Bug 1249455 - ipa trust-add failed CIFS server configuration does not allow access to \\pipe\lsarpc
Summary: ipa trust-add failed CIFS server configuration does not allow access to \\pip...
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Linux 7
Classification: Red Hat
Component: ipa
Version: 7.2
Hardware: Unspecified
OS: Unspecified
Target Milestone: rc
Assignee: IPA Maintainers
QA Contact: Namita Soman
URL:
Whiteboard:
Depends On:
Blocks:
Reported: 2015-08-03 03:25 UTC by Scott Poore
Modified: 2016-05-02 08:08 UTC

Fixed In Version: ipa-4.2.0-4.el7
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2015-11-19 12:04:52 UTC
Target Upstream Version:
Embargoed:


Attachments
debug logs for samba and httpd error_log (41.56 KB, application/x-gzip), 2015-08-03 17:29 UTC, Scott Poore


Links
Red Hat Product Errata RHBA-2015:2362 (normal, SHIPPED_LIVE): ipa bug fix and enhancement update, last updated 2015-11-19 10:40:46 UTC

Description Scott Poore 2015-08-03 03:25:56 UTC
Description of problem:

I'm seeing failures on ipa trust-add.

ipa: ERROR: CIFS server configuration does not allow access to \\pipe\lsarpc


Version-Release number of selected component (if applicable):
ipa-server-4.2.0-3.el7.x86_64
samba-4.2.3-4.el7.x86_64


How reproducible:
always (at least in test 

Steps to Reproduce:
1.  Setup IPA server
2.  Configure DNS resolution between IPA and AD server.  For test purposes, this means setup forwarders on IPA to AD and on AD to IPA.
3.  ipa-adtrust-install
4.  ipa trust-add

Actual results:

Fails with error above.

Expected results:

Adds trust

Additional info:

http error:

[Sun Aug 02 18:41:23.236780 2015] [:error] [pid 27312] ipa: INFO: [jsonserver_kerb] admin: trust_add(u'adtest.qe', trust_type=u'ad', realm_admin=u'Administrator', realm_passwd=u'********', all=False, raw=False, version=u'2.147'): RemoteRetrieveError

Comment 3 Alexander Bokovoy 2015-08-03 06:04:22 UTC
I need samba logs -- set 'log level = 100' in /usr/share/ipa/smb.conf.empty and with 'net conf setparm global "log level" 100' before running the tests, then provide /var/log/samba/* and /var/log/httpd/error_log.

Comment 4 Tomas Babej 2015-08-03 10:32:32 UTC
Additionally, please check whether restarting IPA with 'ipactl restart' before establishing the trust resolves the issue.

Comment 5 Lukas Slebodnik 2015-08-03 11:50:18 UTC
'ipactl restart' is an expensive operation. It takes a long time to restart some services. It might be a good workaround, but it should be fixed in a different way.

Comment 6 Scott Poore 2015-08-03 12:33:17 UTC
FYI, I have tried adding ipactl restart after the ipa-adtrust-install. This didn't seem to change the outcome. I'm rerunning tests and capturing logs now. Will post soon.

Comment 7 Scott Poore 2015-08-03 17:29:02 UTC
Created attachment 1058815 [details]
debug logs for samba and httpd error_log

Comment 8 Alexander Bokovoy 2015-08-04 14:48:16 UTC
After looking at this with Andreas and Guenther, I think we need to change binding strings to use the following scheme:

ncacn_np:host[print] -- for SMB1
ncacn_np:host[smb2,print] -- for SMB2

Using ncacn_ip_tcp is probably not worth it as Samba's client side will try to uppercase 'host' value (cifs/foo.bar.z -> cifs/FOO.BAR.Z) and that one will fail against FreeIPA KDC.

Comment 9 Martin Kosek 2015-08-06 11:41:46 UTC
Upstream ticket:
https://fedorahosted.org/freeipa/ticket/5183

Comment 12 Scott Poore 2015-08-12 13:25:45 UTC
Verified.

Version ::
ipa-server-4.2.0-4.el7.x86_64


Results ::

:: [  BEGIN   ] :: Running 'echo Secret123 | ipa trust-add adtest.qe --admin Administrator --password'
--------------------------------------------------
Added Active Directory trust for realm "adtest.qe"
--------------------------------------------------
  Realm name: adtest.qe
  Domain NetBIOS name: ADTEST
  Domain Security Identifier: S-1-5-21-1910160501-511572375-3625658879
  SID blacklist incoming: S-1-5-20, S-1-5-3, S-1-5-2, S-1-5-1, S-1-5-7, S-1-5-6, S-1-5-5, S-1-5-4, S-1-5-9, S-1-5-8, S-1-5-17, S-1-5-16, S-1-5-15, S-1-5-14, S-1-5-13, S-1-5-12, S-1-5-11, S-1-5-10, S-1-3, S-1-2, S-1-1, S-1-0, S-1-5-19, S-1-5-18
  SID blacklist outgoing: S-1-5-20, S-1-5-3, S-1-5-2, S-1-5-1, S-1-5-7, S-1-5-6, S-1-5-5, S-1-5-4, S-1-5-9, S-1-5-8, S-1-5-17, S-1-5-16, S-1-5-15, S-1-5-14, S-1-5-13, S-1-5-12, S-1-5-11, S-1-5-10, S-1-3, S-1-2, S-1-1, S-1-0, S-1-5-19, S-1-5-18
  Trust direction: Trusting forest
  Trust type: Active Directory domain
  Trust status: Established and verified
:: [   PASS   ] :: Command 'echo Secret123 | ipa trust-add adtest.qe --admin Administrator --password' (Expected 0, got 0)

Comment 13 errata-xmlrpc 2015-11-19 12:04:52 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://rhn.redhat.com/errata/RHBA-2015-2362.html

Comment 14 matrix 2016-05-01 08:36:06 UTC
Hi,

I got the same error with 

ipa-server-4.2.0-15.el7.x86_64
samba-4.2.3-12.el7_2.x86_64

[Sun May 01 08:27:17.493412 2016] [:error] [pid 32267] ipa: INFO: [jsonserver_session] admin.NET: trust_add(u'examplemedia.net', trust_type=u'ad', realm_admin=u'Administrator', realm_passwd=u'********', all=False, raw=False, version=u'2.156'): RemoteRetrieveError
[Sun May 01 08:35:00.600654 2016] [:error] [pid 32266] ipa: INFO: [jsonserver_session] admin.NET: trust_add(u'examplemedia.net', trust_type=u'ad', realm_admin=u'Administrator', realm_passwd=u'********', all=False, raw=False, version=u'2.156'): RemoteRetrieveError

Please help to double-confirm that it has been fixed.

Comment 15 Petr Vobornik 2016-05-01 17:25:27 UTC
RemoteRetrieveError is a relatively general error. It might have a different root cause, see comment 3. If there is an issue I'd suggest opening a new BZ; this one won't be reopened.

Comment 16 Alexander Bokovoy 2016-05-01 18:51:45 UTC
According to the logs Matrix sent me, IPv6 is disabled at the kernel level. This is an unsupported configuration, as both FreeIPA and Samba require IPv6 support enabled. For more details see http://www.freeipa.org/page/Active_Directory_trust_setup#IPv6_stack_usage

Comment 17 Lukas Slebodnik 2016-05-02 08:08:02 UTC
(In reply to Alexander Bokovoy from comment #16)
> According to the logs Matrix sent me, IPv6 is disabled at the kernel level.
> This is unsupported configuration, as both FreeIPA and Samba require IPv6
> support enabled. For more details see
> http://www.freeipa.org/page/Active_Directory_trust_setup#IPv6_stack_usage

It's very good that it's documented, but it might be even better to log a warning if IPv6 is disabled.
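The pre-flight warning suggested in comment 17, as an added example that is not FreeIPA or Samba code: it classifies the kernel's IPv6 state from the standard /proc files and logs a warning before trust-add can fail with a generic RemoteRetrieveError. The proc_root parameter, the status names and the make_fake_proc helper (which builds a constructed /proc-like tree for testing) are this example's own assumptions.

```python
"""Added example (not FreeIPA/Samba code): warn when IPv6 is disabled.
proc_root is a parameter so the check can run against a constructed tree."""
import logging
import os
import tempfile

# Standard kernel files: the sysctl exists only when the ipv6 module is
# loaded; /proc/net/if_inet6 is absent when the stack is not there at all.
DISABLE_IPV6_SYSCTL = "sys/net/ipv6/conf/all/disable_ipv6"
IF_INET6 = "net/if_inet6"
log = logging.getLogger("ipa.adtrust.preflight")


def ipv6_status(proc_root="/proc"):
    """'enabled', 'disabled_sysctl', 'no_ipv6_stack' (module absent or
    ipv6.disable=1 on the kernel cmdline) or 'unknown' (unreadable)."""
    if not os.path.exists(os.path.join(proc_root, IF_INET6)):
        return "no_ipv6_stack"
    try:
        with open(os.path.join(proc_root, DISABLE_IPV6_SYSCTL)) as fh:
            disabled = int(fh.read().strip())
    except (OSError, ValueError):
        return "unknown"
    return "disabled_sysctl" if disabled == 1 else "enabled"


def check_ipv6_or_warn(proc_root="/proc"):
    """Log a warning up front instead of failing later in trust-add with
    a generic RemoteRetrieveError; returns the status for the caller."""
    status = ipv6_status(proc_root)
    if status != "enabled":
        log.warning("IPv6 stack is %s; FreeIPA and Samba require IPv6 "
                    "(see Active_Directory_trust_setup#IPv6_stack_usage)",
                    status)
    return status


def make_fake_proc(disable_value=None, with_stack=True):
    """Constructed /proc-like tree for testing: disable_value=None leaves
    the sysctl file absent; with_stack=False omits if_inet6 as well."""
    root = tempfile.mkdtemp(prefix="fakeproc-")
    if with_stack:
        os.makedirs(os.path.join(root, "net"))
        open(os.path.join(root, IF_INET6), "w").close()
    if disable_value is not None:
        path = os.path.join(root, DISABLE_IPV6_SYSCTL)
        os.makedirs(os.path.dirname(path))
        with open(path, "w") as fh:
            fh.write("%d\n" % disable_value)
    return root
```

Calling check_ipv6_or_warn() with the default proc_root inspects the real host; the fake tree exists only so the classification can be exercised without changing kernel settings.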

