SELinux is disabled on the server. However, I managed to fix the problem by
adding the AD.DOMAIN {} section to my krb5.conf in addition to IPA.DOMAIN {}.
So it now looks like

[realms]
 IPA.DOMAIN = {
  master_kdc = ipa.dc.ipadomain:port
  auth_kdc = ipa.dc.ipadomain:port
  ...
 }
 AD.DOMAIN = {
  master_kdc = ad.dc.addomain:port
  auth_kdc = ad.dc.addomain:port
  ...
 }

This had the desired effect, although I am not 100% clear on why this worked.
My theory is that we have multiple domain controllers and, of course, the
addomain.com forward zone that was configured earlier returns the full list. Only
the ports to the one ad.dc.addomain.com server have been opened between the IPA
and AD servers, so when the trust command is executed the connection goes to some
domain controller that IPA can't reach, eventually generating an error.
Just a theory for now.
thanks
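As an added example (not code from the thread or from FreeIPA), the following Python script parses the explicit kdc/master_kdc entries of a krb5.conf [realms] section like the one above and TCP-probes each one, so an administrator can confirm that every pinned KDC is actually reachable through the firewall before running the trust command. The function names, the SAMPLE_KRB5_CONF text and its realm and host names are constructed placeholders, not values from a real deployment.

```python
import re
import socket

# Constructed sample in the shape of the poster's [realms] section; realm and
# host names are placeholders, not values from a real deployment.
SAMPLE_KRB5_CONF = """
[realms]
 IPA.DOMAIN = {
  master_kdc = ipa.dc.ipadomain:88
  kdc = ipa.dc.ipadomain:88
 }
 AD.DOMAIN = {
  master_kdc = ad.dc.addomain:88
  kdc = ad.dc.addomain
 }
"""

KDC_RE = re.compile(r"^(master_kdc|kdc)\s*=\s*([^:\s]+)(?::(\d+))?$")
def parse_realm_kdcs(conf):
    """Return {REALM: [(host, port), ...]}; a KDC with no port gets 88."""
    realms, section, current = {}, None, None
    for raw in conf.splitlines():
        line = raw.split("#", 1)[0].strip()         # drop comments and padding
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].lower()             # e.g. "realms"
        elif section != "realms":
            continue
        elif (m := re.match(r"^([\w.\-]+)\s*=\s*\{$", line)):
            current = m.group(1).upper()             # realm block opens
            realms.setdefault(current, [])
        elif line == "}":
            current = None                           # realm block closes
        elif current and (m := KDC_RE.match(line)):
            realms[current].append((m.group(2), int(m.group(3) or 88)))
    return realms

def probe_kdcs(realms, timeout=2.0, connect=socket.create_connection):
    """TCP-probe each explicit KDC -> {REALM: {"host:port": reachable}}."""
    report = {}
    for realm, kdcs in realms.items():
        report[realm] = {}
        for host, port in kdcs:
            try:                                     # gaierror/timeout are OSError
                connect((host, port), timeout=timeout).close()
                report[realm][f"{host}:{port}"] = True
            except OSError:
                report[realm][f"{host}:{port}"] = False
    return report
```

A KDC that resolves but is filtered shows up as False, which is exactly the situation the theory above describes; run it against the real /etc/krb5.conf on the IPA server to see which entries the trust operation can actually reach.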

From: Alexander Bokovoy <[email protected]>
To: pgb205 <[email protected]>
Cc: "[email protected]" <[email protected]>; Freeipa-users <[email protected]>
Sent: Friday, July 1, 2016 3:37 AM
Subject: Re: [Freeipa-users] ipa trust-fetch-domains failing.

On Thu, 30 Jun 2016, pgb205 wrote:
>Ben, do you mind sharing your solution as I am affected by the exact same 
>error when fetching AD domains.
I'm currently on vacation and don't have access to my lab, but you need
to check if there are any problems with SELinux. 'ipa
trust-fetch-domains' calls out via DBus to another script. It is
functionally equivalent to the following command run as root:

# oddjob_request -s com.redhat.idm.trust -o / -i com.redhat.idm.trust 
com.redhat.idm.trust.fetch_domains ad.test

where ad.test is your AD root domain.

If you add 'log level = 100' in /usr/share/ipa/smb.conf.empty, then this
run will generate a lot of debug information.


-- 
/ Alexander Bokovoy

-- 
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project
