#6666 Unable to re-add broken AD trust - Unexpected Information received
Closed: fixed 6 years ago Opened 7 years ago by pvoborni.

Ticket was cloned from Red Hat Bugzilla (product Red Hat Enterprise Linux 7): Bug 1421869

Created attachment 1250036
httpd error_log

I am having a problem with my lab setup (replicates a customer env) in that I
seem to have a problem with the trust established to the AD servers.  This was
previously set up as a two-way trust on ipa 4.3 and was working - I cannot
pinpoint exactly when it broke, but now running ipa 4.4 (AD is 2012r2)

Problem manifests itself in that users in the AD can no longer authenticate to
IdM resources.

[root@auth1 ~]# ipa trust-show ad.home.gatwards.org
  Realm name: ad.home.gatwards.org
  Domain NetBIOS name: AD
  Domain Security Identifier: S-1-5-21-2491084655-2534020579-1020697545
  Trust direction: Two-way trust
  Trust type: Active Directory domain

On the AD side,  nltest /domain_trusts /v   shows a Direct Inbound trust for my
IdM realm

However I am unable to list the trusted domains:
[root@auth1 ~]# ipa trust-fetch-domains ad.home.gatwards.org
ipa: ERROR: AD domain controller complains about communication sequence. It may
mean unsynchronized time on both sides, for example

And trying to re-add (refresh) the trust throws internal error:
[root@auth1 ~]# ipa trust-add --type ad --two-way true ad.home.gatwards.org
--admin Administrator
Active Directory domain administrator's password:
ipa: ERROR: an internal error has occurred

As discussed with Alexander Bokovoy, I removed the trusts from the AD side (mmc
snap-in) and tried again with the same result, catching debug logs of the
issue.

Metadata Update from @pvoborni:
- Issue assigned to someone
- Issue set to the milestone: 0.0 NEEDS_TRIAGE

7 years ago

Metadata Update from @pvoborni:
- Custom field tester adjusted to wanted
- Issue close_status updated to: None
- Issue set to the milestone: FreeIPA 4.5 (was: 0.0 NEEDS_TRIAGE)

7 years ago

Metadata Update from @mbasti:
- Issue set to the milestone: FreeIPA 4.5.1 (was: FreeIPA 4.5)

7 years ago

Metadata Update from @mbasti:
- Issue set to the milestone: FreeIPA 4.5.2 (was: FreeIPA 4.5.1)

6 years ago

FreeIPA 4.5.1 has been released, moving to FreeIPA 4.5.2 milestone

Metadata Update from @tkrizek:
- Issue set to the milestone: FreeIPA 4.5.3 (was: FreeIPA 4.5.2)

6 years ago

Metadata Update from @tkrizek:
- Issue set to the milestone: FreeIPA 4.5.4 (was: FreeIPA 4.5.3)

6 years ago

We finally found out what is the reason. We shouldn't specify subdomains of our own forest as TLNs as this is considered as duplication and causes NT_STATUS_INVALID_PARAMETER.

Metadata Update from @abbra:
- Custom field on_review adjusted to https://github.com/freeipa/freeipa/pull/1179

6 years ago

Metadata Update from @tkrizek:
- Issue set to the milestone: FreeIPA 4.5.5 (was: FreeIPA 4.5.4)

6 years ago

master:

  • 443ecbc adtrust: filter out subdomains when defining our topology to AD

Metadata Update from @abbra:
- Issue close_status updated to: fixed
- Issue status updated to: Closed (was: Open)

6 years ago

ipa-4-5:

  • 704cf5d adtrust: filter out subdomains when defining our topology to AD

ipa-4-6:

  • 1490e9c adtrust: filter out subdomains when defining our topology to AD

Login to comment on this ticket.

Metadata