Hi FreeIPA Users:
I can only get my new Fedora 21 FreeIPA server to set up a trust with Active
Directory if I turn off the firewall on the IPA server. I have looked through
all the docs on which ports to open but have had no luck getting the join to
work with firewalld running... Can someone tell me what firewalld is blocking
on me?
--jim
These are my open services:
# firewall-cmd --zone=public --list-all
public (default)
interfaces:
sources:
services: dhcpv6-client dns freeipa-ldap freeipa-ldaps http https
kerberos kpasswd ldap ldaps mdns ntp samba ssh
ports:
masquerade: no
forward-ports:
icmp-blocks:
[root@ipa ~]# ipa trust-add ENAS.NET --type=ad --admin=Administrator --password
Active Directory domain administrator's password:
ipa: ERROR: AD DC was unable to reach any IPA domain controller. Most likely it
is a DNS or firewall issue
As soon as I turn off the firewall it works:
[root@ipa ~]# systemctl stop firewalld
[root@ipa ~]# ipa trust-add ENAS.NET --type=ad --admin=Administrator --password
Active Directory domain administrator's password:
-----------------------------------------
Re-established trust to domain "enas.net"
-----------------------------------------
Realm name: enas.net
Domain NetBIOS name: ENAS
Domain Security Identifier: S-1-5-21-1497210546-3194758708-3931123408
SID blacklist incoming: S-1-5-20, S-1-5-3, S-1-5-2, S-1-5-1, S-1-5-7,
S-1-5-6, S-1-5-5, S-1-5-4, S-1-5-9, S-1-5-8,
S-1-5-17, S-1-5-16, S-1-5-15, S-1-5-14, S-1-5-13,
S-1-5-12, S-1-5-11, S-1-5-10, S-1-3, S-1-2,
S-1-1, S-1-0, S-1-5-19, S-1-5-18
SID blacklist outgoing: S-1-5-20, S-1-5-3, S-1-5-2, S-1-5-1, S-1-5-7,
S-1-5-6, S-1-5-5, S-1-5-4, S-1-5-9, S-1-5-8,
S-1-5-17, S-1-5-16, S-1-5-15, S-1-5-14, S-1-5-13,
S-1-5-12, S-1-5-11, S-1-5-10, S-1-3, S-1-2,
S-1-1, S-1-0, S-1-5-19, S-1-5-18
Trust direction: Two-way trust
Trust type: Active Directory domain
Trust status: Established and verified
The only error that I have found is in the samba logs, where lsasd has the
following:
[2015/03/19 18:19:22.792043, 1] ipa_sam.c:1671(search_krb_princ)
get_trusted_domain_int: no object found with filter
'krbPrincipalName=krbtgt/[email protected]'.
[2015/03/19 18:19:23.080328, 1] ipa_sam.c:1671(search_krb_princ)
get_trusted_domain_int: no object found with filter
'krbPrincipalName=krbtgt/[email protected]'.
and winbindd-imap has this in it:
[2015/03/20 14:21:14.966125, 1]
../source3/winbindd/idmap.c:202(idmap_init_domain)
idmap range not specified for domain *
[2015/03/20 14:21:14.968671, 1]
../source3/winbindd/idmap.c:202(idmap_init_domain)
idmap range not specified for domain *
--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project
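As an added example (not part of Jim's post or of the FreeIPA project's own code), here is a small POSIX shell checker for the situation described above: it takes the text of a `firewall-cmd --zone=public --list-all` listing, expands the listed firewalld services into the ports they open, and reports which of the ports FreeIPA documents for an AD trust are still closed. The required-port list is taken from the FreeIPA Active Directory trust setup documentation as I recall it, and the service-to-port table is my transcription of firewalld's service definitions; both are assumptions to confirm against your own firewalld version with `firewall-cmd --info-service=NAME`. The sample listing is constructed from the one in the post (real `firewall-cmd` output prints the services on a single line, which is what the parser expects).

```shell
#!/bin/sh
# Added example: compare a firewalld zone listing with the ports FreeIPA
# documents for an Active Directory trust. Port list and service table are
# assumptions transcribed from FreeIPA / firewalld documentation, not
# firewall-cmd output.

# Ports an AD domain controller must reach on the IPA server for the trust
# (assumption: FreeIPA AD trust setup docs).
TRUST_PORTS="135/tcp 138/tcp 139/tcp 389/tcp 445/tcp 1024-1300/tcp 3268/tcp 138/udp 139/udp 389/udp 445/udp"

# Ports opened by the firewalld services relevant here (assumption:
# transcribed from firewalld's service definitions; unknown services map to none).
service_ports() {
    case "$1" in
        samba)         echo "137/udp 138/udp 139/tcp 445/tcp" ;;
        ldap)          echo "389/tcp" ;;
        ldaps)         echo "636/tcp" ;;
        freeipa-ldap)  echo "80/tcp 443/tcp 389/tcp 88/tcp 464/tcp 53/tcp 88/udp 464/udp 53/udp 123/udp" ;;
        freeipa-ldaps) echo "80/tcp 443/tcp 389/tcp 636/tcp 88/tcp 464/tcp 53/tcp 88/udp 464/udp 53/udp 123/udp" ;;
        freeipa-trust) echo "$TRUST_PORTS" ;;
        *)             echo "" ;;
    esac
}

# Everything a zone listing opens: the explicit "ports:" entries plus the
# ports behind each service on the "services:" line.
open_ports() {
    listing="$1"
    services=$(printf '%s\n' "$listing" | sed -n 's/^[[:space:]]*services:[[:space:]]*//p')
    ports=$(printf '%s\n' "$listing" | sed -n 's/^[[:space:]]*ports:[[:space:]]*//p')
    for s in $services; do
        ports="$ports $(service_ports "$s")"
    done
    echo "$ports"
}

# Print the required trust ports that nothing in the listing opens
# (empty output means the trust port set is fully covered).
missing_trust_ports() {
    open=" $(open_ports "$1") "
    missing=""
    for p in $TRUST_PORTS; do
        case "$open" in
            *" $p "*) ;;                      # covered by a service or an explicit port
            *)        missing="$missing $p" ;;
        esac
    done
    echo "${missing# }"
}

# Constructed sample, based on the zone listing in the post.
SAMPLE='public (default)
  interfaces:
  sources:
  services: dhcpv6-client dns freeipa-ldap freeipa-ldaps http https kerberos kpasswd ldap ldaps mdns ntp samba ssh
  ports:
  masquerade: no
  forward-ports:
  icmp-blocks:'

missing_trust_ports "$SAMPLE"
```

On a live server the same check is `missing_trust_ports "$(firewall-cmd --zone=public --list-all)"`. With the sample listing, the samba and ldap services cover only 139/tcp, 445/tcp, 389/tcp and 138/udp of the trust set; the DCE RPC endpoint mapper (135/tcp), the dynamic RPC range (1024-1300/tcp), the global catalog port (3268/tcp) and the UDP ports are reported as missing, which is the kind of gap that makes `ipa trust-add` succeed only with firewalld stopped. Newer firewalld releases ship a `freeipa-trust` service that bundles these ports (check with `firewall-cmd --get-services`); on a version without it, the reported ports can be added individually with `--add-port`.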