Description of problem:
When validating the IPA domain trust from AD, the following error is observed.
------------------------------------------------------------------------------
The secure channel (SC) verification on Active Directory Domain Controller \\adserver.addomain.com of domain addomain.com to domain ipadomain.com failed with error: Access is denied.
The secure channel (SC) reset on Active Directory Domain Controller \\adserver.addomain.com of domain addomain.com to domain ipadomain.com failed with error: Access is denied.
The secure channel (SC) verification on Active Directory Domain Controller \\ipaserver.ipadomain.com of domain ipadomain.com to domain addomain.com failed with error: The specified domain either does not exist or could not be contacted.
The secure channel (SC) reset on Active Directory Domain Controller \\ipaserver.ipadomain.com of domain ipadomain.com to domain addomain.com failed with error: The specified domain either does not exist or could not be contacted.
-------------------------------------------------------------------------------

Version-Release number of selected component (if applicable):
ipa-server-trust-ad-3.3.3-28.el7_0.3.x86_64
ipa-server-3.3.3-28.el7_0.3.x86_64

How reproducible:
Always

Steps to Reproduce:
1) Create IPA - AD Trust.
2) Log in to the AD server.
3) Open "Active Directory Domains and Trust" -> Right Click on AD Domain -> Properties -> Trusts -> Select the IPA Domain (Incoming/Outgoing) -> Properties -> Validate

Actual results:
The error mentioned in the description is observed.

Expected results:
Validation succeeds.

Additional info:
CCing Alexander. But to me, this sounds like IPA DNS SRV records are not seen from AD.
Hi Martin,

As per check, IPA DNS records are fetched correctly from AD. Snapshot from AD server is given below.
--------------------------------------------------------------------------------
PS C:\> nslookup
Default Server:  localhost
Address:  127.0.0.1

> set type=srv
> _ldap._tcp.ipadomain.com
Server:  localhost
Address:  127.0.0.1

DNS request timed out.
    timeout was 2 seconds.
Non-authoritative answer:
_ldap._tcp.ipadomain.com        SRV service location:
          priority       = 0
          weight         = 100
          port           = 389
          svr hostname   = ipaserver.ipadomain.com
ipaserver.ipadomain.com internet address = 192.168.122.2
> _kerberos._udp.ipadomain.com
Server:  localhost
Address:  127.0.0.1

Non-authoritative answer:
_kerberos._udp.ipadomain.com    SRV service location:
          priority       = 0
          weight         = 100
          port           = 88
          svr hostname   = ipaserver.ipadomain.com
ipaserver.ipadomain.com internet address = 192.168.122.2
> _kerberos._tcp.ipadomain.com
Server:  localhost
Address:  127.0.0.1

Non-authoritative answer:
_kerberos._tcp.ipadomain.com    SRV service location:
          priority       = 0
          weight         = 100
          port           = 88
          svr hostname   = ipaserver.ipadomain.com
ipaserver.ipadomain.com internet address = 192.168.122.2
> _kpasswd._udp.ipadomain.com
Server:  localhost
Address:  127.0.0.1

Non-authoritative answer:
_kpasswd._udp.ipadomain.com     SRV service location:
          priority       = 0
          weight         = 100
          port           = 464
          svr hostname   = ipaserver.ipadomain.com
ipaserver.ipadomain.com internet address = 192.168.122.2
> _kpasswd._tcp.ipadomain.com
Server:  localhost
Address:  127.0.0.1

Non-authoritative answer:
_kpasswd._tcp.ipadomain.com     SRV service location:
          priority       = 0
          weight         = 100
          port           = 464
          svr hostname   = ipaserver.ipadomain.com
ipaserver.ipadomain.com internet address = 192.168.122.2
--------------------------------------------------------------------------------
I took a look at the issue last week and compared an IPA version from RHEL-6.5 where validation is working with a current Fedora installation where validation fails as well. I found a failure in netr_ServerAuthenticate3() on Fedora which is not present in the working RHEL version. I'll try to dig deeper here.
Right now we don't support validation via Windows UI. You are supposed to use the IPA CLI: 'ipa trust-add ...', which will force validation as one of the last steps. See also https://fedorahosted.org/freeipa/ticket/4114

You also need to be able to resolve SRV records in the _msdcs namespaces.
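A check a defender can run over nslookup output like the transcript in comment #4 (an added example, not code from this bug or from FreeIPA): it parses the SRV answers and reports which records the AD side still cannot resolve, including the _msdcs ones mentioned above. The _msdcs record names and the trimmed sample transcript are assumptions constructed for this example.

```python
import re

# Constructed sample: a trimmed version of the nslookup transcript posted in
# this bug (two of the five services), kept in nslookup's own output layout.
SAMPLE = """\
> _ldap._tcp.ipadomain.com
_ldap._tcp.ipadomain.com        SRV service location:
          priority       = 0
          port           = 389
          svr hostname   = ipaserver.ipadomain.com
ipaserver.ipadomain.com internet address = 192.168.122.2
> _kerberos._tcp.ipadomain.com
_kerberos._tcp.ipadomain.com    SRV service location:
          priority       = 0
          port           = 88
          svr hostname   = ipaserver.ipadomain.com
ipaserver.ipadomain.com internet address = 192.168.122.2
"""

# Records AD must resolve for the trust. The _msdcs names are an assumption
# based on what FreeIPA publishes; the bug itself only says "_msdcs namespaces".
EXPECTED = {
    "_ldap._tcp.ipadomain.com": 389, "_kerberos._tcp.ipadomain.com": 88,
    "_kerberos._udp.ipadomain.com": 88, "_kpasswd._tcp.ipadomain.com": 464,
    "_kpasswd._udp.ipadomain.com": 464,
    "_ldap._tcp.dc._msdcs.ipadomain.com": 389,
    "_kerberos._tcp.dc._msdcs.ipadomain.com": 88,
}

def parse_srv(text):
    """Map each SRV answer in nslookup output to (port, target hostname)."""
    records, name, port = {}, None, None
    for line in text.splitlines():
        if m := re.match(r"^(\S+)\s+SRV service location:", line):
            name, port = m.group(1), None        # start of a new answer
        elif name and (m := re.match(r"^\s*port\s*=\s*(\d+)", line)):
            port = int(m.group(1))
        elif name and (m := re.match(r"^\s*svr hostname\s*=\s*(\S+)", line)):
            records[name] = (port, m.group(1))   # answer complete
            name = None
    return records

def check_trust_records(text, expected=EXPECTED):
    """Return (name, reason) for each expected record missing or on a wrong port."""
    found = parse_srv(text)
    return [(n, "missing" if n not in found else f"port {found[n][0]} != {p}")
            for n, p in expected.items() if n not in found or found[n][0] != p]
```

Feed it the full transcript from comment #4 and every `missing` entry is a record AD's resolver cannot see; an empty list means the checked names all resolve with the expected ports.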
(In reply to Sumit Bose from comment #4)
> I found a failure in netr_ServerAuthenticate3() on Fedora which is not
> present in the working RHEL version. I'll try to dig deeper here.

(In reply to Alexander Bokovoy from comment #5)
> Right now we don't support validation via Windows UI. You are supposed to
> use IPA CLI: 'ipa trust-add ...' which will force validation as one of last
> steps.

Is there a bug to fix in IPA after all or rather not?
There is a bug in either Samba proper or the ipasam module that prevents us from allowing validation from the Windows side. We mitigate it by forcing validation from the IPA side when adding the trust with AD admin credentials.
Linking to upstream ticket https://fedorahosted.org/freeipa/ticket/4114.
This issue is a duplicate of BZ #1345975 [RFE] Support One-Way Trust authenticated by trust secret

*** This bug has been marked as a duplicate of bug 1345975 ***