Bug 1142694
| Field | Value |
|---|---|
| Summary | unable to add trust by IPA web ui |
| Product | Red Hat Enterprise Linux 7 |
| Reporter | abubackar siddique <abdullaha> |
| Component | ipa |
| Assignee | Tomas Babej <tbabej> |
| Status | CLOSED NOTABUG |
| QA Contact | Namita Soman <nsoman> |
| Severity | urgent |
| Priority | unspecified |
| Version | 7.0 |
| CC | abdullaha, mkosek, rcritten, tbabej |
| Target Milestone | rc |
| Target Release | --- |
| Hardware | x86_64 |
| OS | Linux |
| Doc Type | Bug Fix |
| Story Points | --- |
| Last Closed | 2014-09-18 09:06:38 UTC |
| Type | Bug |
| Regression | --- |
| Mount Type | --- |
| Documentation | --- |
| Category | --- |
| oVirt Team | --- |
| Cloudforms Team | --- |
Description

abubackar siddique, 2014-09-17 08:36:57 UTC

Thanks for the bug report. Adding a trust via WebUI works fine on my instance. What version of IPA are you running? I tested with ipa-server-3.3.3-28.el7.x86_64. However, we will need more information to debug the issue. For starters, can you please have a look into /var/log/httpd/error_log, you will find a backtrace of this internal error there. You haven't specified the authorization way to create the trust - did you try to establish the trust using the AD Administrative account or using a pre-shared password? Also, for further debugging, please see http://www.freeipa.org/page/Howto/IPAv3_AD_trust_setup#Debugging_trust

Created attachment 938461 [details]
/var/log/httpd/error_log

Hi,
we are using a virtual server for IdM services (OS: RHEL 7).
Domain controller: Windows Server 2008.
Installed packages on RHEL 7: ipa-server, bind, bind-dyndb-ldap.
Getting an error (IPA 903: an internal error has occurred) while trying to add a trust with the domain controller using the relevant credentials (the domain controller's).
Kindly expecting the soonest solution, since the job is stuck and should be handed over soon.
If required, we can also take remote assistance, please.

abubackar, we will try to help you and investigate your problem in a reasonable time. However, to further prioritize your request, get remote assistance or request 24h urgent support, please file an official Customer Case via https://access.redhat.com/ where you should have access in case you own a RHEL subscription.

It seems that the ID range entry from the previous attempt to add the trust got corrupted somehow. The ID range should be called NES.PRD_id_range, can you please show us the contents of that LDAP entry? Running the following command should be enough (you need to kinit as admin first):

```
ipa idrange-show NES.PRD_id_range --all --raw
```

Additionally, it seems that your IPA domain is the same as the AD domain (NES.PRD). This is not a supported setup and cannot work, as multiple SRV records will clash. You need to separate the AD and IPA domains, e.g. use subdomains:

```
AD:  NES.PRD
IPA: IPA.NES.PRD
```

or parallel domains for IPA and AD:

```
AD:  NES.PRD
IPA: IPA.PRD
```

(In reply to Tomas Babej from comment #5)
> It seems that the ID range entry from previous attempt to add the trust got
> corrupted somehow.
>
> The ID range should be called NES.PRD_id_range, can you please show us the
> contents of that LDAP entry?
>
> Running the following command should be enough (you need to kinit as admin
> first):
>
> ipa idrange-show NES.PRD_id_range --all --raw

Hi Babej,
please find below the lines we get as the result of the above command:

```
dn: cn=NES.PRD_id_range,cn=ranges,cn=etc,dc=nes,dc=prd
cn: NES.PRD_id_range
ipaBaseID: 28800000
ipaBaseRID: 1000
ipaIDRangeSize: 200000
ipaRangeType: ipa-local
ipaSecondaryBaseRID: 100000000
objectClass: top
objectClass: ipaIDrange
objectClass: ipaDomainIDRange
```

Expecting your solution at the earliest possible. Thanks in advance.

Thank you. I can see now that the reason for all your problems is that you have IPA deployed in the same domain as AD. As stated in Comment 6, you need to have separate domains (parallel or in a subdomain relationship) for AD and IPA.

This setup is not supported and will not work. You need to re-deploy your IPA infrastructure so that your IPA is in a different domain than NES.PRD. That said, it's true we should not fail with an internal error in such a scenario, but report a more sensible error. I opened an upstream ticket for improvement of the error message: https://fedorahosted.org/freeipa/ticket/4549

Agreed. See http://www.freeipa.org/page/Deployment_Recommendations#Active_Directory_Integration for more details about this and other deployment recommendations.
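The two conditions the thread ends up on (IPA and AD sharing the domain NES.PRD, and an ipa-local range already carrying the name NES.PRD_id_range that the trust would want) can be checked offline from the `ipa idrange-show ... --all --raw` output before attempting the trust. The script below is an added example written for this page; it is not code from the bug report or from FreeIPA. It assumes that `--raw` output is `attr: value` lines as pasted above, that the IPA domain can be read from the `dc=` components of the entry's DN, and that ranges belonging to a trusted AD domain carry the types `ipa-ad-trust` or `ipa-ad-trust-posix` (an assumption about FreeIPA's range types, not something the report states). The sample entry is the one the reporter pasted.

```python
"""Offline pre-flight check for an IPA/AD trust from `ipa idrange-show <name> --all --raw` output.

Added example, not code from the bug report or from FreeIPA.
"""

# Assumption: range types FreeIPA uses for ranges that belong to a trusted AD domain.
TRUST_RANGE_TYPES = {"ipa-ad-trust", "ipa-ad-trust-posix"}

# Constructed sample: the raw entry pasted by the reporter in the thread above.
SAMPLE_RAW = """\
dn: cn=NES.PRD_id_range,cn=ranges,cn=etc,dc=nes,dc=prd
cn: NES.PRD_id_range
ipaBaseID: 28800000
ipaBaseRID: 1000
ipaIDRangeSize: 200000
ipaRangeType: ipa-local
ipaSecondaryBaseRID: 100000000
objectClass: top
objectClass: ipaIDrange
objectClass: ipaDomainIDRange
"""


def parse_raw_entry(text):
    """Parse `attr: value` lines (LDIF-like --raw output) into {attr: [values]}.

    Attributes such as objectClass repeat, so every attribute maps to a list.
    Lines without a `: ` separator (blank lines, comments) are ignored.
    """
    entry = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        attr, sep, value = line.partition(": ")
        if not sep:
            continue
        entry.setdefault(attr, []).append(value.strip())
    return entry


def domain_from_dn(dn):
    """Derive the domain from the dc= components of a DN: 'cn=x,dc=nes,dc=prd' -> 'nes.prd'."""
    labels = []
    for rdn in dn.split(","):
        attr, sep, value = rdn.strip().partition("=")
        if sep and attr.lower() == "dc":
            labels.append(value.lower())
    return ".".join(labels)


def check_trust_preflight(raw_text, ad_domain):
    """Return a list of (code, message) findings; an empty list means nothing was flagged."""
    entry = parse_raw_entry(raw_text)
    ad_domain = ad_domain.lower().rstrip(".")
    findings = []

    # 1. IPA and AD must not share a DNS domain, or their SRV records clash.
    ipa_domain = domain_from_dn(entry.get("dn", [""])[0])
    if ipa_domain and ipa_domain == ad_domain:
        findings.append(("same-domain",
                         f"IPA domain {ipa_domain} is the same as the AD domain; "
                         "SRV records would clash. Use a subdomain or a parallel domain."))

    # 2. A range already named <AD domain>_id_range that is not a trust range
    #    collides with the range the trust would create.
    cn = entry.get("cn", [""])[0].lower()
    range_type = entry.get("ipaRangeType", [""])[0]
    if cn == f"{ad_domain}_id_range" and range_type not in TRUST_RANGE_TYPES:
        findings.append(("range-name-collision",
                         f"{entry['cn'][0]} exists with ipaRangeType {range_type!r}; "
                         "the trust would try to create a range with that name."))
    return findings


def range_bounds(raw_text):
    """Return (first_id, last_id) covered by the range, to compare against other ranges."""
    entry = parse_raw_entry(raw_text)
    base = int(entry["ipaBaseID"][0])
    size = int(entry["ipaIDRangeSize"][0])
    return base, base + size - 1


if __name__ == "__main__":
    for code, msg in check_trust_preflight(SAMPLE_RAW, "NES.PRD"):
        print(f"{code}: {msg}")
    print("range covers IDs %d-%d" % range_bounds(SAMPLE_RAW))
```

Run against the pasted entry with the AD domain NES.PRD it reports both findings; with an AD domain that differs from the IPA domain and has no pre-existing range of that name it reports nothing, which is the state the deployment recommendations linked above describe.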