Tiemen Ruiten
2017-04-13 14:49:59 UTC
Hello!
As I understand from this
<https://www.redhat.com/archives/freeipa-users/2016-October/msg00147.html>
thread,
it should be possible to setup a trust between FreeIPA and Samba4. My AD
domain is clients.i.rdmedia.com, it's a subdomain of my FreeIPA domain,
i.rdmedia.com. Therefore I added a global forwarder on the Samba AD DC to
one of the FreeIPA replica's and lookup of SRV records in both domains
appears to work.
However when I try to add the trust I get "ipa: ERROR an internal error has
occurred". I ran the trust-add command with full debug logging as described
on https://www.freeipa.org/page/Active_Directory_trust_setup#Debugging_trust,
so I can provide these logs privately upon request.
I suspect some DNS-issue, as right after I try to setup the trust, dynamic
updates stop working on the AD Domain Controller with this error:
tkey query failed: GSSAPI error: Major = Unspecified GSS failure. Minor
code may provide more information, Minor = Server DNS/
***@I.RDMEDIA.COM not found in Kerberos database.
Failed nsupdate: 1
update(nsupdate): SRV _ldap._tcp.Default-First-Site-Name._
sites.ForestDnsZones.clients.i.rdmedia.com fluorine.clients.i.rdmedia.com
389
Calling nsupdate for SRV _ldap._tcp.Default-First-Site-Name._
sites.ForestDnsZones.clients.i.rdmedia.com fluorine.clients.i.rdmedia.com
389 (add)
Outgoing update query:
;; ->>HEADER<<- opcode: UPDATE, status: NOERROR, id: 0
;; flags:; ZONE: 0, PREREQ: 0, UPDATE: 0, ADDITIONAL: 0
;; UPDATE SECTION:
_ldap._tcp.Default-First-Site-Name._
sites.ForestDnsZones.clients.i.rdmedia.com. 900 IN SRV 0 100 389
fluorine.clients.i.rdmedia.com.
Many thanks in advance for your assistance.
As I understand from this
<https://www.redhat.com/archives/freeipa-users/2016-October/msg00147.html>
thread,
it should be possible to setup a trust between FreeIPA and Samba4. My AD
domain is clients.i.rdmedia.com, it's a subdomain of my FreeIPA domain,
i.rdmedia.com. Therefore I added a global forwarder on the Samba AD DC to
one of the FreeIPA replica's and lookup of SRV records in both domains
appears to work.
However when I try to add the trust I get "ipa: ERROR an internal error has
occurred". I ran the trust-add command with full debug logging as described
on https://www.freeipa.org/page/Active_Directory_trust_setup#Debugging_trust,
so I can provide these logs privately upon request.
I suspect some DNS-issue, as right after I try to setup the trust, dynamic
updates stop working on the AD Domain Controller with this error:
tkey query failed: GSSAPI error: Major = Unspecified GSS failure. Minor
code may provide more information, Minor = Server DNS/
***@I.RDMEDIA.COM not found in Kerberos database.
Failed nsupdate: 1
update(nsupdate): SRV _ldap._tcp.Default-First-Site-Name._
sites.ForestDnsZones.clients.i.rdmedia.com fluorine.clients.i.rdmedia.com
389
Calling nsupdate for SRV _ldap._tcp.Default-First-Site-Name._
sites.ForestDnsZones.clients.i.rdmedia.com fluorine.clients.i.rdmedia.com
389 (add)
Outgoing update query:
;; ->>HEADER<<- opcode: UPDATE, status: NOERROR, id: 0
;; flags:; ZONE: 0, PREREQ: 0, UPDATE: 0, ADDITIONAL: 0
;; UPDATE SECTION:
_ldap._tcp.Default-First-Site-Name._
sites.ForestDnsZones.clients.i.rdmedia.com. 900 IN SRV 0 100 389
fluorine.clients.i.rdmedia.com.
Many thanks in advance for your assistance.
--
Tiemen Ruiten
Systems Engineer
R&D Media
Tiemen Ruiten
Systems Engineer
R&D Media