On Mon, Jul 24, 2017 at 01:53:20PM -0400, Jason Beck wrote:
> On Mon, Jul 24, 2017 at 9:25 AM, Jakub Hrozek <jhrozek@redhat.com> wrote:
>
> > On Mon, Jul 24, 2017 at 09:05:59AM -0400, Jason Beck wrote:
> > > On Jul 24, 2017 4:14 AM, "Jakub Hrozek via FreeIPA-users" <
> > > freeipa-users@lists.fedorahosted.org> wrote:
> > >
> > > > On Fri, Jul 21, 2017 at 03:43:58PM -0400, Jason Beck via FreeIPA-users
> > > > wrote:
> > > > > I have been trying to reliably get an AD trust setup for a few weeks
> > and
> > > > no
> > > > > matter what I try, when I goto add AD users to an external group in
> > > > > FreeIPA, I get:
> > > > >
> > > > > "trusted domain object not found"
> > > > >
> > > > > Googling around tends to always yield the same suggestions:
> > > > >
> > > > > 1) Check time sync
> > > > > 2) Check DNS
> > > > > 3) Check firewall
> > > > >
> > > > > I have done all of this ad nauseam in several different environments
> > with
> > > > > several different versions of FreeIPA and Windows servers.  I have
> > > > gotten a
> > > > > setup to work maybe 2% of the time out of hundreds of attempts.
> > > > >
> > > > > I am currently using FreeIPA 4.5.2 on Fedora 25 (out of the COPR
> > repo).
> > > > I
> > > > > am trying to establish trust with a mixed Windows 2012 & 2008
> > forest. I
> > > > > have tried both one and two way trusts.  Everything seems to work
> > fine up
> > > > > until I try to add AD users to FreeIPA.
> > > > >
> > > > > I have verified all of the requisite DNS records exist and return the
> > > > > proper information on both sides, there are no firewalls between any
> > of
> > > > the
> > > > > hosts, and the AD servers and FreeIPA servers are synchronized by the
> > > > same
> > > > > NTP servers.
> > > > >
> > > > > What could I possibly be missing?
> > > >
> > > > Can you resolve the object you're trying to add with sssd?
> > > >
> > > > e.g. id foo@windows.domain
> > > > _______________________________________________
> > > > FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
> > > > To unsubscribe send an email to freeipa-users-leave@lists.
> > fedorahosted.org
> > >
> > >
> > > No.  I can login via Kerberos, kinit user@ad.domain.  But neither id
> > > user@ad.domain nor getent passwd user@ad.domain are successful.
> >
> > Then please follow
> > https://docs.pagure.org/SSSD.sssd/users/troubleshooting.html
> >
>
> Jakub,
>
>   Thank you for the support thus far.  I have followed some suggestions in
> the sssd troubleshooting link you provided.  I am seeing these errors
> whenever I try to perform an operation that would lookup an AD user, e.g.
> id user@ad.domain.  I am performing the user lookups on the primary IPA
> server itself.
>

> *sssd.conf:*

>
> [domain/ipa.domain]
>
> debug_level = 10
>
> cache_credentials = True
>
> enumerate = False
>
> krb5_store_password_if_offline = True
>
> ipa_domain = ipa.domain
>
> id_provider = ipa
>
> auth_provider = ipa
>
> access_provider = ipa
>
> ipa_hostname = ipa01.ipa.domain
>
> chpass_provider = ipa
>
> ipa_server = _srv_
>
> ldap_tls_cacert = /etc/ipa/ca.crt
>
> [sssd]
>
> services = sudo, nss, ifp, pam, ssh, pac
>
> debug_level = 10
>
> domains = ipa.domain
>
> [nss]
>
> debug_level = 10
>
> [pam]
>
> debug_level = 10
>
> [sudo]
>
> debug_level = 10
>
> [autofs]
>
> debug_level = 10
>
> [ssh]
>
> debug_level = 10
>
> [pac]
>
> debug_level = 10
>
> [ifp]
>
> debug_level = 10
>
> [secrets]
>
> debug_level = 10
>

Are you sure it's the server itself? Because for one, I would expect to
see ipa_server_mode=True in sssd.conf and also ipa_server set to fqdn of
'self', not to _srv_.

Also the s2n exop failed messages make it look like the debug messages
are from a client.

Anyway, one thing to examine is:
> Jul 24 13:20:04 ipa01.ipa.domain sssd[6535]: (Mon Jul 24 13:20:04 2017)
> [sssd[nss]] [cache_req_common_dp_recv] (0x0040): CR #49: Data Provider
> Error: 3, 5, Failed to get reply from Data Provider
>
> Jul 24 13:20:04 ipa01.ipa.domain sssd[6535]: (Mon Jul 24 13:20:04 2017)
> [sssd[nss]] [sss_dp_get_reply] (0x0010): The Data Provider returned an
> error [org.freedesktop.sssd.Error.DataProvider.Offline]
>

This indicates a communication issue towards the server. You should look
for messages that say that 'a port is not working'.