trust-add failed with different internal errors when I ran it in my misconfigured environment (missing DNS records, etc.):
ipa: ERROR: LDAP error when connecting to MKDC2012: {'desc': "Can't contact LDAP server"}
ipa: ERROR: non-public: KeyError: 'sid'
Traceback (most recent call last):
  File "/usr/lib/python2.7/site-packages/ipaserver/rpcserver.py", line 333, in wsgi_execute
    result = self.Command[name](*args, **options)
  File "/usr/lib/python2.7/site-packages/ipalib/frontend.py", line 436, in __call__
    ret = self.run(*args, **options)
  File "/usr/lib/python2.7/site-packages/ipalib/frontend.py", line 755, in run
    result = self.execute(*args, **options)
  File "/usr/lib/python2.7/site-packages/ipalib/plugins/trust.py", line 441, in execute
    old_range, range_name, dom_sid = self.validate_range(*keys, **options)
  File "/usr/lib/python2.7/site-packages/ipalib/plugins/trust.py", line 607, in validate_range
    dom_sid = self.trustinstance.remote_domain.info['sid']
KeyError: 'sid'
ipa: INFO: admin@IDM.LAB.ENG.BRQ.REDHAT.COM: trust_add(u'MKAD2012', trust_type=u'ad', all=False, raw=False, version=u'2.65'): KeyError

ipa: ERROR: LDAP error when connecting to MKDC2012: {'desc': "Can't contact LDAP server"}
ipa: ERROR: non-public: KeyError: 'dns_hostname'
Traceback (most recent call last):
  File "/usr/lib/python2.7/site-packages/ipaserver/rpcserver.py", line 333, in wsgi_execute
    result = self.Command[name](*args, **options)
  File "/usr/lib/python2.7/site-packages/ipalib/frontend.py", line 436, in __call__
    ret = self.run(*args, **options)
  File "/usr/lib/python2.7/site-packages/ipalib/frontend.py", line 755, in run
    result = self.execute(*args, **options)
  File "/usr/lib/python2.7/site-packages/ipalib/plugins/trust.py", line 441, in execute
    old_range, range_name, dom_sid = self.validate_range(*keys, **options)
  File "/usr/lib/python2.7/site-packages/ipalib/plugins/trust.py", line 605, in validate_range
    self.realm_passwd
  File "/usr/lib/python2.7/site-packages/ipaserver/dcerpc.py", line 1100, in populate_remote_domain
    td.retrieve(rd.info['dns_hostname'])
KeyError: 'dns_hostname'
ipa: INFO: admin@IDM.LAB.ENG.BRQ.REDHAT.COM: trust_add(u'MKAD2012', trust_type=u'ad', realm_admin=u'Administrator', realm_passwd=u'********', all=False, raw=False, version=u'2.65'): KeyError

ipa: ERROR: non-public: AttributeError: 'lsa.ForestTrustCollisionInfo' object has no attribute '__ndr_print__'
Traceback (most recent call last):
  File "/usr/lib/python2.7/site-packages/ipaserver/rpcserver.py", line 333, in wsgi_execute
    result = self.Command[name](*args, **options)
  File "/usr/lib/python2.7/site-packages/ipalib/frontend.py", line 436, in __call__
    ret = self.run(*args, **options)
  File "/usr/lib/python2.7/site-packages/ipalib/frontend.py", line 755, in run
    result = self.execute(*args, **options)
  File "/usr/lib/python2.7/site-packages/ipalib/plugins/trust.py", line 442, in execute
    result = self.execute_ad(full_join, *keys, **options)
  File "/usr/lib/python2.7/site-packages/ipalib/plugins/trust.py", line 656, in execute_ad
    self.realm_passwd
  File "/usr/lib/python2.7/site-packages/ipaserver/dcerpc.py", line 1152, in join_ad_full_credentials
    self.remote_domain.establish_trust(self.local_domain, trustdom_pass)
  File "/usr/lib/python2.7/site-packages/ipaserver/dcerpc.py", line 920, in establish_trust
    self.update_ftinfo(another_domain)
  File "/usr/lib/python2.7/site-packages/ipaserver/dcerpc.py", line 878, in update_ftinfo
    root_logger.error("When setting forest trust information, got collision info back:\\n%s" % (ndr_print(collision_info)))
  File "/usr/lib64/python2.7/site-packages/samba/ndr.py", line 50, in ndr_print
    return object.__ndr_print__()
AttributeError: 'lsa.ForestTrustCollisionInfo' object has no attribute '__ndr_print__'
ipa: INFO: admin@IDM.LAB.ENG.BRQ.REDHAT.COM: trust_add(u'MKAD2012', trust_type=u'ad', realm_admin=u'Administrator', realm_passwd=u'********', all=False, raw=False, version=u'2.65'): AttributeError
It would be nice if an error explaining what went wrong was reported instead.
FreeIPA 4.1.1 was released.
4.1.2 was released.
4.1.3 was released.
4.1.4 was released, moving to new milestone
Moving tickets as per freeipa-devel message.
This is a rather generic issue and it seems it is no longer applicable.
AD unable to reach IPA:
$ ipa trust-add --type=ad ad.test --range-type ipa-ad-trust --admin Administrator --password --two-way TRUE
Active Directory domain administrator's password:
ipa: ERROR: AD DC was unable to reach any IPA domain controller. Most likely it is a DNS or firewall issue
IPA unable to reach AD:
$ ipa trust-add --type=ad ad.test --range-type ipa-ad-trust --admin Administrator --password
Active Directory domain administrator's password:
ipa: ERROR: Cannot find specified domain or server name
Closing as works for me, please create separate tickets with reproduction steps if any internal errors are encountered.
Metadata Update from @jcholast: - Issue assigned to tbabej - Issue set to the milestone: FreeIPA 4.2.1