I've been working on an AD trust with our freeipa servers but have run into some of the same issues others have had. It's well documented here; however, I feel I've mitigated these - https://bugzilla.redhat.com/show_bug.cgi?id=1219832
Freeipa servers are Fedora 22 / freeipa-server-4.2.0. The Samba version I'm on is well past the patched version. It seems the patch is in samba-4.2.1-7.fc22 and I'm on samba-4.2.3-0 (assuming the patch is in this version).

I run

# echo Password123 | ipa trust-add --type=ad ad.example.com --trust-secret
ipa: ERROR: CIFS server configuration does not allow access to \\pipe\lsarpc

I've been using "http://www.freeipa.org/page/Active_Directory_trust_setup" as a guide.

Our only domains are -

EXAMPLE.COM (web pages only)
--- LX.EXAMPLE.COM ( IPA )
--- AD.EXAMPLE.COM ( Active Directory )

My configuration is on separate domains. AD.EXAMPLE.COM is for Active Directory and forwards all DNS to IPA ( LX.EXAMPLE.COM ) and those network requests then forward to the internet. Our AD is only to provide GPOs to desktops, everything else is run off IPA.

I've run through the 'ipa-adtrust-install' but to no avail; after running through that is when I get the CIFS error.

I've made the network guys prove to me the ports are open. I've actually seen a permit any any on the network gear, dropped the firewalls on AD and IPA and moved to permissive mode for testing. All of this to just check off the troubleshooting boxes. NTP is good, everyone is pointed to the internal and are UTC.

I'm sure I've forgotten something, thanks to everyone for reading this. Really appreciate it.

My versions are listed below -

freeipa-admintools-4.2.0-0.fc22.x86_64
freeipa-client-4.2.0-0.fc22.x86_64
freeipa-python-4.2.0-0.fc22.x86_64
freeipa-server-4.2.0-0.fc22.x86_64
freeipa-server-trust-ad-4.2.0-0.fc22.x86_64
samba-4.2.3-0.fc22.x86_64
samba-client-4.2.3-0.fc22.x86_64
samba-client-libs-4.2.3-0.fc22.x86_64
samba-common-4.2.3-0.fc22.noarch
samba-common-libs-4.2.3-0.fc22.x86_64
samba-common-tools-4.2.3-0.fc22.x86_64
samba-dc-4.2.3-0.fc22.x86_64
samba-dc-libs-4.2.3-0.fc22.x86_64
samba-libs-4.2.3-0.fc22.x86_64
samba-python-4.2.3-0.fc22.x86_64
samba-winbind-4.2.3-0.fc22.x86_64
samba-winbind-clients-4.2.3-0.fc22.x86_64
samba-winbind-modules-4.2.3-0.fc22.x86_64

[root@server1 /]# systemctl status smb
● smb.service - Samba SMB Daemon
   Loaded: loaded (/usr/lib/systemd/system/smb.service; disabled; vendor preset: disabled)
   Active: active (running) since Fri 2015-09-11 14:43:50 UTC; 23min ago
 Main PID: 31581 (smbd)
   Status: "smbd: ready to serve connections..."
   CGroup: /system.slice/smb.service
           └─31581 /usr/sbin/smbd

Sep 11 14:49:40 server1.lx.example.com smbd[32207]: GSSAPI client step 1
Sep 11 14:49:40 server1.lx.example.com smbd[32207]: GSSAPI client step 2
Sep 11 14:50:03 server1.lx.example.com smbd[32235]: GSSAPI client step 1
Sep 11 14:50:03 server1.lx.example.com smbd[32235]: GSSAPI client step 1
Sep 11 14:50:03 server1.lx.example.com smbd[32235]: GSSAPI client step 1
Sep 11 14:50:03 server1.lx.example.com smbd[32235]: GSSAPI client step 2
Sep 11 14:54:46 server1.lx.example.com smbd[32276]: GSSAPI client step 1
Sep 11 14:54:46 server1.lx.example.com smbd[32276]: GSSAPI client step 1
Sep 11 14:54:46 server1.lx.example.com smbd[32276]: GSSAPI client step 1
Sep 11 14:54:46 server1.lx.example.com smbd[32276]: GSSAPI client step 2

