Hello everyone. I hoped I could ask for a little assistance on an AD / IPA
trust.
I have a Windows 2008R2 domain:
```text
Response Type: LOGON_SAM_LOGON_RESPONSE_EX
GUID: e**********************6497
Flags:
Is a PDC: no
Is a GC of the forest: yes
Is an LDAP server: yes
Supports DS: yes
Is running a KDC: yes
Is running time services: yes
Is the closest DC: yes
Is writable: yes
Has a hardware clock: no
Is a non-domain NC serviced by LDAP server: no
Is NT6 DC that has some secrets: no
Is NT6 DC that has all secrets: yes
Runs Active Directory Web Services: yes
Runs on Windows 2012 or later: no
Forest: example.local
Domain: example.local
Domain Controller: CSAD1.example.local
Pre-Win2k Domain: example
Pre-Win2k Hostname: CSAD1
Server Site Name : Site1
Client Site Name : Site1
NT Version: 5
LMNT Token: ffff
LM20 Token: ffff
```
-----------------
IPA
ipa-server-4.4.0-14.el7
Domain = lci.example.com
------------------
I start the process and DNS lookups are working.
```text
[root@ipa-001 samba]# !872
dig SRV _ldap._tcp.example.local

; <<>> DiG 9.9.4-RedHat-9.9.4-38.el7_3.3 <<>> SRV _ldap._tcp.example.local
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 45828
;; flags: qr rd ra; QUERY: 1, ANSWER: 4, AUTHORITY: 0, ADDITIONAL: 5

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;_ldap._tcp.example.local.      IN      SRV

;; ANSWER SECTION:
_ldap._tcp.example.local. 600 IN SRV 0 100 389 ac-ad4.example.local.
_ldap._tcp.example.local. 600 IN SRV 0 100 389 csad2.example.local.
_ldap._tcp.example.local. 600 IN SRV 0 100 389 csad1.example.local.
_ldap._tcp.example.local. 600 IN SRV 0 100 389 ac-ad3.example.local.

;; ADDITIONAL SECTION:
csad1.example.local.  3196 IN A 192.168.2.1
ac-ad4.example.local. 3196 IN A 192.168.2.4
ac-ad3.example.local. 3196 IN A 192.168.2.3
csad2.example.local.  3196 IN A 192.168.2.2

;; Query time: 1 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Fri Jun 09 19:50:34 UTC 2017
;; MSG SIZE  rcvd: 290

[root@ipa-001 samba]# dig SRV _ldap._tcp.lci.example.local

; <<>> DiG 9.9.4-RedHat-9.9.4-38.el7_3.3 <<>> SRV _ldap._tcp.lci.example.local
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 64288
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 3, AUTHORITY: 2, ADDITIONAL: 3

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;_ldap._tcp.lci.example.local.  IN      SRV

;; ANSWER SECTION:
_ldap._tcp.lci.example.local. 86400 IN CNAME _ldap._tcp.atl._locations.lci.example.local.
_ldap._tcp.atl._locations.lci.example.local. 86400 IN SRV 0 5 389 ipa-001.lci.example.local.
_ldap._tcp.atl._locations.lci.example.local. 86400 IN SRV 0 10 389 ipa-002.lci.example.local.

;; AUTHORITY SECTION:
lci.example.local. 86400 IN NS ipa-002.lci.example.local.
lci.example.local. 86400 IN NS ipa-001.lci.example.local.

;; ADDITIONAL SECTION:
ipa-001.lci.example.local. 1200 IN A 192.168.1.11
ipa-002.lci.example.local. 1200 IN A 192.168.1.12

;; Query time: 0 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Fri Jun 09 19:50:40 UTC 2017
;; MSG SIZE  rcvd: 272

[root@ipa-001 samba]#
```
--------------
My bound `ldapsearch` and `kinit` on both domains work well.
As I move on to testing the `trust-fetch-domains` area, things go bad (well,
start to show that they are).
--------------
```text
[root@ipa-001 samba]# ipa trust-fetch-domains example.local
----------------------------------------------------------------------------------------
List of trust domains successfully refreshed. Use trustdomain-find command to list them.
----------------------------------------------------------------------------------------
----------------------------
Number of entries returned 0
----------------------------
[root@ipa-001 samba]# ipa trustdomain-find example.LOCAL
  Domain name: example.local
  Domain NetBIOS name: example
  Domain Security Identifier: S-1-5-21-******-857828577-140568808
  Domain enabled: True
----------------------------
Number of entries returned 1
----------------------------
```
Of course any movement from there on fails.
Using other posts I bumped up the logging and pulled out items that I
believe assist in this matter.
----------
```text
log.winbindd-dc-connect: check_negative_conn_cache returning result 0 for domain example.local server 192.168.2.3
log.winbindd-dc-connect: check_negative_conn_cache returning result -1073741823 for domain example.local server 192.168.2.2
log.winbindd-dc-connect: check_negative_conn_cache returning result -1073741823 for domain example.local server 192.168.2.4
log.winbindd-dc-connect: get_sorted_dc_list: attempting lookup for name example.local (sitename NULL)
log.winbindd-dc-connect: saf_fetch: failed to find server for "example.local" domain
log.winbindd-dc-connect: internal_resolve_name: looking up example.local#1c (sitename (null))
log.winbindd-dc-connect: name example.local#1C found.
log.winbindd-dc-connect: check_negative_conn_cache returning result -1073741823 for domain example.local server 192.168.2.1
log.winbindd-dc-connect: Adding cache entry with key=[NEG_CONN_CACHE/example.local,192.168.2.3] and timeout=[Thu Jan 1 12:00:00 AM 1970 UTC] (-1497038264 seconds in the past)
log.winbindd-dc-connect: check_negative_conn_cache returning result 0 for domain example.local server 192.168.2.3
log.winbindd-dc-connect: check_negative_conn_cache returning result -1073741823 for domain example.local server 192.168.2.2
log.winbindd-dc-connect: check_negative_conn_cache returning result -1073741823 for domain example.local server 192.168.2.4
log.winbindd-dc-connect: get_sorted_dc_list: attempting lookup for name example.local (sitename NULL)
log.winbindd-dc-connect: saf_fetch: failed to find server for "example.local" domain
log.winbindd-dc-connect: internal_resolve_name: looking up example.local#1c (sitename (null))
log.winbindd-dc-connect: name example.local#1C found.
log.winbindd-dc-connect: check_negative_conn_cache returning result -1073741823 for domain example.local server 192.168.2.1
log.winbindd-dc-connect: Adding cache entry with key=[NEG_CONN_CACHE/example.local,192.168.2.3] and timeout=[Thu Jan 1 12:00:00 AM 1970 UTC] (-1497038340 seconds in the past)
log.winbindd-dc-connect: check_negative_conn_cache returning result 0 for domain example.local server 192.168.2.3
log.winbindd-dc-connect: check_negative_conn_cache returning result -1073741823 for domain example.local server 192.168.2.2
log.winbindd-dc-connect: check_negative_conn_cache returning result -1073741823 for domain example.local server 192.168.2.4
log.winbindd-idmap: pdb_init_ipasam: support for pdb_enum_upn_suffixes enabled for domain lci.example.local
```
-------------------
I see the timeouts in the logs; however, I thought they appeared to conflict
with the ability to `net ads lookup`.
Any assistance on this would be appreciated a great deal. Thank you so
much for your time and looking at this.
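As an added example (not part of the original post, and not code from FreeIPA or Samba), here is a small parser for the `winbindd` lines quoted above. It reads the `check_negative_conn_cache` and `Adding cache entry ... NEG_CONN_CACHE` messages, reports which domain controllers are currently marked failed in the negative connection cache (with the signed result shown as the usual unsigned NTSTATUS hex), and flags cache inserts whose timeout was already in the past when written, which is what the epoch-0 timeout in the post looks like. The line formats are taken from the post; the sample lines are constructed from them, and the function names are mine.

```python
import re

# Constructed sample input in the shape of the winbindd lines quoted in the post.
SAMPLE_LOG = """\
log.winbindd-dc-connect: check_negative_conn_cache returning result 0 for domain example.local server 192.168.2.3
log.winbindd-dc-connect: check_negative_conn_cache returning result -1073741823 for domain example.local server 192.168.2.2
log.winbindd-dc-connect: check_negative_conn_cache returning result -1073741823 for domain example.local server 192.168.2.4
log.winbindd-dc-connect: saf_fetch: failed to find server for "example.local" domain
log.winbindd-dc-connect: check_negative_conn_cache returning result -1073741823 for domain example.local server 192.168.2.1
log.winbindd-dc-connect: Adding cache entry with key=[NEG_CONN_CACHE/example.local,192.168.2.3] and timeout=[Thu Jan 1 12:00:00 AM 1970 UTC] (-1497038264 seconds in the past)
"""

# "check_negative_conn_cache returning result <n> for domain <d> server <ip>"
CHECK_RE = re.compile(
    r"check_negative_conn_cache returning result (-?\d+) for domain (\S+) server (\S+)"
)
# "Adding cache entry with key=[NEG_CONN_CACHE/<d>,<ip>] and timeout=[<text>] (<n> seconds <ahead|in the past>)"
ADD_RE = re.compile(
    r"Adding cache entry with key=\[NEG_CONN_CACHE/([^,]+),([^\]]+)\] "
    r"and timeout=\[([^\]]+)\] \((-?\d+) seconds (ahead|in the past)\)"
)


def ntstatus_hex(signed):
    """winbindd prints NTSTATUS as a signed 32-bit int; render it as unsigned hex."""
    return f"0x{signed & 0xFFFFFFFF:08X}"


def parse_neg_conn_cache(text):
    """Return ({(domain, server): last_result}, [cache insert records])."""
    status = {}
    inserts = []
    for line in text.splitlines():
        m = CHECK_RE.search(line)
        if m:
            result, domain, server = int(m.group(1)), m.group(2), m.group(3)
            status[(domain, server)] = result  # keep the most recent check
            continue
        m = ADD_RE.search(line)
        if m:
            delta = int(m.group(4))  # timeout minus now, as winbindd reports it
            inserts.append({
                "domain": m.group(1),
                "server": m.group(2),
                "timeout": m.group(3),
                # a non-positive delta means the entry expired the moment it was written
                "expired_on_insert": delta <= 0,
            })
    return status, inserts


def reachable_dcs(status):
    """Servers whose last negative-cache check returned 0 (not marked failed)."""
    return sorted(server for (_, server), r in status.items() if r == 0)


def blocked_dcs(status):
    """Servers still in the negative cache, with the NTSTATUS that put them there."""
    return sorted((server, ntstatus_hex(r)) for (_, server), r in status.items() if r != 0)


def summarize(text):
    status, inserts = parse_neg_conn_cache(text)
    return {
        "reachable": reachable_dcs(status),
        "blocked": blocked_dcs(status),
        "expired_inserts": [i["server"] for i in inserts if i["expired_on_insert"]],
    }


if __name__ == "__main__":
    # Run against a real file with: python3 this.py < log.winbindd-dc-connect
    import sys
    data = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_LOG
    for key, value in summarize(data).items():
        print(f"{key}: {value}")
```

On the constructed sample this reports three DCs blocked with `0xC0000001` and one (192.168.2.3) reachable, and shows that the only cache insert for 192.168.2.3 carried a timeout already in the past, which is consistent with that DC being the only one whose check keeps returning 0 in the post's log.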