If trying to establish a forest trust fails because the chosen DC is not a forest root, provide a warning and a suggestion about that in the ipa trust-add output
Trying to set up a trust to Azure AD and the chosen DC is not a forest root
Fails
Warns you that it's not a forest root
python2-ipalib-4.6.6-11.el7.noarch
python-iniparse-0.4-9.el7.noarch
python-ipaddr-2.1.11-2.el7.noarch
ipa-server-trust-ad-4.6.6-11.el7.x86_64
ipa-server-4.6.6-11.el7.x86_64
python-libipa_hbac-1.16.4-37.el7_8.1.x86_64
python2-ipaserver-4.6.6-11.el7.noarch
ipa-common-4.6.6-11.el7.noarch
python-ipaddress-1.0.16-2.el7.noarch
sssd-ipa-1.16.4-37.el7_8.1.x86_64
ipa-client-common-4.6.6-11.el7.noarch
ipa-client-4.6.6-11.el7.x86_64
libipa_hbac-1.16.4-37.el7_8.1.x86_64
ipa-server-common-4.6.6-11.el7.noarch
python2-ipaclient-4.6.6-11.el7.noarch
ipa-server-dns-4.6.6-11.el7.noarch

Logs that ab asked for:
added interface eth0 ip=10.0.109.124 bcast=10.0.111.255 netmask=255.255.252.0
added interface eth0 ip=2620:52:0:6c:f816:3eff:fe10:273e bcast= netmask=ffff:ffff:ffff:ffff::
not adding non-broadcast interface tun0
added interface eth0 ip=10.0.109.124 bcast=10.0.111.255 netmask=255.255.252.0
added interface eth0 ip=2620:52:0:6c:f816:3eff:fe10:273e bcast= netmask=ffff:ffff:ffff:ffff::
not adding non-broadcast interface tun0
added interface eth0 ip=10.0.109.124 bcast=10.0.111.255 netmask=255.255.252.0
added interface eth0 ip=2620:52:0:6c:f816:3eff:fe10:273e bcast= netmask=ffff:ffff:ffff:ffff::
not adding non-broadcast interface tun0
added interface eth0 ip=10.0.109.124 bcast=10.0.111.255 netmask=255.255.252.0
finddcs: searching for a DC by DNS domain sssdqe.onmicrosoft.com
finddcs: looking for SRV records for _ldap._tcp.sssdqe.onmicrosoft.com
resolve_lmhosts: Attempting lmhosts lookup for name _ldap._tcp.sssdqe.onmicrosoft.com<0x0>
getlmhostsent: lmhost entry: 127.0.0.1 localhost
s4_tevent: Added timed event "composite_trigger": 0x7fdb7c5d6d40
s4_tevent: Running timer event 0x7fdb7c5d6d40 "composite_trigger"
s4_tevent: Destroying timer event 0x7fdb7c5d6d40 "composite_trigger"
dns_lookup_send_next: Sending DNS request #0 to 127.0.0.1
dns_cli_request_send: Asking 127.0.0.1 for _ldap._tcp.sssdqe.onmicrosoft.com./1/33 via UDP
samba_tevent: Schedule immediate event "tevent_req_trigger": 0x7fdb7c611530
samba_tevent: Added timed event "tevent_req_timedout": 0x7fdb7c611770
dns_lookup_send_next: cancelling wait_subreq
samba_tevent: Run immediate event "tevent_req_trigger": 0x7fdb7c611530
samba_tevent: Destroying timer event 0x7fdb7c611770 "tevent_req_timedout"
dns_cli_request_udp_done: Got op=8180 1/2/0/0 recs
Addrs = 192.168.1.5@389/datebaasnp9hl5r,192.168.1.6@389/csd9wn8mdx3gne5
finddcs: DNS SRV response 0 at '192.168.1.5'
finddcs: DNS SRV response 1 at '192.168.1.6'
finddcs: performing CLDAP query on 192.168.1.5
s4_tevent: Added timed event "tevent_req_timedout": 0x7fdb7c5df1b0
s4_tevent: Schedule immediate event "tevent_req_trigger": 0x7fdb7c6102f0
s4_tevent: Run immediate event "tevent_req_trigger": 0x7fdb7c6102f0
s4_tevent: Added timed event "tevent_req_timedout": 0x7fdb7c5e39b0
s4_tevent: Destroying timer event 0x7fdb7c5df1b0 "tevent_req_timedout"
s4_tevent: Destroying timer event 0x7fdb7c5e39b0 "tevent_req_timedout"
&response->data.nt5_ex: struct NETLOGON_SAM_LOGON_RESPONSE_EX
    command : LOGON_SAM_LOGON_RESPONSE_EX (23)
    sbz : 0x0000 (0)
    server_type : 0x0000f1fd (61949)
        1: NBT_SERVER_PDC
        1: NBT_SERVER_GC
        1: NBT_SERVER_LDAP
        1: NBT_SERVER_DS
        1: NBT_SERVER_KDC
        1: NBT_SERVER_TIMESERV
        1: NBT_SERVER_CLOSEST
        1: NBT_SERVER_WRITABLE
        0: NBT_SERVER_GOOD_TIMESERV
        0: NBT_SERVER_NDNC
        0: NBT_SERVER_SELECT_SECRET_DOMAIN_6
        1: NBT_SERVER_FULL_SECRET_DOMAIN_6
        1: NBT_SERVER_ADS_WEB_SERVICE
        1: NBT_SERVER_DS_8
        0: NBT_SERVER_HAS_DNS_NAME
        0: NBT_SERVER_IS_DEFAULT_NC
        0: NBT_SERVER_FOREST_ROOT
    domain_uuid : 8a16596a-16a8-4abb-9168-ff259d200b0b
    forest : 'sssdqe.onmicrosoft.com'
    dns_domain : 'sssdqe.onmicrosoft.com'
    pdc_dns_name : 'DATEBAASNP9HL5R.sssdqe.onmicrosoft.com'
    domain_name : 'SSSDQE'
    pdc_name : 'DATEBAASNP9HL5R'
    user_name : ''
    server_site : 'Default-First-Site-Name'
    client_site : 'Default-First-Site-Name'
    sockaddr_size : 0x00 (0)
    sockaddr: struct nbt_sockaddr
        sockaddr_family : 0x00000000 (0)
        pdc_ip : (null)
        remaining : DATA_BLOB length=0
    next_closest_site : NULL
    nt_version : 0x00000005 (5)
        1: NETLOGON_NT_VERSION_1
        0: NETLOGON_NT_VERSION_5
        1: NETLOGON_NT_VERSION_5EX
        0: NETLOGON_NT_VERSION_5EX_WITH_IP
        0: NETLOGON_NT_VERSION_WITH_CLOSEST_SITE
        0: NETLOGON_NT_VERSION_AVOID_NT4EMUL
        0: NETLOGON_NT_VERSION_PDC
        0: NETLOGON_NT_VERSION_IP
        0: NETLOGON_NT_VERSION_LOCAL
        0: NETLOGON_NT_VERSION_GC
    lmnt_token : 0xffff (65535)
    lm20_token : 0xffff (65535)
finddcs: Found matching DC 192.168.1.5 with server_type=0x0000f1fd
lsa_CreateTrustedDomainEx2: struct lsa_CreateTrustedDomainEx2
    out: struct lsa_CreateTrustedDomainEx2
        trustdom_handle : *
            trustdom_handle: struct policy_handle
                handle_type : 0x00000000 (0)
                uuid : 00000000-0000-0000-0000-000000000000
        result : NT_STATUS_ACCESS_DENIED
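
The check this ticket asks for can be made from the CLDAP `server_type` bitmask that finddcs already logs. The sketch below is an added example, not FreeIPA or Samba code: the function names and warning wording are hypothetical, the sample line is copied from the log above, and the bit values are the standard DS_FLAG values behind the NBT_SERVER_* names the log prints.

```python
import re

# Bit values of the NBT_SERVER_* flags (same values as the MS-ADTS DS_FLAG bits).
NBT_SERVER_FLAGS = {
    0x00000001: "NBT_SERVER_PDC",
    0x00000004: "NBT_SERVER_GC",
    0x00000008: "NBT_SERVER_LDAP",
    0x00000010: "NBT_SERVER_DS",
    0x00000020: "NBT_SERVER_KDC",
    0x00000040: "NBT_SERVER_TIMESERV",
    0x00000080: "NBT_SERVER_CLOSEST",
    0x00000100: "NBT_SERVER_WRITABLE",
    0x00000200: "NBT_SERVER_GOOD_TIMESERV",
    0x00000400: "NBT_SERVER_NDNC",
    0x00000800: "NBT_SERVER_SELECT_SECRET_DOMAIN_6",
    0x00001000: "NBT_SERVER_FULL_SECRET_DOMAIN_6",
    0x00002000: "NBT_SERVER_ADS_WEB_SERVICE",
    0x00004000: "NBT_SERVER_DS_8",
    0x20000000: "NBT_SERVER_HAS_DNS_NAME",
    0x40000000: "NBT_SERVER_IS_DEFAULT_NC",
    0x80000000: "NBT_SERVER_FOREST_ROOT",
}
NBT_SERVER_FOREST_ROOT = 0x80000000

# Sample input: the last finddcs line of the log in this ticket.
SAMPLE_LOG = "finddcs: Found matching DC 192.168.1.5 with server_type=0x0000f1fd\n"

FOUND_DC = re.compile(
    r"finddcs: Found matching DC (\S+) with server_type=(0x[0-9a-fA-F]+)")

def decode_server_type(value):
    """Return the names of all known flags set in a server_type bitmask."""
    return [name for bit, name in sorted(NBT_SERVER_FLAGS.items()) if value & bit]

def forest_root_warnings(log_text):
    """Return one warning per discovered DC that lacks NBT_SERVER_FOREST_ROOT."""
    warnings = []
    for dc, raw in FOUND_DC.findall(log_text):
        if not (int(raw, 16) & NBT_SERVER_FOREST_ROOT):
            # Hypothetical wording; the ticket only asks that a warning exist.
            warnings.append(
                f"DC {dc} (server_type={raw}) does not report "
                "NBT_SERVER_FOREST_ROOT; point trust-add at a DC of the "
                "forest root domain")
    return warnings

if __name__ == "__main__":
    print(decode_server_type(0x0000F1FD))
    print("\n".join(forest_root_warnings(SAMPLE_LOG)))
```
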