| Summary: | two-way trust-add fails intermittently | ||||||||
|---|---|---|---|---|---|---|---|---|---|
| Product: | Red Hat Enterprise Linux 7 | Reporter: | Varun Mylaraiah <mvarun> | ||||||
| Component: | ipa | Assignee: | Martin Babinsky <mbabinsk> | ||||||
| Status: | CLOSED WORKSFORME | QA Contact: | Kaleem <ksiddiqu> | ||||||
| Severity: | medium | Docs Contact: | |||||||
| Priority: | unspecified | ||||||||
| Version: | 7.3 | CC: | abokovoy, mbabinsk, mvarun, pvoborni, rcritten | ||||||
| Target Milestone: | rc | ||||||||
| Target Release: | --- | ||||||||
| Hardware: | x86_64 | ||||||||
| OS: | Linux | ||||||||
| Whiteboard: | |||||||||
| Fixed In Version: | Doc Type: | If docs needed, set a value | |||||||
| Doc Text: | Story Points: | --- | |||||||
| Clone Of: | Environment: | ||||||||
| Last Closed: | 2017-01-12 13:48:42 UTC | Type: | Bug | ||||||
| Regression: | --- | Mount Type: | --- | ||||||
| Documentation: | --- | CRM: | |||||||
| Verified Versions: | Category: | --- | |||||||
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |||||||
| Cloudforms Team: | --- | Target Upstream Version: | |||||||
| Attachments: |
Created attachment 1225882 [details]
fail.txt
The error message gives a hint why it is failing:
"""
ipa: ERROR: AD DC was unable to reach any IPA domain controller. Most likely it is a DNS or firewall issue
"""
There is probably a DNS misconfiguration on the AD side, and it cannot resolve the IPA master SRV records.
You can get more info about the issue by adding `log level = 100` in /usr/share/ipa/sm.conf.empty after ipa-adtrust-install, restarting smbd.service and looking into the Apache error log after trust-add.
You can also run nslookup on the AD DC to resolve the _ldap._tcp SRV records in the IPA domain:
> nslookup.exe
> set type=srv
> _ldap._tcp.<IPA-REALM>
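
The same `_ldap._tcp` SRV check can be run from a Linux host with `dig`, pointed at the DNS server the AD DC uses. This is an added example, not part of the comment above or of IPA itself. The function names, host names and sample answers are constructed placeholders, and port 389 is assumed for LDAP.

```shell
#!/bin/sh
# srv_targets: read `dig +short -t SRV` lines ("prio weight port target.")
# on stdin and print one lower-cased "target:port" per line.
srv_targets() {
    awk 'NF == 4 && $3 ~ /^[0-9]+$/ {
             t = tolower($4); sub(/\.$/, "", t); print t ":" $3
         }' | sort -u
}

# missing_masters MASTER...: read dig output on stdin and print every expected
# IPA master that is absent from the answer on port 389 (assumed LDAP port).
# Returns 0 when all masters are present, 1 otherwise (including no answer).
missing_masters() {
    answer=$(srv_targets)
    rc=0
    for m in "$@"; do
        want="$(printf '%s' "$m" | tr 'A-Z' 'a-z'):389"
        if ! printf '%s\n' "$answer" | grep -qxF "$want"; then
            printf '%s\n' "$m"
            rc=1
        fi
    done
    return $rc
}

# check_resolver DNS_SERVER IPA_DOMAIN MASTER...: live query; needs dig and
# network access to the resolver. Error lines from dig are ignored by the
# parser, so a timeout reports every master as missing.
check_resolver() {
    server=$1; domain=$2; shift 2
    dig +short +time=3 +tries=1 -t SRV "_ldap._tcp.$domain" "@$server" |
        missing_masters "$@"
}

# Constructed sample answers (placeholders, not taken from the attachments).
SAMPLE_OK='0 100 389 ipa1.ipa.example.test.
0 100 389 ipa2.ipa.example.test.'
SAMPLE_PARTIAL='0 100 389 ipa1.ipa.example.test.'

# Offline demonstration: a resolver that knows only one of two masters.
printf '%s\n' "$SAMPLE_PARTIAL" |
    missing_masters ipa1.ipa.example.test ipa2.ipa.example.test ||
    echo "resolver answer is incomplete (masters listed above are missing)"
```

Running `check_resolver` once against each DNS server configured on the AD DC shows whether only some of them return the IPA masters, which is one way a DNS problem can appear intermittent.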
Bump
Not able to reproduce this bug now. Will reopen if it is reproduced again.
Created attachment 1225881 [details]
pass.txt

Description of problem:
two-way trust-add fails intermittently, not sure what is the potential reason behind that.

Version-Release number of selected component (if applicable):

How reproducible:
Every now and then. Not able to backtrack with proper reproduction steps.

Important note:
===============
Tried running automation scripts multiple times on the same AD environments with different beaker/local VMs and the results are not consistent.
Please find the attached logs for both pass and fail results below.
**Please note that it is the same AD environment**

Result logs:
============
1. Passed ==> pass.txt
2. Failed ==> fail.txt

Pass Result Snippet:
====================
:: [ BEGIN ] :: Running 'echo Secret123 | ipa trust-add adtest2.qe --admin Administrator --range-type=ipa-ad-trust --password --two-way=True'
---------------------------------------------------
Added Active Directory trust for realm "adtest2.qe"
---------------------------------------------------
  Realm name: adtest2.qe
  Domain NetBIOS name: ADTEST2
  Domain Security Identifier: S-1-5-21-1869981227-3608374679-2281468898
  Trust direction: Two-way trust
  Trust type: Active Directory domain
  Trust status: Established and verified
:: [ PASS ] :: Command 'echo Secret123 | ipa trust-add adtest2.qe --admin Administrator --range-type=ipa-ad-trust --password --two-way=True' (Expected 0, got 0)
....

Fail Result Snippet:
=====================
:: [ BEGIN ] :: Running 'echo Secret123 | ipa trust-add adtest2.qe --admin Administrator --range-type=ipa-ad-trust --password --two-way=True'
ipa: ERROR: AD DC was unable to reach any IPA domain controller. Most likely it is a DNS or firewall issue
:: [ FAIL ] :: Command 'echo Secret123 | ipa trust-add adtest2.qe --admin Administrator --range-type=ipa-ad-trust --password --two-way=True' (Expected 0, got 1)