FreeIPA Unable to establish trust with Active Directory

I am trying to establish a trust between FreeIPA and Active Directory.

Details on the infrastructure:

  • 3 x IPA Servers, all replicating with each other (CentOS 7)
  • 3 x Domain Controllers for AD (Windows Server 2016)

When attempting to run the following command:

ipa trust-add --type=ad ad.example.net --admin admin --password --server=DC1.ad.example.net

It produces the following error in the logs:

[Thu May 09 14:32:36.771267 2019] [:error] [pid 26493] ipa: ERROR: When setting forest trust information, got collision info back:
[Thu May 09 14:32:36.771308 2019] [:error] [pid 26493]     lsa_ForestTrustCollisionInfo: struct lsa_ForestTrustCollisionInfo
[Thu May 09 14:32:36.771315 2019] [:error] [pid 26493]         count                    : 0x00000001 (1)
[Thu May 09 14:32:36.771321 2019] [:error] [pid 26493]         entries                  : *
[Thu May 09 14:32:36.771326 2019] [:error] [pid 26493]             entries: ARRAY(1)
[Thu May 09 14:32:36.771332 2019] [:error] [pid 26493]                 entries                  : *
[Thu May 09 14:32:36.771337 2019] [:error] [pid 26493]                     entries: struct lsa_ForestTrustCollisionRecord
[Thu May 09 14:32:36.771343 2019] [:error] [pid 26493]                         index                    : 0x00000000 (0)
[Thu May 09 14:32:36.771349 2019] [:error] [pid 26493]                         type                     : LSA_FOREST_TRUST_COLLISION_TDO (0)
[Thu May 09 14:32:36.771354 2019] [:error] [pid 26493]                         flags                    : 0x00000004 (4)
[Thu May 09 14:32:36.771360 2019] [:error] [pid 26493]                                0: LSA_TLN_DISABLED_NEW
[Thu May 09 14:32:36.771366 2019] [:error] [pid 26493]                                0: LSA_TLN_DISABLED_ADMIN
[Thu May 09 14:32:36.771382 2019] [:error] [pid 26493]                                1: LSA_TLN_DISABLED_CONFLICT
[Thu May 09 14:32:36.771388 2019] [:error] [pid 26493]                                0: LSA_SID_DISABLED_ADMIN
[Thu May 09 14:32:36.771394 2019] [:error] [pid 26493]                                0: LSA_SID_DISABLED_CONFLICT
[Thu May 09 14:32:36.771399 2019] [:error] [pid 26493]                                1: LSA_NB_DISABLED_ADMIN
[Thu May 09 14:32:36.771405 2019] [:error] [pid 26493]                                0: LSA_NB_DISABLED_CONFLICT
[Thu May 09 14:32:36.771410 2019] [:error] [pid 26493]                         name: struct lsa_String
[Thu May 09 14:32:36.771416 2019] [:error] [pid 26493]                             length                   : 0x0018 (24)
[Thu May 09 14:32:36.771422 2019] [:error] [pid 26493]                             size                     : 0x001a (26)
[Thu May 09 14:32:36.771427 2019] [:error] [pid 26493]                             string                   : *
[Thu May 09 14:32:36.771433 2019] [:error] [pid 26493]                                 string                   : 'ad.example.net'
[Thu May 09 14:32:36.771439 2019] [:error] [pid 26493]
[Thu May 09 14:32:36.771535 2019] [:error] [pid 26493] ipa: ERROR: Attempt to solve forest trust topology conflicts
[Thu May 09 14:32:36.778084 2019] [:error] [pid 26493] ipa: ERROR: non-public: NTSTATUSError: (3221225695, 'The specified domain did not exist.')
[Thu May 09 14:32:36.778103 2019] [:error] [pid 26493] Traceback (most recent call last):
[Thu May 09 14:32:36.778109 2019] [:error] [pid 26493]   File "/usr/lib/python2.7/site-packages/ipaserver/rpcserver.py", line 369, in wsgi_execute
[Thu May 09 14:32:36.778115 2019] [:error] [pid 26493]     result = command(*args, **options)
[Thu May 09 14:32:36.778121 2019] [:error] [pid 26493]   File "/usr/lib/python2.7/site-packages/ipalib/frontend.py", line 450, in __call__
[Thu May 09 14:32:36.778126 2019] [:error] [pid 26493]     return self.__do_call(*args, **options)
[Thu May 09 14:32:36.778132 2019] [:error] [pid 26493]   File "/usr/lib/python2.7/site-packages/ipalib/frontend.py", line 478, in __do_call
[Thu May 09 14:32:36.778138 2019] [:error] [pid 26493]     ret = self.run(*args, **options)
[Thu May 09 14:32:36.778143 2019] [:error] [pid 26493]   File "/usr/lib/python2.7/site-packages/ipalib/frontend.py", line 800, in run
[Thu May 09 14:32:36.778164 2019] [:error] [pid 26493]     return self.execute(*args, **options)
[Thu May 09 14:32:36.778175 2019] [:error] [pid 26493]   File "/usr/lib/python2.7/site-packages/ipaserver/plugins/trust.py", line 737, in execute
[Thu May 09 14:32:36.778181 2019] [:error] [pid 26493]     result = self.execute_ad(full_join, *keys, **options)
[Thu May 09 14:32:36.778187 2019] [:error] [pid 26493]   File "/usr/lib/python2.7/site-packages/ipaserver/plugins/trust.py", line 992, in execute_ad
[Thu May 09 14:32:36.778193 2019] [:error] [pid 26493]     trust_type
[Thu May 09 14:32:36.778198 2019] [:error] [pid 26493]   File "/usr/lib/python2.7/site-packages/ipaserver/dcerpc.py", line 1670, in join_ad_full_credentials
[Thu May 09 14:32:36.778204 2019] [:error] [pid 26493]     trust_type, trust_external)
[Thu May 09 14:32:36.778210 2019] [:error] [pid 26493]   File "/usr/lib/python2.7/site-packages/ipaserver/dcerpc.py", line 1353, in establish_trust
[Thu May 09 14:32:36.778216 2019] [:error] [pid 26493]     self.update_ftinfo(another_domain)
[Thu May 09 14:32:36.778221 2019] [:error] [pid 26493]   File "/usr/lib/python2.7/site-packages/ipaserver/dcerpc.py", line 1229, in update_ftinfo
[Thu May 09 14:32:36.778227 2019] [:error] [pid 26493]     self.clear_ftinfo_conflict(another_domain, cinfo)
[Thu May 09 14:32:36.778232 2019] [:error] [pid 26493]   File "/usr/lib/python2.7/site-packages/ipaserver/dcerpc.py", line 1125, in clear_ftinfo_conflict
[Thu May 09 14:32:36.778238 2019] [:error] [pid 26493]     lsa.LSA_FOREST_TRUST_DOMAIN_INFO)
[Thu May 09 14:32:36.778244 2019] [:error] [pid 26493] NTSTATUSError: (3221225695, 'The specified domain did not exist.')
[Thu May 09 14:32:36.778604 2019] [:error] [pid 26493] ipa: INFO: [jsonserver_session] admin@example.com: trust_add/1(u'ad.example.net', trust_type=u'ad', realm_admin=u'admin', realm_passwd=u'********', realm_server=u'DC1.ad.example.net', version=u'2.230'): InternalError

Now, from what I can tell, it's saying that I've given it an invalid domain name... but if I run:

systeminfo | findstr /B /C:"Domain"

on one of the domain-enrolled machines, it returns:

Domain:                    ad.example.net

So I know that I am using the right domain name.

Is anyone able to offer an explanation for why this is failing?

centos7
freeipa
asked on Server Fault May 9, 2019 by RedBullNinja

1 Answer

It is basically saying that the name of the IPA domain is already used somewhere in the AD forest topology, and the Active Directory domain controllers refuse to route it to IPA. The code in IPA's automatic topology conflict solver doesn't take into account a situation where such a conflict arises because the IPA name is being used as a UPN in AD.

Do you have example.com as a UPN in AD? If so, there is no way to make this trust work. You need to change the IPA domain (=realm) before the AD DCs will accept it, or remove the UPN of the same name from the AD side.

answered on Server Fault May 10, 2019 by abbra
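The check abbra's answer implies, written out as an added example (it is not code from the question, the answer, or the FreeIPA project). It assumes the RSAT ActiveDirectory module, a Domain Admin session on a DC in ad.example.net, and that the IPA domain/realm is example.com, which the log's "admin@example.com" suggests. It looks for the IPA domain name in the three places a forest-trust top-level-name collision can come from: the forest's alternative UPN suffixes (the case the answer describes), the DNS names of the forest's own domains, and existing trustedDomain objects (the LSA_FOREST_TRUST_COLLISION_TDO type shown in the log). It also counts accounts that actually carry the suffix, so an admin knows what removing it would break before choosing that option.

```powershell
# Added example, not part of the original post or answer.
# Assumptions: RSAT ActiveDirectory module, Domain Admin on a DC in ad.example.net,
# IPA domain/realm = example.com (inferred from "admin@example.com" in the log).
Import-Module ActiveDirectory

$IpaDomain = 'example.com'
$forest    = Get-ADForest

# 1. Forest-wide alternative UPN suffixes (the collision abbra describes).
$upnHits = $forest.UPNSuffixes | Where-Object { $_ -ieq $IpaDomain }

# 2. DNS names of the forest's own domains; a domain named like the IPA
#    domain would claim the same top-level name.
$domainHits = $forest.Domains | Where-Object { $_ -ieq $IpaDomain }

# 3. Existing trusted-domain objects in each domain's System container
#    (the LSA_FOREST_TRUST_COLLISION_TDO type reported in the log).
$tdoHits = foreach ($d in $forest.Domains) {
    $base = "CN=System,$((Get-ADDomain -Server $d).DistinguishedName)"
    Get-ADObject -Server $d -SearchBase $base `
        -LDAPFilter "(&(objectClass=trustedDomain)(|(name=$IpaDomain)(trustPartner=$IpaDomain)))" `
        -Properties trustPartner, trustDirection
}

# 4. Accounts that use the suffix, queried via the global catalog (port 3268)
#    so every domain in the forest is covered. Capped to keep the run quick.
$users = Get-ADUser -Server "$($forest.RootDomain):3268" `
    -Filter "userPrincipalName -like '*@$IpaDomain'" `
    -Properties userPrincipalName -ResultSetSize 200

[pscustomobject]@{
    IpaDomain          = $IpaDomain
    UpnSuffixConflict  = [bool]$upnHits
    DomainNameConflict = [bool]$domainHits
    TrustedDomainHits  = @($tdoHits).Count
    UsersWithSuffix    = @($users).Count
} | Format-List

# abbra's second option, the AD-side fix. Run it only after the report above
# shows UpnSuffixConflict = True and you have re-pointed UsersWithSuffix
# accounts to another suffix, otherwise those users lose their UPN logons.
# Set-ADForest -Identity $forest.Name -UPNSuffixes @{ Remove = $IpaDomain }
```

If UpnSuffixConflict is False but TrustedDomainHits or DomainNameConflict is non-zero, the name is claimed by a trust or a domain rather than a UPN suffix, and renaming the IPA domain (abbra's first option) is the only way forward, since AD will not release a top-level name that another forest or domain already routes.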

User contributions licensed under CC BY-SA 3.0