Hi, when setting up AD trust, ipa fails to fetch domains. Using trust-find, the domain is enabled, and looking at other similar issues, DNSSEC is not the problem.
ipa: ERROR: error on server 'ipa01.ipa.example.local': Fetching domains from trusted forest failed. See details in the error_log
Default behaviour.
ipa-server-4.8.7-14.module_el8.3.0+2075+8502777d.alma.x86_64
ipa-client-4.8.7-14.module_el8.3.0+2075+8502777d.alma.x86_64
ipa-server-4.8.7-14.module_el8.3.0+2075+8502777d.alma.x86_64
ipa-client-4.8.7-14.module_el8.3.0+2075+8502777d.alma.x86_64
389-ds-base-1.4.3.8-6.module_el8.3.0+2003+c08169ba.x86_64
pki-ca-10.9.4-3.module_el8.3.0+2066+73f6df5b.noarch
krb5-server-1.18.2-5.el8.x86_64

ipa: ERROR: Helper fetch_domains was called for forest example.local, return code is 1
ipa: ERROR: Standard output from the helper: '---'
ipa: ERROR: Error output from the helper: Traceback (most recent call last)
File "/usr/libexec/ipa/oddjob/com.redhat.idm.trust-fetch-domains", line 274, in <module>
config=cfg,
gssapi.raw.misc.GSSError: Major (851968): Unspecified GSS failure. Minor code may provide more information, Minor (2529638918)
To note I have tried specifying different servers using --server.
@dazah Could you please provide more logs?
As a help with which logs we need, there is an article about it: https://www.freeipa.org/page/Active_Directory_trust_setup#Debugging_trust
Thanks
FreeIPA Product Owner
Thank you for taking your time and submitting this request for FreeIPA. I am afraid this bug is stale now. So I am about to close it.
Metadata Update from @pcech:
- Issue close_status updated to: insufficientinfo
- Issue status updated to: Closed (was: Open)
We ended up dropping AD integration altogether and going stand-alone. But if I can find the complete logs again I will re-open.