[root@server1 /]# systemctl status nmb
● nmb.service - Samba NMB Daemon
   Loaded: loaded (/usr/lib/systemd/system/nmb.service; disabled; vendor preset: disabled)
   Active: active (running) since Fri 2015-09-11 14:49:56 UTC; 17min ago
 Main PID: 32220 (nmbd)
   Status: "nmbd: ready to serve connections..."
   CGroup: /system.slice/nmb.service
           └─32220 /usr/sbin/nmbd

Sep 11 14:50:04 server1.lx.example.com nmbd[32220]:
Sep 11 14:50:04 server1.lx.example.com nmbd[32220]: Samba server LAS01003007 is now a domain master browser for workgroup AXIEXAMPLE on subnet 192.168.1.10
Sep 11 14:50:04 server1.lx.example.com nmbd[32220]:
Sep 11 14:50:04 server1.lx.example.com nmbd[32220]: *****
Sep 11 14:50:19 server1.lx.example.com nmbd[32220]: [2015/09/11 14:50:19.307616, 0] ../source3/nmbd/nmbd_become_lmb.c:397(become_local_master_stage2)
Sep 11 14:50:19 server1.lx.example.com nmbd[32220]: *****
Sep 11 14:50:19 server1.lx.example.com nmbd[32220]:
Sep 11 14:50:19 server1.lx.example.com nmbd[32220]: Samba name server LAS01003007 is now a local master browser for workgroup AXIMOSAIC451 on subnet 10.100.50.37
Sep 11 14:50:19 server1.lx.example.com nmbd[32220]:
Sep 11 14:50:19 server1.lx.example.com nmbd[32220]: *****

[root@server1 /]# ipactl status
Directory Service: RUNNING
krb5kdc Service: RUNNING
kadmin Service: RUNNING
named Service: RUNNING
ipa_memcached Service: RUNNING
httpd Service: RUNNING
pki-tomcatd Service: RUNNING
smb Service: RUNNING
winbind Service: RUNNING
ipa-otpd Service: RUNNING
ipa-dnskeysyncd Service: RUNNING
ipa: INFO: The ipactl command was successful

[root@server1 ~]# ss -tnl
State   Recv-Q  Send-Q  Local Address:Port   Peer Address:Port
LISTEN  0       50      *:139                *:*
LISTEN  0       2       *:749                *:*
LISTEN  0       100     *:8080               *:*
LISTEN  0       5       *:464                *:*
LISTEN  0       128     *:80                 *:*
LISTEN  0       10      192.168.1.10:53      *:*
LISTEN  0       10      127.0.0.1:53         *:*
LISTEN  0       128     *:22                 *:*
LISTEN  0       5       *:88                 *:*
LISTEN  0       128     127.0.0.1:953        *:*
LISTEN  0       100     *:8443               *:*
LISTEN  0       128     *:443                *:*
LISTEN  0       50      *:445                *:*
LISTEN  0       100     *:1024               *:*
LISTEN  0       5       *:5666               *:*
LISTEN  0       1       127.0.0.1:8005       *:*
LISTEN  0       50      *:135                *:*
LISTEN  0       100     127.0.0.1:8009       *:*
LISTEN  0       50      :::139               :::*
LISTEN  0       2       :::749               :::*
LISTEN  0       5       :::464               :::*
LISTEN  0       10      :::53                :::*
LISTEN  0       128     :::22                :::*
LISTEN  0       5       :::88                :::*
LISTEN  0       128     :::636               :::*
LISTEN  0       50      :::445               :::*
LISTEN  0       100     :::1024              :::*
LISTEN  0       5       :::5666              :::*
LISTEN  0       128     :::9090              :::*
LISTEN  0       128     :::389               :::*
LISTEN  0       50      :::135               :::*
