Bug 1190566
| Summary: | Manual IPA - AD Trust validation issue from AD | | |
|---|---|---|---|
| Product: | Red Hat Enterprise Linux 7 | Reporter: | Deepak Das <ddas> |
| Component: | ipa | Assignee: | IPA Maintainers <ipa-maint> |
| Status: | CLOSED DUPLICATE | QA Contact: | Namita Soman <nsoman> |
| Severity: | unspecified | Docs Contact: | |
| Priority: | medium | | |
| Version: | 7.0 | CC: | abokovoy, frenaud, mkosek, pasik, rcritten, sbose |
| Target Milestone: | rc | | |
| Target Release: | --- | | |
| Hardware: | Unspecified | | |
| OS: | Unspecified | | |
| Whiteboard: | | | |
| Fixed In Version: | | Doc Type: | If docs needed, set a value |
| Doc Text: | | Story Points: | --- |
| Clone Of: | | Environment: | |
| Last Closed: | 2018-10-19 13:46:32 UTC | Type: | Bug |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | | Category: | --- |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | | | |
| Bug Depends On: | | | |
| Bug Blocks: | 1420851 | | |
Description
Deepak Das
2015-02-09 07:20:19 UTC
CCing Alexander. But to me, this sounds like IPA DNS SRV records are not seen from AD.

Hi Martin,

As per my check, IPA DNS records are fetched correctly from AD. Snapshot from the AD server is given below.

```text
PS C:\> nslookup
Default Server:  localhost
Address:  127.0.0.1

> set type=srv
> _ldap._tcp.ipadomain.com
Server:  localhost
Address:  127.0.0.1

DNS request timed out.
    timeout was 2 seconds.
Non-authoritative answer:
_ldap._tcp.ipadomain.com        SRV service location:
          priority       = 0
          weight         = 100
          port           = 389
          svr hostname   = ipaserver.ipadomain.com
ipaserver.ipadomain.com internet address = 192.168.122.2
> _kerberos._udp.ipadomain.com
Server:  localhost
Address:  127.0.0.1

Non-authoritative answer:
_kerberos._udp.ipadomain.com    SRV service location:
          priority       = 0
          weight         = 100
          port           = 88
          svr hostname   = ipaserver.ipadomain.com
ipaserver.ipadomain.com internet address = 192.168.122.2
> _kerberos._tcp.ipadomain.com
Server:  localhost
Address:  127.0.0.1

Non-authoritative answer:
_kerberos._tcp.ipadomain.com    SRV service location:
          priority       = 0
          weight         = 100
          port           = 88
          svr hostname   = ipaserver.ipadomain.com
ipaserver.ipadomain.com internet address = 192.168.122.2
> _kpasswd._udp.ipadomain.com
Server:  localhost
Address:  127.0.0.1

Non-authoritative answer:
_kpasswd._udp.ipadomain.com     SRV service location:
          priority       = 0
          weight         = 100
          port           = 464
          svr hostname   = ipaserver.ipadomain.com
ipaserver.ipadomain.com internet address = 192.168.122.2
> _kpasswd._tcp.ipadomain.com
Server:  localhost
Address:  127.0.0.1

Non-authoritative answer:
_kpasswd._tcp.ipadomain.com     SRV service location:
          priority       = 0
          weight         = 100
          port           = 464
          svr hostname   = ipaserver.ipadomain.com
ipaserver.ipadomain.com internet address = 192.168.122.2
```

Comment 4
Sumit Bose

I took a look at the issue last week and compared an IPA version from RHEL-6.5, where validation is working, with a current Fedora installation, where validation fails as well. I found a failure in netr_ServerAuthenticate3() on Fedora which is not present in the working RHEL version. I'll try to dig deeper here.

Comment 5
Alexander Bokovoy

Right now we don't support validation via the Windows UI. You are supposed to use the IPA CLI: 'ipa trust-add ...', which will force validation as one of the last steps. See also https://fedorahosted.org/freeipa/ticket/4114

You also need to be able to resolve SRV records in the _msdcs namespaces.

(In reply to Sumit Bose from comment #4)
> I found a failure in netr_ServerAuthenticate3() on Fedora which is not
> present in the working RHEL version. I'll try to dig deeper here.

(In reply to Alexander Bokovoy from comment #5)
> Right now we don't support validation via the Windows UI. You are supposed to
> use the IPA CLI: 'ipa trust-add ...', which will force validation as one of the
> last steps.

Is there a bug to fix in IPA after all or rather not?

There is a bug in either Samba proper or the ipasam module that prevents us from allowing validation from the Windows side. We mitigate it by forcing validation from the IPA side when adding the trust with AD admin credentials. Linking to upstream ticket https://fedorahosted.org/freeipa/ticket/4114.

This issue is a duplicate of BZ #1345975 [RFE] Support One-Way Trust authenticated by trust secret

*** This bug has been marked as a duplicate of bug 1345975 ***
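The nslookup transcript in the thread checks the plain IPA service records but not the _msdcs names that comment #5 says the AD side must also resolve. The following PowerShell script is an added example for running that fuller check from a domain controller; it is not code from the bug report or from the FreeIPA project. The domain name `ipadomain.com` and DNS server `127.0.0.1` are taken from the transcript, and the list of `_msdcs` records it queries is an assumption (it reflects what `ipa-adtrust-install` publishes in the IPA zone; compare it with the records your own IPA server actually serves). It uses the standard `Resolve-DnsName` cmdlet from the DnsClient module.

```powershell
# Added example (not from the bug report or the FreeIPA project): check, from the AD
# side, that a domain controller can resolve the SRV records an IPA domain must
# publish for trust validation, including the _msdcs names the nslookup
# transcript above did not query. Run on a DC, or on any Windows host that uses
# the DC's DNS.
# Assumptions (not stated on the page): the IPA domain, the DNS server to query,
# and the exact _msdcs record list below.

param(
    [string]$IpaDomain = 'ipadomain.com',   # assumed: the domain from the transcript
    [string]$DnsServer = '127.0.0.1'        # assumed: the transcript queried localhost
)

function Get-IpaSrvNames {
    param([string]$Domain)
    # Plain IPA service records: the ones the transcript already checked.
    $base = @(
        "_ldap._tcp.$Domain",
        "_kerberos._tcp.$Domain",
        "_kerberos._udp.$Domain",
        "_kpasswd._tcp.$Domain",
        "_kpasswd._udp.$Domain"
    )
    # AD-style _msdcs names a DC looks up when it treats the IPA domain as a forest.
    # Assumed list; the exact set depends on the IPA version.
    $msdcs = @(
        "_ldap._tcp.dc._msdcs.$Domain",
        "_kerberos._tcp.dc._msdcs.$Domain",
        "_kerberos._udp.dc._msdcs.$Domain"
    )
    return $base + $msdcs
}

function Test-IpaSrvRecord {
    param([string]$Name, [string]$Server)
    try {
        # -DnsOnly skips the local hosts file and LLMNR/NetBIOS so only DNS counts.
        $answers = Resolve-DnsName -Name $Name -Type SRV -Server $Server -DnsOnly -ErrorAction Stop |
                   Where-Object { $_.Type -eq 'SRV' }
    } catch {
        return [pscustomobject]@{ Name = $Name; Status = 'MISSING'; Targets = ''; Detail = $_.Exception.Message }
    }
    if (-not $answers) {
        return [pscustomobject]@{ Name = $Name; Status = 'MISSING'; Targets = ''; Detail = 'no SRV answer' }
    }
    # Every SRV target must itself resolve, otherwise the DC has a name but no address to contact.
    $unresolved = @()
    foreach ($a in $answers) {
        try {
            Resolve-DnsName -Name $a.NameTarget -Type A -Server $Server -DnsOnly -ErrorAction Stop | Out-Null
        } catch {
            $unresolved += $a.NameTarget
        }
    }
    $status  = if ($unresolved) { 'TARGET-UNRESOLVED' } else { 'OK' }
    $targets = ($answers | ForEach-Object { "$($_.NameTarget):$($_.Port)" }) -join ','
    return [pscustomobject]@{ Name = $Name; Status = $status; Targets = $targets; Detail = ($unresolved -join ',') }
}

$results = Get-IpaSrvNames -Domain $IpaDomain |
           ForEach-Object { Test-IpaSrvRecord -Name $_ -Server $DnsServer }
$results | Format-Table -AutoSize

$bad = @($results | Where-Object { $_.Status -ne 'OK' })
if ($bad.Count -gt 0) {
    Write-Warning "$($bad.Count) record(s) are not usable from this DC; fix DNS forwarding or the IPA zone before validating the trust."
    exit 1
}
```

Even when every record resolves, the thread's conclusion still applies: validation from the Windows UI is not supported in this version, so establish the trust from the IPA side with `ipa trust-add`, which performs the validation itself as its last step.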