr 13 11:17:50.708279 2017] [:error] [pid 28347] File
"/usr/lib/python2.7/site-packages/ipaserver/dcerpc.py", line 1363, in
establish_trust
[Thu Apr 13 11:17:50.708285 2017] [:error] [pid 28347]
self.update_ftinfo(another_domain)
[Thu Apr 13 11:17:50.708292 2017] [:error] [pid 28347] File
"/usr/lib/python2.7/site-packages/ipaserver/dcerpc.py", line 1252, in
update_ftinfo
[Thu Apr 13 11:17:50.708299 2017] [:error] [pid 28347] ftinfo, 0)
[Thu Apr 13 11:17:50.708305 2017] [:error] [pid 28347] RuntimeError:
(-1073741811, 'Unexpected information received')
[Thu Apr 13 11:17:50.709161 2017] [:error] [pid 28347] ipa: INFO:
[jsonserver_kerb] ***@I.RDMEDIA.COM: trust_add/1(u'clients.i.rdmedia.com',
trust_type=u'ad', realm_admin=u'Administrator', realm_passwd=u'********',
version=u'2.213'): RuntimeError
Alexander Bokovoy
2017-04-13 19:44:06 UTC
Permalink
Post by Tiemen Ruiten
non-public: RuntimeError: (-1073741811, 'Unexpected information received')
Please add 'log level = 10' to /usr/share/ipa/smb.conf.empty and re-try
'ipa trust-add', then send me resulting error_log privately.
--
/ Alexander Bokovoy
Alexander Bokovoy
2017-04-14 08:23:27 UTC
Permalink
Post by Alexander Bokovoy
Post by Tiemen Ruiten
non-public: RuntimeError: (-1073741811, 'Unexpected information received')
Please add 'log level = 10' to /usr/share/ipa/smb.conf.empty and re-try
'ipa trust-add', then send me resulting error_log privately.
To get back to the public mailing list, Tiemen sent me logs and I
confirm that this is the same as https://bugzilla.redhat.com/show_bug.cgi?id=1421869

We currently have no solution to this problem (AD is subdomain of IPA
domain).
--
/ Alexander Bokovoy
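The condition Alexander names, the AD forest's DNS name lying under the IPA domain, can be checked before `ipa trust-add` is run at all. The Python below is an added example, not FreeIPA or Samba code. It takes the four names the IPA side advertises as top-level names in the RPC dump quoted later in this thread and the three AD forest names Tiemen tried, and reports which pairs overlap. It also lists IPA top-level names that are nested inside one another, which that dump shows (i.rdmedia.com alongside three of its subdomains); the thread does not identify that as a cause, so the block reports it as an observation only. The function names are this example's own.

```python
"""Pre-flight name check for a FreeIPA <-> AD forest trust.

Added example; not FreeIPA or Samba code. The domain names are the ones
quoted in the thread; the function names are this example's own.
"""


def dns_labels(name):
    """Lower-cased labels of a DNS name, trailing dot and empty labels dropped."""
    return [label for label in name.lower().rstrip(".").split(".") if label]


def is_within(name, parent):
    """True if `name` equals `parent` or lies below it in the DNS tree."""
    n, p = dns_labels(name), dns_labels(parent)
    return len(n) >= len(p) and n[len(n) - len(p):] == p


def overlapping_tlns(ipa_tlns, ad_forest):
    """IPA top-level names that the AD forest name sits under or above.

    Either direction is a namespace overlap: one side would be asked to route
    a name that the other side already claims as its own.
    """
    return sorted(t for t in ipa_tlns
                  if is_within(ad_forest, t) or is_within(t, ad_forest))


def nested_tlns(tlns):
    """(child, parent) pairs where one advertised TLN lies under another."""
    return sorted((c, p) for c in tlns for p in tlns if c != p and is_within(c, p))


def preflight(ipa_tlns, ad_forest):
    """Summarise the checks as a dict a wrapper script can gate on."""
    return {
        "ad_forest": ad_forest,
        "overlaps": overlapping_tlns(ipa_tlns, ad_forest),
        "nested": nested_tlns(ipa_tlns),
    }


# Constructed input: the four names the IPA side sends as top-level names in
# the thread's lsa_lsaRSetForestTrustInformation dump.
IPA_TLNS = ["i.rdmedia.com", "prod.ams.i.rdmedia.com",
            "test.ams.i.rdmedia.com", "prod.nyc.i.rdmedia.com"]

if __name__ == "__main__":
    # The three AD forest names tried in the thread, in the order they appear.
    for forest in ("clients.i.rdmedia.com", "office.rdmedia.com", "clients.rdmedia.com"):
        report = preflight(IPA_TLNS, forest)
        verdict = "STOP" if report["overlaps"] else "ok"
        print("%-24s %-4s overlaps=%s" % (forest, verdict, report["overlaps"]))
    print("nested IPA TLNs:", nested_tlns(IPA_TLNS))
```

Run as a script it prints one line per AD forest name; the `overlaps` list is what a pre-flight wrapper around `ipa trust-add` would refuse on, since the thread records no fix for that case in FreeIPA 4.4.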
Tiemen Ruiten
2017-04-28 10:09:18 UTC
Permalink
Hello,

I set up a fresh Windows Server 2012R2 instance, configured a new forest
named 'clients.rdmedia.com' and I'm getting the same error in the httpd
error_log after running 'ipa trust-add clients.rdmedia.com --type=ad
--admin=Administrator --password':

[Fri Apr 28 12:05:00.420174 2017] [:error] [pid 26417] ipa: ERROR:
non-public: RuntimeError: (-1073741811, 'Unexpected information received')
[Fri Apr 28 12:05:00.420225 2017] [:error] [pid 26417] Traceback (most
recent call last):
[Fri Apr 28 12:05:00.420230 2017] [:error] [pid 26417] File
"/usr/lib/python2.7/site-packages/ipaserver/rpcserver.py", line 366, in
wsgi_execute
[Fri Apr 28 12:05:00.420235 2017] [:error] [pid 26417] result =
command(*args, **options)
[Fri Apr 28 12:05:00.420239 2017] [:error] [pid 26417] File
"/usr/lib/python2.7/site-packages/ipalib/frontend.py", line 449, in __call__
[Fri Apr 28 12:05:00.420243 2017] [:error] [pid 26417] return
self.__do_call(*args, **options)
[Fri Apr 28 12:05:00.420247 2017] [:error] [pid 26417] File
"/usr/lib/python2.7/site-packages/ipalib/frontend.py", line 477, in
__do_call
[Fri Apr 28 12:05:00.420251 2017] [:error] [pid 26417] ret =
self.run(*args, **options)
[Fri Apr 28 12:05:00.420255 2017] [:error] [pid 26417] File
"/usr/lib/python2.7/site-packages/ipalib/frontend.py", line 799, in run
[Fri Apr 28 12:05:00.420258 2017] [:error] [pid 26417] return
self.execute(*args, **options)
[Fri Apr 28 12:05:00.420262 2017] [:error] [pid 26417] File
"/usr/lib/python2.7/site-packages/ipaserver/plugins/trust.py", line 739, in
execute
[Fri Apr 28 12:05:00.420267 2017] [:error] [pid 26417] result =
self.execute_ad(full_join, *keys, **options)
[Fri Apr 28 12:05:00.420297 2017] [:error] [pid 26417] File
"/usr/lib/python2.7/site-packages/ipaserver/plugins/trust.py", line 989, in
execute_ad
[Fri Apr 28 12:05:00.420304 2017] [:error] [pid 26417] trust_type
[Fri Apr 28 12:05:00.420308 2017] [:error] [pid 26417] File
"/usr/lib/python2.7/site-packages/ipaserver/dcerpc.py", line 1683, in
join_ad_full_credentials
[Fri Apr 28 12:05:00.420312 2017] [:error] [pid 26417] trust_type,
trust_external)
[Fri Apr 28 12:05:00.420316 2017] [:error] [pid 26417] File
"/usr/lib/python2.7/site-packages/ipaserver/dcerpc.py", line 1363, in
establish_trust
[Fri Apr 28 12:05:00.420320 2017] [:error] [pid 26417]
self.update_ftinfo(another_domain)
[Fri Apr 28 12:05:00.420324 2017] [:error] [pid 26417] File
"/usr/lib/python2.7/site-packages/ipaserver/dcerpc.py", line 1252, in
update_ftinfo
[Fri Apr 28 12:05:00.420328 2017] [:error] [pid 26417] ftinfo, 0)
[Fri Apr 28 12:05:00.420331 2017] [:error] [pid 26417] RuntimeError:
(-1073741811, 'Unexpected information received')
[Fri Apr 28 12:05:00.420975 2017] [:error] [pid 26417] ipa: INFO:
[jsonserver_session] ***@I.RDMEDIA.COM: trust_add/1(u'clients.rdmedia.com',
trust_type=u'ad', realm_admin=u'Administrator', realm_passwd=u'********',
version=u'2.213'): RuntimeError

Am I doing something wrong? Logs are of course available privately on
request.
Yes, office.rdmedia.com is the Samba AD domain.
Type[Forest] Transitive[Yes] Direction[INCOMING] Name[i.rdmedia.com]
LocalDomain Netbios[OFFICE] DNS[office.rdmedia.com]
SID[S-1-5-21-482924559-3201240232-3198541477]
NetbiosName: IPA
DnsName: i.rdmedia.com
SID: S-1-5-21-3716778977-2487905546-4034507762
Type: 0x2 (UPLEVEL)
Direction: 0x1 (INBOUND)
Attributes: 0x8 (FOREST_TRANSITIVE)
PosixOffset: 0x00000000 (0)
kerb_EncTypes: 0x1c
(RC4_HMAC_MD5,AES128_CTS_HMAC_SHA1_96,AES256_CTS_HMAC_SHA1_96)
Ok, thanks. I'll look into this part of Samba code later, after Easter.
Hello Alexander,
That's strange, when I try to set up a trust with a domain that isn't a
ipa-adtrust-install --netbios-name=IPA
ipa trust-add --type=ad office.rdmedia.com --admin Administrator
--password
office.rdmedia.com is Samba AD?
Then please show output of
samba-tool domain trust list
and for each domain name in the output above show
samba-tool domain trust show <name>
[0000] 00 00 00 00 ....
lsa_lsaRSetForestTrustInformation: struct lsa_lsaRSetForestTrustInformation
in: struct lsa_lsaRSetForestTrustInformation
handle : *
handle: struct policy_handle
handle_type : 0x00000000 (0)
43cfa5e6-c10a-49a5-9b75-f7284ee44aac
trusted_domain_name : *
trusted_domain_name: struct lsa_StringLarge
length : 0x001a (26)
size : 0x001c (28)
string : *
string : 'i.rdmedia.com'
highest_record_type : LSA_FOREST_TRUST_DOMAIN_INFO (2)
forest_trust_info : *
forest_trust_info: struct lsa_ForestTrustInformation
count : 0x00000004 (4)
entries : *
entries: ARRAY(4)
entries : *
entries: struct lsa_ForestTrustRecord
flags : 0x00000000 (0)
0: LSA_TLN_DISABLED_NEW
0: LSA_TLN_DISABLED_ADMIN
0: LSA_TLN_DISABLED_CONFLICT
0: LSA_SID_DISABLED_ADMIN
0: LSA_SID_DISABLED_CONFLICT
0: LSA_NB_DISABLED_ADMIN
0: LSA_NB_DISABLED_CONFLICT
LSA_FOREST_TRUST_TOP_LEVEL_NAME (0)
time : Mon Apr 10 08:43:18 2017 CEST
forest_trust_data : union lsa_ForestTrustData(case 0)
top_level_name: struct lsa_StringLarge
length : 0x002c (44)
size : 0x002e (46)
string : *
string : 'test.ams.i.rdmedia.com'
entries : *
entries: struct lsa_ForestTrustRecord
flags : 0x00000000 (0)
0: LSA_TLN_DISABLED_NEW
0: LSA_TLN_DISABLED_ADMIN
0: LSA_TLN_DISABLED_CONFLICT
0: LSA_SID_DISABLED_ADMIN
0: LSA_SID_DISABLED_CONFLICT
0: LSA_NB_DISABLED_ADMIN
0: LSA_NB_DISABLED_CONFLICT
LSA_FOREST_TRUST_TOP_LEVEL_NAME (0)
time : Mon Apr 10 08:43:18 2017 CEST
forest_trust_data : union lsa_ForestTrustData(case 0)
top_level_name: struct lsa_StringLarge
length : 0x002c (44)
size : 0x002e (46)
string : *
string : 'prod.ams.i.rdmedia.com'
entries : *
entries: struct lsa_ForestTrustRecord
flags : 0x00000000 (0)
0: LSA_TLN_DISABLED_NEW
0: LSA_TLN_DISABLED_ADMIN
0: LSA_TLN_DISABLED_CONFLICT
0: LSA_SID_DISABLED_ADMIN
0: LSA_SID_DISABLED_CONFLICT
0: LSA_NB_DISABLED_ADMIN
0: LSA_NB_DISABLED_CONFLICT
LSA_FOREST_TRUST_TOP_LEVEL_NAME (0)
time : Mon Apr 10 08:43:18 2017 CEST
forest_trust_data : union lsa_ForestTrustData(case 0)
top_level_name: struct lsa_StringLarge
length : 0x001a (26)
size : 0x001c (28)
string : *
string : 'i.rdmedia.com'
entries : *
entries: struct lsa_ForestTrustRecord
flags : 0x00000000 (0)
0: LSA_TLN_DISABLED_NEW
0: LSA_TLN_DISABLED_ADMIN
0: LSA_TLN_DISABLED_CONFLICT
0: LSA_SID_DISABLED_ADMIN
0: LSA_SID_DISABLED_CONFLICT
0: LSA_NB_DISABLED_ADMIN
0: LSA_NB_DISABLED_CONFLICT
LSA_FOREST_TRUST_TOP_LEVEL_NAME (0)
time : Mon Apr 10 08:43:18 2017 CEST
forest_trust_data : union lsa_ForestTrustData(case 0)
top_level_name: struct lsa_StringLarge
length : 0x002c (44)
size : 0x002e (46)
string : *
string : 'prod.nyc.i.rdmedia.com'
check_only : 0x00 (0)
[0000] 00 00 00 00 E6 A5 CF 43 0A C1 A5 49 9B 75 F7 28 .......C ...I.u.(
[0010] 4E E4 4A AC 1A 00 1C 00 00 00 02 00 0E 00 00 00 N.J..... ........
[0020] 00 00 00 00 0D 00 00 00 69 00 2E 00 72 00 64 00 ........ i...r.d.
[0030] 6D 00 65 00 64 00 69 00 61 00 2E 00 63 00 6F 00 m.e.d.i. a...c.o.
[0040] 6D 00 02 00 04 00 00 00 04 00 02 00 04 00 00 00 m....... ........
[0050] 08 00 02 00 0C 00 02 00 10 00 02 00 14 00 02 00 ........ ........
[0060] 00 00 00 00 00 00 00 00 00 C7 B7 BC C5 B1 D2 01 ........ ........
[0070] 00 00 00 00 2C 00 2E 00 18 00 02 00 17 00 00 00 ....,... ........
[0080] 00 00 00 00 16 00 00 00 74 00 65 00 73 00 74 00 ........ t.e.s.t.
[0090] 2E 00 61 00 6D 00 73 00 2E 00 69 00 2E 00 72 00 ..a.m.s. ..i...r.
[00A0] 64 00 6D 00 65 00 64 00 69 00 61 00 2E 00 63 00 d.m.e.d. i.a...c.
[00B0] 6F 00 6D 00 00 00 00 00 00 00 00 00 00 00 00 00 o.m..... ........
[00C0] 00 C7 B7 BC C5 B1 D2 01 00 00 00 00 2C 00 2E 00 ........ ....,...
[00D0] 1C 00 02 00 17 00 00 00 00 00 00 00 16 00 00 00 ........ ........
[00E0] 70 00 72 00 6F 00 64 00 2E 00 61 00 6D 00 73 00 p.r.o.d. ..a.m.s.
[00F0] 2E 00 69 00 2E 00 72 00 64 00 6D 00 65 00 64 00 ..i...r. d.m.e.d.
[0100] 69 00 61 00 2E 00 63 00 6F 00 6D 00 00 00 00 00 i.a...c. o.m.....
[0110] 00 00 00 00 00 00 00 00 00 C7 B7 BC C5 B1 D2 01 ........ ........
[0120] 00 00 00 00 1A 00 1C 00 20 00 02 00 0E 00 00 00 ........ .......
[0130] 00 00 00 00 0D 00 00 00 69 00 2E 00 72 00 64 00 ........ i...r.d.
[0140] 6D 00 65 00 64 00 69 00 61 00 2E 00 63 00 6F 00 m.e.d.i. a...c.o.
[0150] 6D 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 m....... ........
[0160] 00 C7 B7 BC C5 B1 D2 01 00 00 00 00 2C 00 2E 00 ........ ....,...
[0170] 24 00 02 00 17 00 00 00 00 00 00 00 16 00 00 00 $....... ........
[0180] 70 00 72 00 6F 00 64 00 2E 00 6E 00 79 00 63 00 p.r.o.d. ..n.y.c.
[0190] 2E 00 69 00 2E 00 72 00 64 00 6D 00 65 00 64 00 ..i...r. d.m.e.d.
[01A0] 69 00 61 00 2E 00 63 00 6F 00 6D 00 00 i.a...c. o.m..
signed SMB2 message
lsa_lsaRSetForestTrustInformation: struct
lsa_lsaRSetForestTrustInformation
out: struct lsa_lsaRSetForestTrustInformation
collision_info : *
collision_info : NULL
result : NT_STATUS_INVALID_PARAMETER
[0000] 00 00 00 00 0D 00 00 C0 ........
non-public: RuntimeError: (-1073741811, 'Unexpected information received')
[Fri Apr 14 13:05:15.626384 2017] [:error] [pid 22596] Traceback (most
[Fri Apr 14 13:05:15.626392 2017] [:error] [pid 22596] File
"/usr/lib/python2.7/site-packages/ipaserver/rpcserver.py", line 366, in
wsgi_execute
[Fri Apr 14 13:05:15.626399 2017] [:error] [pid 22596] result =
command(*args, **options)
[Fri Apr 14 13:05:15.626405 2017] [:error] [pid 22596] File
"/usr/lib/python2.7/site-packages/ipalib/frontend.py", line 449, in __call__
[Fri Apr 14 13:05:15.626416 2017] [:error] [pid 22596] return
self.__do_call(*args, **options)
[Fri Apr 14 13:05:15.626422 2017] [:error] [pid 22596] File
"/usr/lib/python2.7/site-packages/ipalib/frontend.py", line 477, in
__do_call
[Fri Apr 14 13:05:15.626428 2017] [:error] [pid 22596] ret =
self.run(*args, **options)
[Fri Apr 14 13:05:15.626434 2017] [:error] [pid 22596] File
"/usr/lib/python2.7/site-packages/ipalib/frontend.py", line 799, in run
[Fri Apr 14 13:05:15.626439 2017] [:error] [pid 22596] return
self.execute(*args, **options)
[Fri Apr 14 13:05:15.626445 2017] [:error] [pid 22596] File
"/usr/lib/python2.7/site-packages/ipaserver/plugins/trust.py", line 739, in
execute
[Fri Apr 14 13:05:15.626451 2017] [:error] [pid 22596] result =
self.execute_ad(full_join, *keys, **options)
[Fri Apr 14 13:05:15.626457 2017] [:error] [pid 22596] File
"/usr/lib/python2.7/site-packages/ipaserver/plugins/trust.py", line 989, in
execute_ad
[Fri Apr 14 13:05:15.626463 2017] [:error] [pid 22596] trust_type
[Fri Apr 14 13:05:15.626468 2017] [:error] [pid 22596] File
"/usr/lib/python2.7/site-packages/ipaserver/dcerpc.py", line 1683, in
join_ad_full_credentials
[Fri Apr 14 13:05:15.626474 2017] [:error] [pid 22596] trust_type,
trust_external)
[Fri Apr 14 13:05:15.626479 2017] [:error] [pid 22596] File
"/usr/lib/python2.7/site-packages/ipaserver/dcerpc.py", line 1363, in
establish_trust
[Fri Apr 14 13:05:15.626485 2017] [:error] [pid 22596]
self.update_ftinfo(another_domain)
[Fri Apr 14 13:05:15.626490 2017] [:error] [pid 22596] File
"/usr/lib/python2.7/site-packages/ipaserver/dcerpc.py", line 1252, in
update_ftinfo
[Fri Apr 14 13:05:15.626495 2017] [:error] [pid 22596] ftinfo, 0)
(-1073741811, 'Unexpected information received')
trust_add/1(u'office.rdmedia.com',
trust_type=u'ad', realm_admin=u'Administrator',
realm_passwd=u'********',
version=u'2.213'): RuntimeError
--
Tiemen Ruiten
Systems Engineer
R&D Media
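Alexander's note above ties the failure to the AD domain sitting below the IPA domain in DNS. The Samba debug output quoted later in the thread shows what FreeIPA sends in lsaRSetForestTrustInformation: one LSA_FOREST_TRUST_TOP_LEVEL_NAME record per IPA DNS zone, each carrying the LSA_TLN_DISABLED_CONFLICT, LSA_NB_DISABLED_CONFLICT and LSA_SID_DISABLED_CONFLICT flags. The pre-flight check below is an added example, not FreeIPA or Samba code: it tests a proposed AD domain against those three collision kinds (DNS top-level-name overlap in either direction, NetBIOS name clash, domain SID clash) before any trust-add is attempted. The IPA forest values and the OFFICE domain are the ones quoted in the thread; the CLIENTS_AD entry, its NetBIOS name and SID are constructed placeholders, and the dict layout is this example's own. It flags the clients.i.rdmedia.com layout from the first attempt and says nothing about the later office.rdmedia.com attempt, which the thread shows failing with the same error without any name overlap.

```python
"""Pre-flight collision check for a FreeIPA <-> AD forest trust.

Added example, not FreeIPA or Samba code.  Models the three collision kinds
the LSA forest-trust record flags enumerate: top-level-name (TLN) overlap,
NetBIOS name clash and domain SID clash.  Dict layout is this example's own.
"""
from typing import Dict, List


def _normalise(name: str) -> str:
    """Lower-case a DNS name and drop a trailing dot so comparisons are exact."""
    return name.strip().rstrip(".").lower()


def is_subdomain_or_equal(child: str, parent: str) -> bool:
    """True if `child` equals `parent` or lies below it in the DNS tree.

    Compared on label boundaries, not with endswith(): 'xi.rdmedia.com' is
    not below 'i.rdmedia.com', while 'clients.i.rdmedia.com' is.
    """
    c, p = _normalise(child).split("."), _normalise(parent).split(".")
    return len(c) >= len(p) and c[-len(p):] == p


def tln_conflicts(local_tlns: List[str], remote_tlns: List[str]) -> List[str]:
    """Every pair of top-level names where one contains the other.

    Each forest claims its TLNs as exclusive name suffixes, so an overlap is
    a conflict whichever side holds the parent name.
    """
    found = []
    for local in local_tlns:
        for remote in remote_tlns:
            if (is_subdomain_or_equal(remote, local)
                    or is_subdomain_or_equal(local, remote)):
                found.append(f"TLN overlap: {remote} <-> {local}")
    return found


def forest_trust_collisions(local: Dict, remote: Dict) -> List[str]:
    """Collect all collisions between two forests given as dicts with
    'netbios', 'sid' and 'tlns' keys (constructed layout)."""
    problems = tln_conflicts(local["tlns"], remote["tlns"])
    if local["netbios"].upper() == remote["netbios"].upper():
        problems.append(f"NetBIOS name clash: {local['netbios']}")
    if local["sid"].upper() == remote["sid"].upper():
        problems.append(f"domain SID clash: {local['sid']}")
    return problems


# IPA forest as Samba printed it in the thread (samba-tool domain trust show
# and the forest_trust_info dump), and the Samba AD domain office.rdmedia.com.
IPA_FOREST = {
    "netbios": "IPA",
    "sid": "S-1-5-21-3716778977-2487905546-4034507762",
    "tlns": ["i.rdmedia.com", "test.ams.i.rdmedia.com",
             "prod.ams.i.rdmedia.com", "prod.nyc.i.rdmedia.com"],
}
OFFICE_AD = {
    "netbios": "OFFICE",
    "sid": "S-1-5-21-482924559-3201240232-3198541477",
    "tlns": ["office.rdmedia.com"],
}
# The first attempt in the thread used an AD domain below the IPA domain.
# Constructed entry: its NetBIOS name and SID are placeholders, not from the page.
CLIENTS_AD = {
    "netbios": "CLIENTS",        # placeholder
    "sid": "S-1-5-21-1-2-3",     # placeholder
    "tlns": ["clients.i.rdmedia.com"],
}

if __name__ == "__main__":
    for label, remote in (("office.rdmedia.com", OFFICE_AD),
                          ("clients.i.rdmedia.com", CLIENTS_AD)):
        issues = forest_trust_collisions(IPA_FOREST, remote)
        print(label, "->", issues or "no collisions")
```

The check is symmetric on purpose: an AD forest whose name is a parent of the IPA zones (rdmedia.com against i.rdmedia.com) collides just as a child name does, and it would also catch two forests that happen to share a NetBIOS name after a migration.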
Tiemen Ruiten
2017-04-28 17:27:20 UTC
Hello Alexander, list,

I did get further by specifying --external=true in the ipa trust-add
command, it works now for *both* the Windows and the Samba domain:

ipa trust-add office.rdmedia.com --type=ad --admin Administrator --password --two-way=false --external=true

IPA reports the trust is established successfully and I can also see it in
Active Directory Domains and Trusts. However, adding users/groups to an
external group fails:

[***@ipa-ams-01 tiemen]# ipa group-add-member office_admins_external --external "OFFICE\domain admins"
[member user]:
[member group]:
Group name: office_admins_external
Description: office.rdmedia.com admins external map
Failed members:
member user:
member group: *OFFICE\domain admins: trusted domain object not found*
-------------------------
Number of members added 0
-------------------------

Of course that group exists on the Samba DC:

[***@fluorine samba]# wbinfo -g
OFFICE\cert publishers
OFFICE\ras and ias servers
OFFICE\allowed rodc password replication group
OFFICE\denied rodc password replication group
OFFICE\dnsadmins
OFFICE\enterprise read-only domain controllers
OFFICE\domain admins
OFFICE\domain users
OFFICE\domain guests
OFFICE\domain computers
OFFICE\domain controllers
OFFICE\schema admins
OFFICE\enterprise admins
OFFICE\group policy creator owners
OFFICE\read-only domain controllers
OFFICE\dnsupdateproxy

BTW, adding a two-way trust fails because the AD DC reports it can't
contact any IPA server. Firewalls on all servers have been disabled.

I would appreciate any insights!
Post by Tiemen Ruiten
Hello,
I set up a fresh Windows Server 2012R2 instance, configured a new forest
named 'clients.rdmedia.com' and I'm getting the same error in the httpd
error_log after running 'ipa trust-add clients.rdmedia.com --type=ad
non-public: RuntimeError: (-1073741811, 'Unexpected information received')
[Fri Apr 28 12:05:00.420225 2017] [:error] [pid 26417] Traceback (most
[Fri Apr 28 12:05:00.420230 2017] [:error] [pid 26417] File "/usr/lib/python2.7/site-packages/ipaserver/rpcserver.py", line 366, in wsgi_execute
[Fri Apr 28 12:05:00.420235 2017] [:error] [pid 26417] result = command(*args, **options)
[Fri Apr 28 12:05:00.420239 2017] [:error] [pid 26417] File "/usr/lib/python2.7/site-packages/ipalib/frontend.py", line 449, in __call__
[Fri Apr 28 12:05:00.420243 2017] [:error] [pid 26417] return self.__do_call(*args, **options)
[Fri Apr 28 12:05:00.420247 2017] [:error] [pid 26417] File "/usr/lib/python2.7/site-packages/ipalib/frontend.py", line 477, in __do_call
[Fri Apr 28 12:05:00.420251 2017] [:error] [pid 26417] ret = self.run(*args, **options)
[Fri Apr 28 12:05:00.420255 2017] [:error] [pid 26417] File "/usr/lib/python2.7/site-packages/ipalib/frontend.py", line 799, in run
[Fri Apr 28 12:05:00.420258 2017] [:error] [pid 26417] return self.execute(*args, **options)
[Fri Apr 28 12:05:00.420262 2017] [:error] [pid 26417] File "/usr/lib/python2.7/site-packages/ipaserver/plugins/trust.py", line 739, in execute
[Fri Apr 28 12:05:00.420267 2017] [:error] [pid 26417] result = self.execute_ad(full_join, *keys, **options)
[Fri Apr 28 12:05:00.420297 2017] [:error] [pid 26417] File "/usr/lib/python2.7/site-packages/ipaserver/plugins/trust.py", line 989, in execute_ad
[Fri Apr 28 12:05:00.420304 2017] [:error] [pid 26417] trust_type
[Fri Apr 28 12:05:00.420308 2017] [:error] [pid 26417] File "/usr/lib/python2.7/site-packages/ipaserver/dcerpc.py", line 1683, in join_ad_full_credentials
[Fri Apr 28 12:05:00.420312 2017] [:error] [pid 26417] trust_type, trust_external)
[Fri Apr 28 12:05:00.420316 2017] [:error] [pid 26417] File "/usr/lib/python2.7/site-packages/ipaserver/dcerpc.py", line 1363, in establish_trust
[Fri Apr 28 12:05:00.420320 2017] [:error] [pid 26417] self.update_ftinfo(another_domain)
[Fri Apr 28 12:05:00.420324 2017] [:error] [pid 26417] File "/usr/lib/python2.7/site-packages/ipaserver/dcerpc.py", line 1252, in update_ftinfo
[Fri Apr 28 12:05:00.420328 2017] [:error] [pid 26417] ftinfo, 0)
(-1073741811, 'Unexpected information received')
com', trust_type=u'ad', realm_admin=u'Administrator', realm_passwd=u'********', version=u'2.213'): RuntimeError
Am I doing something wrong? Logs are of course available privately on request.
Yes, office.rdmedia.com is the Samba AD domain.
Type[Forest] Transitive[Yes] Direction[INCOMING] Name[i.rdmedia.com]
LocalDomain Netbios[OFFICE] DNS[office.rdmedia.com]
SID[S-1-5-21-482924559-3201240232-3198541477]
NetbiosName: IPA
DnsName: i.rdmedia.com
SID: S-1-5-21-3716778977-2487905546-4034507762
Type: 0x2 (UPLEVEL)
Direction: 0x1 (INBOUND)
Attributes: 0x8 (FOREST_TRANSITIVE)
PosixOffset: 0x00000000 (0)
kerb_EncTypes: 0x1c (RC4_HMAC_MD5,AES128_CTS_HMAC_SHA1_96,AES256_CTS_HMAC_SHA1_96)
Ok, thanks. I'll look into this part of Samba code later, after Easter.
Hello Alexander,
That's strange, when I try to setup a trust with a domain that isn't a
ipa-adtrust-install --netbios-name=IPA
ipa trust-add --type=ad office.rdmedia.com --admin Administrator --password
office.rdmedia.com is Samba AD?
Then please show output of
samba-tool domain trust list
and for each domain name in the output above show
samba-tool domain trust show <name>
[0000] 00 00 00 00 ....
lsa_lsaRSetForestTrustInformation: struct lsa_lsaRSetForestTrustInformation
in: struct lsa_lsaRSetForestTrustInformation
handle : *
handle: struct policy_handle
handle_type : 0x00000000 (0)
43cfa5e6-c10a-49a5-9b75-f7284ee44aac
trusted_domain_name : *
trusted_domain_name: struct lsa_StringLarge
length : 0x001a (26)
size : 0x001c (28)
string : *
string : 'i.rdmedia.com'
highest_record_type : LSA_FOREST_TRUST_DOMAIN_INFO (2)
forest_trust_info : *
forest_trust_info: struct lsa_ForestTrustInformation
count : 0x00000004 (4)
entries : *
entries: ARRAY(4)
entries : *
entries: struct lsa_ForestTrustRecord
flags : 0x00000000 (0)
0: LSA_TLN_DISABLED_NEW
0: LSA_TLN_DISABLED_ADMIN
0: LSA_TLN_DISABLED_CONFLICT
0: LSA_SID_DISABLED_ADMIN
0: LSA_SID_DISABLED_CONFLICT
0: LSA_NB_DISABLED_ADMIN
0: LSA_NB_DISABLED_CONFLICT
LSA_FOREST_TRUST_TOP_LEVEL_NAME (0)
time : Mon Apr 10 08:43:18 2017 CEST
forest_trust_data : union lsa_ForestTrustData(case 0)
top_level_name: struct lsa_StringLarge
length : 0x002c (44)
size : 0x002e (46)
string : *
string : 'test.ams.i.rdmedia.com'
entries : *
entries: struct lsa_ForestTrustRecord
flags : 0x00000000 (0)
0: LSA_TLN_DISABLED_NEW
0: LSA_TLN_DISABLED_ADMIN
0: LSA_TLN_DISABLED_CONFLICT
0: LSA_SID_DISABLED_ADMIN
0: LSA_SID_DISABLED_CONFLICT
0: LSA_NB_DISABLED_ADMIN
0: LSA_NB_DISABLED_CONFLICT
LSA_FOREST_TRUST_TOP_LEVEL_NAME (0)
time : Mon Apr 10 08:43:18 2017 CEST
forest_trust_data : union lsa_ForestTrustData(case 0)
top_level_name: struct lsa_StringLarge
length : 0x002c (44)
size : 0x002e (46)
string : *
string : 'prod.ams.i.rdmedia.com'
entries : *
entries: struct lsa_ForestTrustRecord
flags : 0x00000000 (0)
0: LSA_TLN_DISABLED_NEW
0: LSA_TLN_DISABLED_ADMIN
0: LSA_TLN_DISABLED_CONFLICT
0: LSA_SID_DISABLED_ADMIN
0: LSA_SID_DISABLED_CONFLICT
0: LSA_NB_DISABLED_ADMIN
0: LSA_NB_DISABLED_CONFLICT
LSA_FOREST_TRUST_TOP_LEVEL_NAME (0)
time : Mon Apr 10 08:43:18 2017 CEST
forest_trust_data : union lsa_ForestTrustData(case 0)
top_level_name: struct lsa_StringLarge
length : 0x001a (26)
size : 0x001c (28)
string : *
string : 'i.rdmedia.com'
entries : *
entries: struct lsa_ForestTrustRecord
flags : 0x00000000 (0)
0: LSA_TLN_DISABLED_NEW
0: LSA_TLN_DISABLED_ADMIN
0: LSA_TLN_DISABLED_CONFLICT
0: LSA_SID_DISABLED_ADMIN
0: LSA_SID_DISABLED_CONFLICT
0: LSA_NB_DISABLED_ADMIN
0: LSA_NB_DISABLED_CONFLICT
LSA_FOREST_TRUST_TOP_LEVEL_NAME (0)
time : Mon Apr 10 08:43:18 2017 CEST
forest_trust_data : union lsa_ForestTrustData(case 0)
top_level_name: struct lsa_StringLarge
length : 0x002c (44)
size : 0x002e (46)
string : *
string : 'prod.nyc.i.rdmedia.com'
check_only : 0x00 (0)
[0000] 00 00 00 00 E6 A5 CF 43 0A C1 A5 49 9B 75 F7 28 .......C ...I.u.(
[0010] 4E E4 4A AC 1A 00 1C 00 00 00 02 00 0E 00 00 00 N.J..... ........
[0020] 00 00 00 00 0D 00 00 00 69 00 2E 00 72 00 64 00 ........ i...r.d.
[0030] 6D 00 65 00 64 00 69 00 61 00 2E 00 63 00 6F 00 m.e.d.i. a...c.o.
[0040] 6D 00 02 00 04 00 00 00 04 00 02 00 04 00 00 00 m....... ........
[0050] 08 00 02 00 0C 00 02 00 10 00 02 00 14 00 02 00 ........ ........
[0060] 00 00 00 00 00 00 00 00 00 C7 B7 BC C5 B1 D2 01 ........ ........
[0070] 00 00 00 00 2C 00 2E 00 18 00 02 00 17 00 00 00 ....,... ........
[0080] 00 00 00 00 16 00 00 00 74 00 65 00 73 00 74 00 ........ t.e.s.t.
[0090] 2E 00 61 00 6D 00 73 00 2E 00 69 00 2E 00 72 00 ..a.m.s. ..i...r.
[00A0] 64 00 6D 00 65 00 64 00 69 00 61 00 2E 00 63 00 d.m.e.d. i.a...c.
[00B0] 6F 00 6D 00 00 00 00 00 00 00 00 00 00 00 00 00 o.m..... ........
[00C0] 00 C7 B7 BC C5 B1 D2 01 00 00 00 00 2C 00 2E 00 ........ ....,...
[00D0] 1C 00 02 00 17 00 00 00 00 00 00 00 16 00 00 00 ........ ........
[00E0] 70 00 72 00 6F 00 64 00 2E 00 61 00 6D 00 73 00 p.r.o.d. ..a.m.s.
[00F0] 2E 00 69 00 2E 00 72 00 64 00 6D 00 65 00 64 00 ..i...r. d.m.e.d.
[0100] 69 00 61 00 2E 00 63 00 6F 00 6D 00 00 00 00 00 i.a...c. o.m.....
[0110] 00 00 00 00 00 00 00 00 00 C7 B7 BC C5 B1 D2 01 ........ ........
[0120] 00 00 00 00 1A 00 1C 00 20 00 02 00 0E 00 00 00 ........ .......
[0130] 00 00 00 00 0D 00 00 00 69 00 2E 00 72 00 64 00 ........ i...r.d.
[0140] 6D 00 65 00 64 00 69 00 61 00 2E 00 63 00 6F 00 m.e.d.i. a...c.o.
[0150] 6D 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 m....... ........
[0160] 00 C7 B7 BC C5 B1 D2 01 00 00 00 00 2C 00 2E 00 ........ ....,...
[0170] 24 00 02 00 17 00 00 00 00 00 00 00 16 00 00 00 $....... ........
[0180] 70 00 72 00 6F 00 64 00 2E 00 6E 00 79 00 63 00 p.r.o.d. ..n.y.c.
[0190] 2E 00 69 00 2E 00 72 00 64 00 6D 00 65 00 64 00 ..i...r. d.m.e.d.
[01A0] 69 00 61 00 2E 00 63 00 6F 00 6D 00 00 i.a...c. o.m..
signed SMB2 message
lsa_lsaRSetForestTrustInformation: struct lsa_lsaRSetForestTrustInformation
out: struct lsa_lsaRSetForestTrustInformation
collision_info : *
collision_info : NULL
result : NT_STATUS_INVALID_PARAMETER
[0000] 00 00 00 00 0D 00 00 C0 ........
--
Tiemen Ruiten
Systems Engineer
R&D Media
Jakub Hrozek
2017-04-28 18:34:06 UTC
Post by Tiemen Ruiten
Hello Alexander, list,
I did get further by specifying --external=true in the ipa trust-add
ipa trust-add office.rdmedia.com --type=ad --admin Administrator --password
--two-way=false --external=true
IPA reports the trust is established successfully and I can also see it in
Active Directory Domains and Trusts. However, adding users/groups to an
--external "OFFICE\domain admins"
Group name: office_admins_external
Description: office.rdmedia.com admins external map
member group: *OFFICE\domain admins: trusted domain object not found*
-------------------------
Number of members added 0
-------------------------
Domain Admins is a domain-local group typically. I would advise against
using those for cross-forest trust memberships in general.

Can you also check if you can resolve objects from the trusted AD/Samba
domain? Try:
getent passwd ***@office.rdmedia.com
for example.
--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project
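Jakub's check resolves a trusted user through SSSD. Once getent does answer, a second thing worth confirming is that the uid it returns comes from the ID range FreeIPA created for the trust, since a uid from some other range means a different source answered the lookup. The example below is added here and is not FreeIPA or SSSD code. It assumes the algorithmic mapping SSSD applies to an ID range of type ipa-ad-trust, posix_id = ipaBaseID + (RID - ipaBaseRID); the range values and the getent line are constructed for the example (ipa idrange-find prints the real ones), the domain SID is the OFFICE one quoted in the thread, and RIDs 500 and 513 are the well-known Administrator and Domain Users RIDs.

```python
"""Verify that a user resolved through an IPA-AD trust carries the POSIX ID
the trust's ID range assigns to its SID.

Added example, not FreeIPA or SSSD code.  Assumption: for an ipa-ad-trust
range SSSD maps SIDs algorithmically, posix_id = ipaBaseID + (RID - ipaBaseRID).
"""
import re
from dataclasses import dataclass
from typing import Optional, Tuple

# Account SID: a domain SID (S-1-5-21-a-b-c) followed by the RID.
ACCOUNT_SID_RE = re.compile(r"^(S-1-5-21-\d+-\d+-\d+)-(\d+)$", re.IGNORECASE)


@dataclass(frozen=True)
class TrustIdRange:
    """The fields of an ipa idrange entry this check needs."""
    domain_name: str
    domain_sid: str
    base_id: int    # ipaBaseID
    size: int       # ipaIDRangeSize
    base_rid: int   # ipaBaseRID


# Constructed range for the Samba domain; only the SID comes from the thread.
OFFICE_RANGE = TrustIdRange(
    domain_name="office.rdmedia.com",
    domain_sid="S-1-5-21-482924559-3201240232-3198541477",
    base_id=1_000_000_000,   # constructed
    size=200_000,            # constructed
    base_rid=0,              # constructed
)


def split_sid(sid: str) -> Tuple[str, int]:
    """Split an account SID into (domain_sid, rid); reject anything else."""
    m = ACCOUNT_SID_RE.match(sid.strip())
    if not m:
        raise ValueError(f"not an account SID: {sid!r}")
    return m.group(1), int(m.group(2))


def sid_to_posix_id(sid: str, rng: TrustIdRange) -> Optional[int]:
    """POSIX ID the range yields for `sid`, or None when the SID belongs to a
    different domain or its RID falls outside the range."""
    domain_sid, rid = split_sid(sid)
    if domain_sid.upper() != rng.domain_sid.upper():
        return None
    offset = rid - rng.base_rid
    if not 0 <= offset < rng.size:
        return None
    return rng.base_id + offset


def check_resolved_user(getent_line: str, rng: TrustIdRange,
                        expected_sid: str) -> bool:
    """True when one `getent passwd user@domain` line names a user of the
    trusted domain and its uid is what the range assigns to expected_sid."""
    fields = getent_line.rstrip("\n").split(":")
    if len(fields) != 7 or not fields[2].isdigit():
        return False
    name, uid = fields[0], int(fields[2])
    if not name.lower().endswith("@" + rng.domain_name.lower()):
        return False
    return sid_to_posix_id(expected_sid, rng) == uid


# Constructed line in the shape `getent passwd administrator@office.rdmedia.com`
# prints; uid and gid follow the mapping above for RIDs 500 and 513.
SAMPLE_GETENT = ("administrator@office.rdmedia.com:*:1000000500:1000000513:"
                 "Administrator:/home/office.rdmedia.com/administrator:/bin/sh")
ADMINISTRATOR_SID = OFFICE_RANGE.domain_sid + "-500"

if __name__ == "__main__":
    print(sid_to_posix_id(ADMINISTRATOR_SID, OFFICE_RANGE))
    print(check_resolved_user(SAMPLE_GETENT, OFFICE_RANGE, ADMINISTRATOR_SID))
```

Feed it the real output of `getent passwd user@office.rdmedia.com` and the range values from `ipa idrange-find`; a mismatch points at a stale SSSD cache, a second NSS source, or a range that was not created for the trust, rather than at the trust itself.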