Ticket was cloned from Red Hat Bugzilla (product Red Hat Enterprise Linux 7): Bug 1421869
Created attachment 1250036 httpd error_log

I am having a problem with my lab setup (replicates a customer env) in that I seem to have a problem with the trust established to the AD servers. This was previously set up as a two-way trust on ipa 4.3 and was working - I cannot pinpoint exactly when it broke, but now running ipa 4.4 (AD is 2012r2).

Problem manifests itself in that users in the AD can no longer authenticate to IdM resources.

[root@auth1 ~]# ipa trust-show ad.home.gatwards.org
  Realm name: ad.home.gatwards.org
  Domain NetBIOS name: AD
  Domain Security Identifier: S-1-5-21-2491084655-2534020579-1020697545
  Trust direction: Two-way trust
  Trust type: Active Directory domain

On the AD side, nltest /domain_trusts /v shows a Direct Inbound trust for my IdM realm.

However I am unable to list the trusted domains:

[root@auth1 ~]# ipa trust-fetch-domains ad.home.gatwards.org
ipa: ERROR: AD domain controller complains about communication sequence. It may mean unsynchronized time on both sides, for example

And trying to re-add (refresh) the trust throws internal error:

[root@auth1 ~]# ipa trust-add --type ad --two-way true ad.home.gatwards.org --admin Administrator
Active Directory domain administrator's password:
ipa: ERROR: an internal error has occurred

As discussed with Alexander Bokovoy, I removed the trusts from the AD side (mmc snap-in) and tried again with the same result, catching debug logs of the issue.
Metadata Update from @pvoborni: - Issue assigned to someone - Issue set to the milestone: 0.0 NEEDS_TRIAGE
Metadata Update from @pvoborni: - Custom field tester adjusted to wanted - Issue close_status updated to: None - Issue set to the milestone: FreeIPA 4.5 (was: 0.0 NEEDS_TRIAGE)
Metadata Update from @mbasti: - Issue set to the milestone: FreeIPA 4.5.1 (was: FreeIPA 4.5)
Metadata Update from @mbasti: - Issue set to the milestone: FreeIPA 4.5.2 (was: FreeIPA 4.5.1)
FreeIPA 4.5.1 has been released, moving to FreeIPA 4.5.2 milestone
Metadata Update from @tkrizek: - Issue set to the milestone: FreeIPA 4.5.3 (was: FreeIPA 4.5.2)
Metadata Update from @tkrizek: - Issue set to the milestone: FreeIPA 4.5.4 (was: FreeIPA 4.5.3)
We finally found out what the reason is. We shouldn't specify subdomains of our own forest as TLNs, as this is considered a duplication and causes NT_STATUS_INVALID_PARAMETER.
Pull request https://github.com/freeipa/freeipa/pull/1179 is created with a fix.
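The comment above describes the root cause: the forest trust information sent to the AD domain controller listed a subdomain of the IPA forest as its own Top Level Name (TLN) record, which the DC treats as a duplicate of the forest root TLN and rejects with NT_STATUS_INVALID_PARAMETER. The following is an added example, not FreeIPA's code and not the contents of the pull request; it shows the deduplication rule in isolation (keep only names that are not beneath another name in the same set) together with a check that mimics the DC-side uniqueness requirement. Function names and every domain name used are constructed for illustration.

```python
"""Derive the Top Level Name (TLN) set for a forest trust from a list of
DNS domain names, dropping any name that is a subdomain of another name
in the same list.

Added example, not FreeIPA's own code. Names and functions are illustrative.
"""


def _labels(name: str) -> list[str]:
    # DNS names are case-insensitive; ignore a trailing dot.
    return name.lower().rstrip(".").split(".")


def is_subdomain(child: str, parent: str) -> bool:
    """True if `child` lies strictly below `parent` in the DNS tree.

    Compares whole labels, so "notipa.example.test" is *not* a subdomain
    of "ipa.example.test" even though it ends with the same characters.
    """
    c, p = _labels(child), _labels(parent)
    return len(c) > len(p) and c[-len(p):] == p


def top_level_names(domains) -> list[str]:
    """Return the TLNs for a forest described by `domains`.

    A TLN is a name not covered by any other name in the set.  Order is
    preserved; case-insensitive duplicates are collapsed.
    """
    seen = set()
    uniq = []
    for d in domains:
        key = ".".join(_labels(d))
        if key not in seen:
            seen.add(key)
            uniq.append(key)
    return [
        d for d in uniq
        if not any(is_subdomain(d, other) for other in uniq if other != d)
    ]


def check_tln_set(tlns) -> bool:
    """Mimic the DC-side rule: every TLN must be unique and none may be
    subsumed by another.  Raises ValueError (standing in for
    NT_STATUS_INVALID_PARAMETER) on a conflicting set, returns True otherwise.
    """
    for a in tlns:
        for b in tlns:
            if a != b and is_subdomain(a, b):
                raise ValueError(
                    f"NT_STATUS_INVALID_PARAMETER: TLN {a!r} duplicates {b!r}"
                )
    return True


if __name__ == "__main__":
    # Constructed forest: root domain plus one child domain and one
    # unrelated DNS domain served by the same forest.
    forest = ["ipa.example.test", "child.ipa.example.test", "other.test"]

    # Before the fix: every domain was emitted as a TLN, which the DC rejects.
    try:
        check_tln_set(forest)
    except ValueError as err:
        print("rejected:", err)

    # After the fix: only the names not covered by another name remain.
    tlns = top_level_names(forest)
    print("accepted:", tlns, check_tln_set(tlns))
```

Running the block prints the rejection for the unfiltered list and then the accepted set `['ipa.example.test', 'other.test']`; the child domain is still part of the forest, it is simply covered by the root TLN rather than listed a second time.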
Metadata Update from @abbra: - Custom field on_review adjusted to https://github.com/freeipa/freeipa/pull/1179
Metadata Update from @tkrizek: - Issue set to the milestone: FreeIPA 4.5.5 (was: FreeIPA 4.5.4)
Metadata Update from @frenaud: - Custom field rhbz adjusted to https://bugzilla.redhat.com/show_bug.cgi?id=1421869, https://bugzilla.redhat.com/show_bug.cgi?id=1506709 (was: https://bugzilla.redhat.com/show_bug.cgi?id=1421869)
Issue linked to Bugzilla: Bug 1506709
master:
Metadata Update from @abbra: - Issue close_status updated to: fixed - Issue status updated to: Closed (was: Open)
ipa-4-5:
ipa-4-6: