On 03/15/2013 10:03 AM, Dale Macartney wrote:
> On 03/15/2013 09:52 AM, Sumit Bose wrote:
> > On Fri, Mar 15, 2013 at 09:38:04AM +0000, Dale Macartney wrote:
> > > Morning all
> > >
> > > I have set up the domain trust and have errors when trying to map
> > > groups from AD to IPA
> > >
> > > Environment is IPA 3.0 on RHEL 6.4 and Windows 2012
> > >
> > > When adding groups, I get the following.
> > >
> > > [root@ds01 ~]# ipa group-add --desc='Active Directory Domain Admins external map' domain_admins_map --external
> > > [root@ds01 ~]# ipa group-add-member domain_admins_map --external 'NT\Domain Admins'
> > > [member user]:
> > > [member group]:
> > > ipa: ERROR: cannot connect to u'https://ds01.example.com/ipa/session/xml': Internal Server Error
> > > [root@ds01 ~]#
> > >
> > > When the above error occurs I see the following in /var/log/httpd/error_log
> > >
> > > ==> /var/log/httpd/error_log <==
> > > [Fri Mar 15 09:35:15 2013] [error] ipa: ERROR: release_ipa_ccache: ccache_name (FILE:/var/run/ipa_memcached/krbcc_5374) != KRB5CCNAME environment variable (/var/run/ipa_memcached/krbcc_TDN)
> > > [Fri Mar 15 09:35:15 2013] [error] [client 10.0.1.11] mod_wsgi (pid=5374): Exception occurred processing WSGI script '/usr/share/ipa/wsgi.py'.
> > > [Fri Mar 15 09:35:15 2013] [error] [client 10.0.1.11] Traceback (most recent call last):
> > > [Fri Mar 15 09:35:15 2013] [error] [client 10.0.1.11] File "/usr/share/ipa/wsgi.py", line 49, in application
> > > [Fri Mar 15 09:35:15 2013] [error] [client 10.0.1.11] return api.Backend.wsgi_dispatch(environ, start_response)
> > > [Fri Mar 15 09:35:15 2013] [error] [client 10.0.1.11] File "/usr/lib/python2.6/site-packages/ipaserver/rpcserver.py", line 248, in __call__
> > > [Fri Mar 15 09:35:15 2013] [error] [client 10.0.1.11] return self.route(environ, start_response)
> > > [Fri Mar 15 09:35:15 2013] [error] [client 10.0.1.11] File "/usr/lib/python2.6/site-packages/ipaserver/rpcserver.py", line 260, in route
> > > [Fri Mar 15 09:35:15 2013] [error] [client 10.0.1.11] return app(environ, start_response)
> > > [Fri Mar 15 09:35:15 2013] [error] [client 10.0.1.11] File "/usr/lib/python2.6/site-packages/ipaserver/rpcserver.py", line 1193, in __call__
> > > [Fri Mar 15 09:35:15 2013] [error] [client 10.0.1.11] response = super(xmlserver_session, self).__call__(environ, start_response)
> > > [Fri Mar 15 09:35:15 2013] [error] [client 10.0.1.11] File "/usr/lib/python2.6/site-packages/ipaserver/rpcserver.py", line 709, in __call__
> > > [Fri Mar 15 09:35:15 2013] [error] [client 10.0.1.11] response = super(xmlserver, self).__call__(environ, start_response)
> > > [Fri Mar 15 09:35:15 2013] [error] [client 10.0.1.11] File "/usr/lib/python2.6/site-packages/ipaserver/rpcserver.py", line 375, in __call__
> > > [Fri Mar 15 09:35:15 2013] [error] [client 10.0.1.11] response = self.wsgi_execute(environ)
> > > [Fri Mar 15 09:35:15 2013] [error] [client 10.0.1.11] File "/usr/lib/python2.6/site-packages/ipaserver/rpcserver.py", line 334, in wsgi_execute
> > > [Fri Mar 15 09:35:15 2013] [error] [client 10.0.1.11] result = self.Command[name](*args, **options)
> > > [Fri Mar 15 09:35:15 2013] [error] [client 10.0.1.11] File "/usr/lib/python2.6/site-packages/ipalib/frontend.py", line 435, in __call__
> > > [Fri Mar 15 09:35:15 2013] [error] [client 10.0.1.11] ret = self.run(*args, **options)
> > > [Fri Mar 15 09:35:15 2013] [error] [client 10.0.1.11] File "/usr/lib/python2.6/site-packages/ipalib/frontend.py", line 747, in run
> > > [Fri Mar 15 09:35:15 2013] [error] [client 10.0.1.11] return self.execute(*args, **options)
> > > [Fri Mar 15 09:35:15 2013] [error] [client 10.0.1.11] File "/usr/lib/python2.6/site-packages/ipalib/plugins/baseldap.py", line 1590, in execute
> > > [Fri Mar 15 09:35:15 2013] [error] [client 10.0.1.11] **options)
> > > [Fri Mar 15 09:35:15 2013] [error] [client 10.0.1.11] File "/usr/lib/python2.6/site-packages/ipalib/plugins/group.py", line 387, in post_callback
> > > [Fri Mar 15 09:35:15 2013] [error] [client 10.0.1.11] actual_sid = domain_validator.get_sid_trusted_domain_object(sid)
> > > [Fri Mar 15 09:35:15 2013] [error] [client 10.0.1.11] File "/usr/lib/python2.6/site-packages/ipaserver/dcerpc.py", line 212, in get_sid_trusted_domain_object
> > > [Fri Mar 15 09:35:15 2013] [error] [client 10.0.1.11] entry = self.resolve_against_gc(domain, components['name'])
> > > [Fri Mar 15 09:35:15 2013] [error] [client 10.0.1.11] File "/usr/lib/python2.6/site-packages/ipaserver/dcerpc.py", line 285, in resolve_against_gc
> > > [Fri Mar 15 09:35:15 2013] [error] [client 10.0.1.11] entry = self.__resolve_against_gc(info, host, port, name)
> > > [Fri Mar 15 09:35:15 2013] [error] [client 10.0.1.11] File "/usr/lib/python2.6/site-packages/ipaserver/dcerpc.py", line 315, in __resolve_against_gc
> > > [Fri Mar 15 09:35:15 2013] [error] [client 10.0.1.11] conn.sasl_interactive_bind_s(None, sasl_auth)
> > > [Fri Mar 15 09:35:15 2013] [error] [client 10.0.1.11] File "/usr/lib/python2.6/site-packages/ipaserver/plugins/ldap2.py", line 566, in sasl_interactive_bind_s
> > > [Fri Mar 15 09:35:15 2013] [error] [client 10.0.1.11] return self.conn.sasl_interactive_bind_s(who, auth, serverctrls, clientctrls, sasl_flags)
> > > [Fri Mar 15 09:35:15 2013] [error] [client 10.0.1.11] File "/usr/lib64/python2.6/site-packages/ldap/ldapobject.py", line 227, in sasl_interactive_bind_s
> > > [Fri Mar 15 09:35:15 2013] [error] [client 10.0.1.11] return self._ldap_call(self._l.sasl_interactive_bind_s,who,auth,EncodeControlTuples(serverctrls),EncodeControlTuples(clientctrls),sasl_flags)
> > > [Fri Mar 15 09:35:15 2013] [error] [client 10.0.1.11] File "/usr/lib64/python2.6/site-packages/ldap/ldapobject.py", line 96, in _ldap_call
> > > [Fri Mar 15 09:35:15 2013] [error] [client 10.0.1.11] result = func(*args,**kwargs)
> > > [Fri Mar 15 09:35:15 2013] [error] [client 10.0.1.11] LOCAL_ERROR: {'info': 'SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure. Minor code may provide more information (Server ldap/[email protected] not found in Kerberos database)', 'desc': 'Local error'}
> >
> > Looks like your AD domain is DNS-wise a subdomain of the FreeIPA domain
> > example.dom. Please try to add something like
> >
> > .nt.example.com = NT.EXAMPLE.COM
> > nt.example.com = NT.EXAMPLE.COM
> >
> > to the [domain_realm] section in /etc/krb5.conf. SSSD should have
> > created an include file with this information, but due to some errors it
> > is not read in the 6.4 version.
> >
> > HTH
> >
> > bye,
> > Sumit
>
> No joy unfortunately mate. I tried adding it to both the ipa server and
> the member server but still no change. Logs are still appearing as before.
>
> Dale

Looks like I spoke too soon. I tried again about 10 seconds later and now it works. Thanks for the suggestion :-)

> > > Just to clarify, iptables has been flushed and selinux is currently
> > > permissive. Running latest patches from RHN as of 2013/03/14
> > >
> > > Any thoughts?
> > >
> > > Dale
_______________________________________________
Freeipa-users mailing list
[email protected]
https://www.redhat.com/mailman/listinfo/freeipa-users
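
Added example, not part of the thread and not FreeIPA or MIT krb5 code: a simplified model of the [domain_realm] lookup, showing why a host under nt.example.com is assigned to the parent realm until the two lines suggested above are added. Assumptions: the IPA realm is EXAMPLE.COM with the usual example.com mappings in krb5.conf, the AD host name dc01.nt.example.com is hypothetical, and the lookup order (the host name, then each parent domain with and without a leading dot) follows MIT krb5's documented matching.

```python
def parse_domain_realm(conf_text):
    """Return the key -> realm mappings found in the [domain_realm] section."""
    mappings, section = {}, None
    for raw in conf_text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
        elif section == "domain_realm" and "=" in line:
            key, realm = (part.strip() for part in line.split("=", 1))
            mappings[key.lower()] = realm
    return mappings


def candidates(hostname):
    """Yield lookup keys: the host itself, then '.parent', 'parent', and so on."""
    p = hostname.lower().rstrip(".")
    while p:
        yield p
        if p.startswith("."):
            p = p[1:]
        else:
            dot = p.find(".")
            p = p[dot:] if dot != -1 else ""


def realm_for_host(hostname, mappings):
    """Return (realm, matching key) for the first candidate present, else (None, None)."""
    for key in candidates(hostname):
        if key in mappings:
            return mappings[key], key
    return None, None


# Constructed krb5.conf fragments (assumed contents, not taken from the thread).
BEFORE = """
[domain_realm]
 .example.com = EXAMPLE.COM
 example.com = EXAMPLE.COM
"""
AFTER = BEFORE + " .nt.example.com = NT.EXAMPLE.COM\n nt.example.com = NT.EXAMPLE.COM\n"
AD_DC = "dc01.nt.example.com"  # hypothetical AD domain controller

if __name__ == "__main__":
    for label, conf in (("before", BEFORE), ("after", AFTER)):
        realm, key = realm_for_host(AD_DC, parse_domain_realm(conf))
        print("%s: ldap/%s -> realm %s (matched %r)" % (label, AD_DC, realm, key))
```

The leading-dot entry covers hosts inside the AD domain, while the entry without the dot covers a host named exactly nt.example.com, which is why both lines are added.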
