Hi all, After a fresh install of FreeIPA 4.6.5-11.el7.centos.x86_64, fully updated from the update repo on a CentOS7 x64 server, it appears that it is totally impossible to establish a trust with an AD running on local AD servers. We did it a few times ago with exactly the same distribution and had really no problem; we tried to completely reinstall the machine and the IPA with always the same results:
ipa: ERROR: CIFS server communication error: code "3221225506", message "{Access Denied} A process has requested access to an object but has not been granted those access rights." (both may be "None")
Could someone point me to the direction to look for, because we are going nuts on this? We found some tips in /var/log/httpd/errors, but nothing seems to provide sufficient info...
[Wed Oct 02 12:54:57.868830 2019] [:error] [pid 2036] ipa: INFO: [jsonserver_session] admin@DOMAIN.INTRA: trust_add/1(u'domain.intra', trust_type=u'ad', realm_admin=u'admin', realm_passwd=u'********', bidirectional=True, version=u'2.231'): RemoteRetrieveError
The IPA server and the AD servers are in the same VLAN with no firewall between them. The Samba version on the IPA server is the latest available: 4.9.1-6.el7.noarch
Thanks for your help...
I forgot to mention that the user "admin" used has Domain Admin rights on the AD domain! Thanks a lot for your attention.
On ke, 02 loka 2019, Bernard Lheureux via FreeIPA-users wrote:
> Hi all, After a fresh install of FreeIPA 4.6.5-11.el7.centos.x86_64, fully updated from the update repo on a CentOS7 x64 server, it appears that it is totally impossible to establish a trust with an AD running on local AD servers. We did it a few times ago with exactly the same distribution and had really no problem; we tried to completely reinstall the machine and the IPA with always the same results:
> ipa: ERROR: CIFS server communication error: code "3221225506", message "{Access Denied} A process has requested access to an object but has not been granted those access rights." (both may be "None")
> Could someone point me to the direction to look for, because we are going nuts on this? We found some tips in /var/log/httpd/errors, but nothing seems to provide sufficient info...
> [Wed Oct 02 12:54:57.868830 2019] [:error] [pid 2036] ipa: INFO: [jsonserver_session] admin@DOMAIN.INTRA: trust_add/1(u'domain.intra', trust_type=u'ad', realm_admin=u'admin', realm_passwd=u'********', bidirectional=True, version=u'2.231'): RemoteRetrieveError
> The IPA server and the AD servers are in the same VLAN with no firewall between them. The Samba version on the IPA server is the latest available: 4.9.1-6.el7.noarch
Are you really adding a trust to an AD forest named 'domain.intra' from an IPA domain named 'domain.intra'? In the log above, the first argument to 'trust_add()' is your AD forest root domain. It cannot be the same as the IPA domain itself, which is visible in the authenticated user's principal.
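A small triage script for the situation Alexander describes, added here as an example and not code from the thread or from the FreeIPA project: it pulls the calling principal's realm and the requested forest root out of an IPA `trust_add` line in the httpd error_log, flags the case where the two are identical, and decodes the decimal NTSTATUS that the "CIFS server communication error" message reports (3221225506 is 0xC0000022, STATUS_ACCESS_DENIED). The sample log line is constructed from the one quoted above, with the realm as corrected later in the thread; the log layout it expects is the one shown there.

```python
import re

# Constructed sample, built from the httpd error_log line quoted in the thread
# (with the corrected IPA realm from the follow-up reply).
SAMPLE_LOG = (
    "[Wed Oct 02 12:54:57.868830 2019] [:error] [pid 2036] ipa: INFO: "
    "[jsonserver_session] admin@IPA.DOMAIN.INTRA: trust_add/1(u'domain.intra', "
    "trust_type=u'ad', realm_admin=u'admin', realm_passwd=u'********', "
    "bidirectional=True, version=u'2.231'): RemoteRetrieveError"
)

# Matches "<user>@<REALM>: trust_add/<n>(u'<forest>'"; the u'' prefix is
# optional so the same pattern covers Python 2 and Python 3 IPA servers.
TRUST_ADD_RE = re.compile(
    r"(?P<user>[^\s@:]+)@(?P<realm>[A-Za-z0-9.\-]+): "
    r"trust_add/\d+\(u?'(?P<forest>[^']+)'"
)

# Only the code seen in this thread is named; others decode to "unknown".
NTSTATUS_NAMES = {0xC0000022: "STATUS_ACCESS_DENIED"}
# Bits 31-30 of an NTSTATUS value carry the severity class.
NTSTATUS_SEVERITY = {0: "success", 1: "informational", 2: "warning", 3: "error"}


def parse_trust_add(line):
    """Extract the calling principal's realm and the requested AD forest
    root from one IPA 'trust_add' log line; returns None if it does not match."""
    m = TRUST_ADD_RE.search(line)
    if not m:
        return None
    return {
        "user": m.group("user"),
        "realm": m.group("realm").lower(),
        "forest": m.group("forest").lower(),
    }


def check_trust_target(realm, forest):
    """Return a list of findings about the realm/forest pair. The first
    argument to trust_add must be the AD forest root, never the IPA realm."""
    findings = []
    if realm == forest:
        findings.append(
            "AD forest root '%s' is identical to the IPA realm; trust_add "
            "expects the AD forest root, not the IPA domain" % forest)
    return findings


def decode_ntstatus(code):
    """Translate the decimal NTSTATUS that 'CIFS server communication error'
    reports into hex form, severity class and (if known) symbolic name."""
    value = int(code)
    return {
        "hex": "0x%08X" % value,
        "severity": NTSTATUS_SEVERITY[(value >> 30) & 0x3],
        "name": NTSTATUS_NAMES.get(value, "unknown"),
    }


def triage(line, code):
    """Combine the log-line check and the status decode into one report."""
    parsed = parse_trust_add(line)
    if parsed is None:
        findings = ["no trust_add call found in the supplied line"]
    else:
        findings = check_trust_target(parsed["realm"], parsed["forest"])
    return {"parsed": parsed, "findings": findings, "status": decode_ntstatus(code)}


if __name__ == "__main__":
    import json
    print(json.dumps(triage(SAMPLE_LOG, "3221225506"), indent=2))
```

Run it against a line copied from /var/log/httpd/error_log together with the decimal code from the `ipa trust-add` error; an empty findings list with STATUS_ACCESS_DENIED points at credentials or permissions on the AD side rather than at a mistyped target domain, which is where the debug logs requested later in the thread come in.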
You're right, my mistake. Indeed the real names of the forest and IPA domain are different: the forest is domain and the IPA domain is ipa.domain.intra... It was a typo on my part. Here is a copy/paste, much better in that case...
The correct line is:
[Wed Oct 02 12:54:57.868830 2019] [:error] [pid 2036] ipa: INFO: [jsonserver_session] admin@IPA.DOMAIN.INTRA: trust_add/1(u'domain.intra', trust_type=u'ad', realm_admin=u'admin', realm_passwd=u'********', bidirectional=True, version=u'2.231'): RemoteRetrieveError
On ke, 02 loka 2019, Bernard Lheureux via FreeIPA-users wrote:
> You're right, my mistake. Indeed the real names of the forest and IPA domain are different: the forest is domain and the IPA domain is ipa.domain.intra... It was a typo on my part. Here is a copy/paste, much better in that case...
> The correct line is:
> [Wed Oct 02 12:54:57.868830 2019] [:error] [pid 2036] ipa: INFO: [jsonserver_session] admin@IPA.DOMAIN.INTRA: trust_add/1(u'domain.intra', trust_type=u'ad', realm_admin=u'admin', realm_passwd=u'********', bidirectional=True, version=u'2.231'): RemoteRetrieveError
Please follow https://access.redhat.com/solutions/2055943 to provide reasonable debug logs. Since they will contain trust domain object credentials, please send them to me directly.
I have the logs; how can I send them to you?
Sent in private...
Hello,
I know the thread is old, but I have the same problem. Were you able to find a solution? Any help would be helpful. Thank you!