I encountered an issue when establishing bidirectional trusts with Windows Server 2008R2. I understand that the problem lies in the absence of the SMB3 protocol on WS2008R2. I am using IdM 4.11.3, Samba 4.21.4, and krb 1.21.3. Previously, with IdM 4.8.10, everything worked fine. I believe that support (perhaps unintentionally) was removed in this issue: https://pagure.io/freeipa/issue/8655. Is it possible to restore support for Windows Server 2008[R2]? Would this require editing the source code? Thank you!
Some logs:

user@smbsrv-5469:~$ sudo ipa trust-add --type=ad ad08.loc --admin admin --two-way=true --server="ws08.ad08.loc"
ipa: DEBUG: Loading Index file from '/var/lib/ipa-client/sysrestore/sysrestore.index'
ipa: DEBUG: Loading StateFile from '/var/lib/ipa-client/sysrestore/sysrestore.state'
ipa: DEBUG: Loading StateFile from '/var/lib/ipa-client/sysrestore/sysrestore.state'
ipa: DEBUG: found session_cookie in persistent storage for principal '[email protected]', cookie: 'ipa_session=MagBearerToken=l9tVLQ3y8uJGRbC45ZjsQGa6NRETDinmykmQxBBipz3PX7KBX7413TpUbvKeQ2ytkkeIgcOf3oWQQm%2bLzDVoVBuHJ8jaOET4M3Kkbcw3QBib1rVlfTmp0CdmD%2fCVoki4SyGPPvXrKzt%2bK2rvfvDQTqgpn8PRkwcJo26eyiDVRaKzapB9LNNBfISWXjgVkpU9vukMyGNt2cO1PffVUb5WVg%3d%3d'
ipa: DEBUG: setting session_cookie into context 'ipa_session=MagBearerToken=l9tVLQ3y8uJGRbC45ZjsQGa6NRETDinmykmQxBBipz3PX7KBX7413TpUbvKeQ2ytkkeIgcOf3oWQQm%2bLzDVoVBuHJ8jaOET4M3Kkbcw3QBib1rVlfTmp0CdmD%2fCVoki4SyGPPvXrKzt%2bK2rvfvDQTqgpn8PRkwcJo26eyiDVRaKzapB9LNNBfISWXjgVkpU9vukMyGNt2cO1PffVUb5WVg%3d%3d;'
ipa: DEBUG: trying https://smbsrv-5469.ipadomain.loc/ipa/session/json
ipa: DEBUG: Created connection context.rpcclient_139867778850192
ipa: DEBUG: [try 1]: Forwarding 'schema' to json server 'https://smbsrv-5469.ipadomain.loc/ipa/session/json'
ipa: DEBUG: New HTTP connection (smbsrv-5469.ipadomain.loc)
ipa: DEBUG: Destroyed connection context.rpcclient_139867778850192
ipa: DEBUG: importing all plugin modules in ipaclient.remote_plugins.schema$9e2b15b0...
ipa: DEBUG: importing plugin module ipaclient.remote_plugins.schema$9e2b15b0.plugins
ipa: DEBUG: importing all plugin modules in ipaclient.plugins...
ipa: DEBUG: importing plugin module ipaclient.plugins.automember
ipa: DEBUG: importing plugin module ipaclient.plugins.automount
ipa: DEBUG: importing plugin module ipaclient.plugins.baseuser
ipa: DEBUG: ipaclient.plugins.baseuser is not a valid plugin module
ipa: DEBUG: importing plugin module ipaclient.plugins.ca
ipa: DEBUG: importing plugin module ipaclient.plugins.cert
ipa: DEBUG: importing plugin module ipaclient.plugins.certmap
ipa: DEBUG: importing plugin module ipaclient.plugins.certprofile
ipa: DEBUG: importing plugin module ipaclient.plugins.dns
ipa: DEBUG: importing plugin module ipaclient.plugins.hbacrule
ipa: DEBUG: importing plugin module ipaclient.plugins.hbactest
ipa: DEBUG: importing plugin module ipaclient.plugins.host
ipa: DEBUG: importing plugin module ipaclient.plugins.idrange
ipa: DEBUG: importing plugin module ipaclient.plugins.internal
ipa: DEBUG: importing plugin module ipaclient.plugins.location
ipa: DEBUG: importing plugin module ipaclient.plugins.migration
ipa: DEBUG: importing plugin module ipaclient.plugins.misc
ipa: DEBUG: importing plugin module ipaclient.plugins.otptoken
ipa: DEBUG: importing plugin module ipaclient.plugins.otptoken_yubikey
ipa: DEBUG: importing plugin module ipaclient.plugins.passwd
ipa: DEBUG: importing plugin module ipaclient.plugins.permission
ipa: DEBUG: importing plugin module ipaclient.plugins.rpcclient
ipa: DEBUG: importing plugin module ipaclient.plugins.server
ipa: DEBUG: importing plugin module ipaclient.plugins.service
ipa: DEBUG: importing plugin module ipaclient.plugins.stageuser
ipa: DEBUG: importing plugin module ipaclient.plugins.sudorule
ipa: DEBUG: importing plugin module ipaclient.plugins.topology
ipa: DEBUG: importing plugin module ipaclient.plugins.trust
ipa: DEBUG: importing plugin module ipaclient.plugins.user
ipa: DEBUG: importing plugin module ipaclient.plugins.vault
ipa: DEBUG: found session_cookie in persistent storage for principal '[email protected]', cookie: 'ipa_session=MagBearerToken=l9tVLQ3y8uJGRbC45ZjsQGa6NRETDinmykmQxBBipz3PX7KBX7413TpUbvKeQ2ytkkeIgcOf3oWQQm%2bLzDVoVBuHJ8jaOET4M3Kkbcw3QBib1rVlfTmp0CdmD%2fCVoki4SyGPPvXrKzt%2bK2rvfvDQTqgpn8PRkwcJo26eyiDVRaKzapB9LNNBfISWXjgVkpU9vukMyGNt2cO1PffVUb5WVg%3d%3d'
ipa: DEBUG: setting session_cookie into context 'ipa_session=MagBearerToken=l9tVLQ3y8uJGRbC45ZjsQGa6NRETDinmykmQxBBipz3PX7KBX7413TpUbvKeQ2ytkkeIgcOf3oWQQm%2bLzDVoVBuHJ8jaOET4M3Kkbcw3QBib1rVlfTmp0CdmD%2fCVoki4SyGPPvXrKzt%2bK2rvfvDQTqgpn8PRkwcJo26eyiDVRaKzapB9LNNBfISWXjgVkpU9vukMyGNt2cO1PffVUb5WVg%3d%3d;'
ipa: DEBUG: trying https://smbsrv-5469.ipadomain.loc/ipa/session/json
ipa: DEBUG: Created connection context.rpcclient_139867761752912
Active Directory domain administrator's password:
ipa: DEBUG: raw: trust_add('ad08.loc', trust_type='ad', realm_admin='admin', realm_passwd='********', realm_server='ws08.ad08.loc', bidirectional='true', version='2.254')
ipa: DEBUG: trust_add('ad08.loc', trust_type='ad', realm_admin='admin', realm_passwd='********', realm_server='ws08.ad08.loc', bidirectional=True, version='2.254')
ipa: DEBUG: [try 1]: Forwarding 'trust_add/1' to json server 'https://smbsrv-5469.ipadomain.loc/ipa/session/json'
ipa: DEBUG: New HTTP connection (smbsrv-5469.ipadomain.loc)
ipa: DEBUG: Destroyed connection context.rpcclient_139867761752912
ipa: ERROR: CIFS server communication error: code "3221225659", message "The request is not supported." (both may be "None")

Apache log:

[Tue Mar 18 12:26:34.449581 2025] [:warn] [pid 9858:tid 9858] [client 10.192.5.206:36536] failed to set perms (3140) on file (/run/ipa/ccaches/[email protected])!, referer: https://smbsrv-5469.ipadomain.loc/ipa/xml
[Tue Mar 18 12:26:34.451803 2025] [wsgi:error] [pid 9857:tid 9939] [remote 10.192.5.206:36536] ipa: DEBUG: WSGI wsgi_dispatch.__call__:
[Tue Mar 18 12:26:34.452210 2025] [wsgi:error] [pid 9857:tid 9939] [remote 10.192.5.206:36536] ipa: DEBUG: WSGI jsonserver_session.__call__:
[Tue Mar 18 12:26:34.452535 2025] [wsgi:error] [pid 9857:tid 9939] [remote 10.192.5.206:36536] ipa: DEBUG: Valid Referer https://smbsrv-5469.ipadomain.loc/ipa/xml
[Tue Mar 18 12:26:34.478058 2025] [wsgi:error] [pid 9857:tid 9939] [remote 10.192.5.206:36536] ipa: DEBUG: Created connection context.ldap2_129890538223184
[Tue Mar 18 12:26:34.478183 2025] [wsgi:error] [pid 9857:tid 9939] [remote 10.192.5.206:36536] ipa: DEBUG: WSGI jsonserver.__call__:
[Tue Mar 18 12:26:34.478242 2025] [wsgi:error] [pid 9857:tid 9939] [remote 10.192.5.206:36536] ipa: DEBUG: WSGI WSGIExecutioner.__call__:
[Tue Mar 18 12:26:34.479236 2025] [wsgi:error] [pid 9857:tid 9939] [remote 10.192.5.206:36536] ipa: DEBUG: raw: trust_add('ad08.loc', trust_type='ad', realm_admin='admin', realm_passwd='********', realm_server='ws08.ad08.loc', bidirectional=True, version='2.254')
[Tue Mar 18 12:26:34.479548 2025] [wsgi:error] [pid 9857:tid 9939] [remote 10.192.5.206:36536] ipa: DEBUG: trust_add('ad08.loc', trust_type='ad', realm_admin='admin', realm_passwd='********', realm_server='ws08.ad08.loc', bidirectional=True, all=False, raw=False, version='2.254')
[Tue Mar 18 12:26:34.480484 2025] [wsgi:error] [pid 9857:tid 9939] [remote 10.192.5.206:36536] ipa: DEBUG: raw: adtrust_is_enabled(version='2.254')
[Tue Mar 18 12:26:34.480637 2025] [wsgi:error] [pid 9857:tid 9939] [remote 10.192.5.206:36536] ipa: DEBUG: adtrust_is_enabled(version='2.254')
smb2_connect_enc_start: Encryption required and server doesn't support SMB3 encryption - failing connect
[Tue Mar 18 12:26:34.546554 2025] [wsgi:error] [pid 9857:tid 9939] [remote 10.192.5.206:36536] ipa: DEBUG: WSGI wsgi_execute PublicError: Traceback (most recent call last):
[Tue Mar 18 12:26:34.546626 2025] [wsgi:error] [pid 9857:tid 9939] [remote 10.192.5.206:36536] File "/usr/lib/python3/dist-packages/ipaserver/dcerpc.py", line 863, in __gen_lsa_connection
[Tue Mar 18 12:26:34.546641 2025] [wsgi:error] [pid 9857:tid 9939] [remote 10.192.5.206:36536] result = lsa.lsarpc(binding, self.parm, self.creds)
[Tue Mar 18 12:26:34.546653 2025] [wsgi:error] [pid 9857:tid 9939] [remote 10.192.5.206:36536] ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
[Tue Mar 18 12:26:34.546663 2025] [wsgi:error] [pid 9857:tid 9939] [remote 10.192.5.206:36536] samba.NTSTATUSError: (3221225659, 'The request is not supported.')
[Tue Mar 18 12:26:34.546676 2025] [wsgi:error] [pid 9857:tid 9939] [remote 10.192.5.206:36536]
[Tue Mar 18 12:26:34.546685 2025] [wsgi:error] [pid 9857:tid 9939] [remote 10.192.5.206:36536] During handling of the above exception, another exception occurred:
[Tue Mar 18 12:26:34.546693 2025] [wsgi:error] [pid 9857:tid 9939] [remote 10.192.5.206:36536]
[Tue Mar 18 12:26:34.546701 2025] [wsgi:error] [pid 9857:tid 9939] [remote 10.192.5.206:36536] Traceback (most recent call last):
[Tue Mar 18 12:26:34.546708 2025] [wsgi:error] [pid 9857:tid 9939] [remote 10.192.5.206:36536] File "/usr/lib/python3/dist-packages/ipaserver/rpcserver.py", line 417, in wsgi_execute
[Tue Mar 18 12:26:34.546716 2025] [wsgi:error] [pid 9857:tid 9939] [remote 10.192.5.206:36536] result = command(*args, **options)
[Tue Mar 18 12:26:34.546724 2025] [wsgi:error] [pid 9857:tid 9939] [remote 10.192.5.206:36536] ^^^^^^^^^^^^^^^^^^^^^^^^^
[Tue Mar 18 12:26:34.546731 2025] [wsgi:error] [pid 9857:tid 9939] [remote 10.192.5.206:36536] File "/usr/lib/python3/dist-packages/ipalib/frontend.py", line 477, in __call__
[Tue Mar 18 12:26:34.546739 2025] [wsgi:error] [pid 9857:tid 9939] [remote 10.192.5.206:36536] return self.__do_call(*args, **options)
[Tue Mar 18 12:26:34.546746 2025] [wsgi:error] [pid 9857:tid 9939] [remote 10.192.5.206:36536] ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
[Tue Mar 18 12:26:34.546754 2025] [wsgi:error] [pid 9857:tid 9939] [remote 10.192.5.206:36536] File "/usr/lib/python3/dist-packages/ipalib/frontend.py", line 544, in __do_call
[Tue Mar 18 12:26:34.546762 2025] [wsgi:error] [pid 9857:tid 9939] [remote 10.192.5.206:36536] ret = self.run(*args, **options)
[Tue Mar 18 12:26:34.546769 2025] [wsgi:error] [pid 9857:tid 9939] [remote 10.192.5.206:36536] ^^^^^^^^^^^^^^^^^^^^^^^^^^
[Tue Mar 18 12:26:34.546776 2025] [wsgi:error] [pid 9857:tid 9939] [remote 10.192.5.206:36536] File "/usr/lib/python3/dist-packages/ipalib/frontend.py", line 885, in run
[Tue Mar 18 12:26:34.546784 2025] [wsgi:error] [pid 9857:tid 9939] [remote 10.192.5.206:36536] return self.execute(*args, **options)
[Tue Mar 18 12:26:34.546792 2025] [wsgi:error] [pid 9857:tid 9939] [remote 10.192.5.206:36536] ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
[Tue Mar 18 12:26:34.546799 2025] [wsgi:error] [pid 9857:tid 9939] [remote 10.192.5.206:36536] File "/usr/lib/python3/dist-packages/ipaserver/plugins/trust.py", line 767, in execute
[Tue Mar 18 12:26:34.546816 2025] [wsgi:error] [pid 9857:tid 9939] [remote 10.192.5.206:36536] full_join = self.validate_options(*keys, **options)
[Tue Mar 18 12:26:34.546824 2025] [wsgi:error] [pid 9857:tid 9939] [remote 10.192.5.206:36536] ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
[Tue Mar 18 12:26:34.546832 2025] [wsgi:error] [pid 9857:tid 9939] [remote 10.192.5.206:36536] File "/usr/lib/python3/dist-packages/ipaserver/plugins/trust.py", line 876, in validate_options
[Tue Mar 18 12:26:34.546840 2025] [wsgi:error] [pid 9857:tid 9939] [remote 10.192.5.206:36536] self.trustinstance = ipaserver.dcerpc.TrustDomainJoins(self.api)
[Tue Mar 18 12:26:34.546848 2025] [wsgi:error] [pid 9857:tid 9939] [remote 10.192.5.206:36536] ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
[Tue Mar 18 12:26:34.546856 2025] [wsgi:error] [pid 9857:tid 9939] [remote 10.192.5.206:36536] File "/usr/lib/python3/dist-packages/ipaserver/dcerpc.py", line 1744, in __init__
[Tue Mar 18 12:26:34.546865 2025] [wsgi:error] [pid 9857:tid 9939] [remote 10.192.5.206:36536] self.__populate_local_domain()
[Tue Mar 18 12:26:34.546872 2025] [wsgi:error] [pid 9857:tid 9939] [remote 10.192.5.206:36536] File "/usr/lib/python3/dist-packages/ipaserver/dcerpc.py", line 1758, in __populate_local_domain
[Tue Mar 18 12:26:34.546880 2025] [wsgi:error] [pid 9857:tid 9939] [remote 10.192.5.206:36536] ld.retrieve(FQDN)
[Tue Mar 18 12:26:34.546888 2025] [wsgi:error] [pid 9857:tid 9939] [remote 10.192.5.206:36536] File "/usr/lib/python3/dist-packages/ipaserver/dcerpc.py", line 993, in retrieve
[Tue Mar 18 12:26:34.546896 2025] [wsgi:error] [pid 9857:tid 9939] [remote 10.192.5.206:36536] self.init_lsa_pipe(remote_host)
[Tue Mar 18 12:26:34.546904 2025] [wsgi:error] [pid 9857:tid 9939] [remote 10.192.5.206:36536] File "/usr/lib/python3/dist-packages/ipaserver/dcerpc.py", line 887, in init_lsa_pipe
[Tue Mar 18 12:26:34.546912 2025] [wsgi:error] [pid 9857:tid 9939] [remote 10.192.5.206:36536] self._pipe = self.__gen_lsa_connection(binding)
[Tue Mar 18 12:26:34.546920 2025] [wsgi:error] [pid 9857:tid 9939] [remote 10.192.5.206:36536] ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
[Tue Mar 18 12:26:34.546928 2025] [wsgi:error] [pid 9857:tid 9939] [remote 10.192.5.206:36536] File "/usr/lib/python3/dist-packages/ipaserver/dcerpc.py", line 866, in __gen_lsa_connection
[Tue Mar 18 12:26:34.546936 2025] [wsgi:error] [pid 9857:tid 9939] [remote 10.192.5.206:36536] raise assess_dcerpc_error(e)
[Tue Mar 18 12:26:34.546987 2025] [wsgi:error] [pid 9857:tid 9939] [remote 10.192.5.206:36536] ipalib.errors.RemoteRetrieveError: CIFS server communication error: code "3221225659", message "The request is not supported." (both may be "None")
[Tue Mar 18 12:26:34.547015 2025] [wsgi:error] [pid 9857:tid 9939] [remote 10.192.5.206:36536]
[Tue Mar 18 12:26:34.547295 2025] [wsgi:error] [pid 9857:tid 9939] [remote 10.192.5.206:36536] ipa: INFO: [jsonserver_session] [email protected]: trust_add/1('ad08.loc', trust_type='ad', realm_admin='admin', realm_passwd='********', realm_server='ws08.ad08.loc', bidirectional=True, version='2.254'): RemoteRetrieveError
[Tue Mar 18 12:26:34.547389 2025] [wsgi:error] [pid 9857:tid 9939] [remote 10.192.5.206:36536] ipa: DEBUG: [jsonserver_session] [email protected]: trust_add/1('ad08.loc', trust_type='ad', realm_admin='admin', realm_passwd='********', realm_server='ws08.ad08.loc', bidirectional=True, version='2.254'): RemoteRetrieveError etime=68925081
[Tue Mar 18 12:26:34.548325 2025] [wsgi:error] [pid 9857:tid 9939] [remote 10.192.5.206:36536] ipa: DEBUG: Destroyed connection context.ldap2_129890538223184
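
Added example, not part of the original post and not FreeIPA or Samba code: a triage sketch for an Apache error log like the one above. It pulls out lines that lack the Apache prefix (such as the Samba client message) and decodes the decimal NTSTATUS value into its bit fields. The function names and the one-entry name table are assumptions made for this example.

```python
import re

# Apache error-log prefix as seen in the post:
# [timestamp] [module:level] [pid N:tid N] [remote|client ip:port] message
PREFIX = re.compile(
    r"^\[[^\]]+\] \[[^\]]*\] \[pid \d+:tid \d+\] \[(?:remote|client) [^\]]+\] ?(?P<msg>.*)$"
)
# The status shows up as NTSTATUSError: (N, '...') and as code "N" in the IPA error.
STATUS = re.compile(r'(?:NTSTATUSError: \(|code ")(\d+)')
# Name table limited to the one value that occurs in the post.
KNOWN = {0xC00000BB: "STATUS_NOT_SUPPORTED"}

# Four lines copied from the Apache log in the post.
SAMPLE = [
    "[Tue Mar 18 12:26:34.480637 2025] [wsgi:error] [pid 9857:tid 9939] [remote 10.192.5.206:36536] ipa: DEBUG: adtrust_is_enabled(version='2.254')",
    "smb2_connect_enc_start: Encryption required and server doesn't support SMB3 encryption - failing connect",
    "[Tue Mar 18 12:26:34.546663 2025] [wsgi:error] [pid 9857:tid 9939] [remote 10.192.5.206:36536] samba.NTSTATUSError: (3221225659, 'The request is not supported.')",
    '[Tue Mar 18 12:26:34.546987 2025] [wsgi:error] [pid 9857:tid 9939] [remote 10.192.5.206:36536] ipalib.errors.RemoteRetrieveError: CIFS server communication error: code "3221225659", message "The request is not supported." (both may be "None")',
]

def decode_ntstatus(value):
    """Split a 32-bit NTSTATUS into severity (bits 31-30), facility (27-16), code (15-0)."""
    return {
        "hex": f"0x{value:08X}",
        "severity": ("success", "informational", "warning", "error")[value >> 30],
        "facility": (value >> 16) & 0x0FFF,
        "code": value & 0xFFFF,
        "name": KNOWN.get(value, "unknown"),
    }

def triage(lines):
    """Return (unprefixed_lines, decoded_statuses) for an Apache error log."""
    raw, statuses = [], []
    for line in lines:
        m = PREFIX.match(line)
        if m is None:
            # No Apache prefix: output from a library, not from the IPA logger.
            if line.strip():
                raw.append(line.strip())
            continue
        for number in STATUS.findall(m["msg"]):
            status = decode_ntstatus(int(number))
            if status not in statuses:  # the same code repeats along the traceback
                statuses.append(status)
    return raw, statuses

if __name__ == "__main__":
    for item in triage(SAMPLE):
        print(item)
```

On the sample lines this reports the single unprefixed smb2_connect_enc_start message and one status, 0xC00000BB, which is the hexadecimal form of the 3221225659 shown in both the CLI error and the traceback.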
