With FreeIPA 4.2, IPA replicas can serve AD users and groups without being able to set up or modify trust properties. In the case of an AD trust agent, such an IPA replica didn't have ipa-adtrust-install executed and no Samba instance is running.
'ipa trust-add' and other commands expect to be able to communicate with a locally running Samba instance for setting up trust. If it is not running, we currently get an exception that should be properly detected, and instead a message should be shown to use a different IPA master (where ipa-adtrust-install was set up).
INFO: Current debug levels:
all: 100 tdb: 100 printdrivers: 100 lanman: 100 smb: 100 rpc_parse: 100 rpc_srv: 100 rpc_cli: 100 passdb: 100 sam: 100 auth: 100 winbind: 100 vfs: 100 idmap: 100 quota: 100 acls: 100 locking: 100 msdfs: 100 dmapi: 100 registry: 100 scavenger: 100 dns: 100 ldb: 100
pm_process() returned Yes
Using binding ncacn_np:m2.example.com[,print,smb2]
s4_tevent: Added timed event "dcerpc_connect_timeout_handler": 0x7ffab403e600
s4_tevent: Added timed event "composite_trigger": 0x7ffab403edd0
s4_tevent: Added timed event "composite_trigger": 0x7ffab403f010
s4_tevent: Running timer event 0x7ffab403edd0 "composite_trigger"
s4_tevent: Destroying timer event 0x7ffab403f010 "composite_trigger"
Mapped to DCERPC endpoint \pipe\lsarpc
added interface eth0 ip=192.168.122.107 bcast=192.168.122.255 netmask=255.255.255.0
added interface eth0 ip=192.168.122.107 bcast=192.168.122.255 netmask=255.255.255.0
resolve_lmhosts: Attempting lmhosts lookup for name m2.example.com<0x20>
getlmhostsent: lmhost entry: 127.0.0.1 localhost
s4_tevent: Added timed event "composite_trigger": 0x7ffab40409a0
s4_tevent: Ending timer event 0x7ffab403edd0 "composite_trigger"
s4_tevent: Running timer event 0x7ffab40409a0 "composite_trigger"
s4_tevent: Added timed event "connect_multi_timer": 0x7ffab4040c70
s4_tevent: Schedule immediate event "tevent_req_trigger": 0x7ffab4041210
s4_tevent: Run immediate event "tevent_req_trigger": 0x7ffab4041210
s4_tevent: Destroying timer event 0x7ffab4040c70 "connect_multi_timer"
Socket options: SO_KEEPALIVE = 0 SO_REUSEADDR = 0 SO_BROADCAST = 0 TCP_NODELAY = 1 TCP_KEEPCNT = 9 TCP_KEEPIDLE = 7200 TCP_KEEPINTVL = 75 IPTOS_LOWDELAY = 0 IPTOS_THROUGHPUT = 0 SO_REUSEPORT = 0 SO_SNDBUF = 16384 SO_RCVBUF = 87380 SO_SNDLOWAT = 1 SO_RCVLOWAT = 1 SO_SNDTIMEO = 0 SO_RCVTIMEO = 0 TCP_QUICKACK = 1 TCP_DEFER_ACCEPT = 0
s4_tevent: Destroying timer event 0x7ffab403e600 "dcerpc_connect_timeout_handler"
[Fri Jul 24 13:15:28.747820 2015] [wsgi:error] [pid 31306] ipa: INFO: [jsonserver_kerb] admin@EXAMPLE.COM: trust_add(u'adx.test', trust_type=u'ad', realm_admin=u'Administrator', realm_passwd=u'********', all=False, raw=False, version=u'2.147'): RemoteRetrieveError
Ticket has been cloned to Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=1250107
master:
ipa-4-2:
Metadata Update from @abbra: - Issue assigned to tbabej - Issue set to the milestone: FreeIPA 4.2.1