Centos7

FreeIPA 無法與 Active Directory 建立信任

  • May 10, 2019

我正在嘗試在 FreeIPA 和 Active Directory 之間建立信任。

基礎設施的詳細資訊:

  • 3 x IPA 伺服器都具有相互複製功能(CentOS 7)
  • 3 個用於 AD 的域控制器(Windows Server 2016)

嘗試執行以下命令時:

ipa trust-add --type=ad ad.example.net --admin admin --password --server=DC1.ad.example.net

它在日誌中產生以下錯誤。

[Thu May 09 14:32:36.771267 2019] [:error] [pid 26493] ipa: ERROR: When setting forest trust information, got collision info back:
[Thu May 09 14:32:36.771308 2019] [:error] [pid 26493]     lsa_ForestTrustCollisionInfo: struct lsa_ForestTrustCollisionInfo
[Thu May 09 14:32:36.771315 2019] [:error] [pid 26493]         count                    : 0x00000001 (1)
[Thu May 09 14:32:36.771321 2019] [:error] [pid 26493]         entries                  : *
[Thu May 09 14:32:36.771326 2019] [:error] [pid 26493]             entries: ARRAY(1)
[Thu May 09 14:32:36.771332 2019] [:error] [pid 26493]                 entries                  : *
[Thu May 09 14:32:36.771337 2019] [:error] [pid 26493]                     entries: struct lsa_ForestTrustCollisionRecord
[Thu May 09 14:32:36.771343 2019] [:error] [pid 26493]                         index                    : 0x00000000 (0)
[Thu May 09 14:32:36.771349 2019] [:error] [pid 26493]                         type                     : LSA_FOREST_TRUST_COLLISION_TDO (0)
[Thu May 09 14:32:36.771354 2019] [:error] [pid 26493]                         flags                    : 0x00000004 (4)
[Thu May 09 14:32:36.771360 2019] [:error] [pid 26493]                                0: LSA_TLN_DISABLED_NEW
[Thu May 09 14:32:36.771366 2019] [:error] [pid 26493]                                0: LSA_TLN_DISABLED_ADMIN
[Thu May 09 14:32:36.771382 2019] [:error] [pid 26493]                                1: LSA_TLN_DISABLED_CONFLICT
[Thu May 09 14:32:36.771388 2019] [:error] [pid 26493]                                0: LSA_SID_DISABLED_ADMIN
[Thu May 09 14:32:36.771394 2019] [:error] [pid 26493]                                0: LSA_SID_DISABLED_CONFLICT
[Thu May 09 14:32:36.771399 2019] [:error] [pid 26493]                                1: LSA_NB_DISABLED_ADMIN
[Thu May 09 14:32:36.771405 2019] [:error] [pid 26493]                                0: LSA_NB_DISABLED_CONFLICT
[Thu May 09 14:32:36.771410 2019] [:error] [pid 26493]                         name: struct lsa_String
[Thu May 09 14:32:36.771416 2019] [:error] [pid 26493]                             length                   : 0x0018 (24)
[Thu May 09 14:32:36.771422 2019] [:error] [pid 26493]                             size                     : 0x001a (26)
[Thu May 09 14:32:36.771427 2019] [:error] [pid 26493]                             string                   : *
[Thu May 09 14:32:36.771433 2019] [:error] [pid 26493]                                 string                   : 'ad.example.net'
[Thu May 09 14:32:36.771439 2019] [:error] [pid 26493]
[Thu May 09 14:32:36.771535 2019] [:error] [pid 26493] ipa: ERROR: Attempt to solve forest trust topology conflicts
[Thu May 09 14:32:36.778084 2019] [:error] [pid 26493] ipa: ERROR: non-public: NTSTATUSError: (3221225695, 'The specified domain did not exist.')
[Thu May 09 14:32:36.778103 2019] [:error] [pid 26493] Traceback (most recent call last):
[Thu May 09 14:32:36.778109 2019] [:error] [pid 26493]   File "/usr/lib/python2.7/site-packages/ipaserver/rpcserver.py", line 369, in wsgi_execute
[Thu May 09 14:32:36.778115 2019] [:error] [pid 26493]     result = command(*args, **options)
[Thu May 09 14:32:36.778121 2019] [:error] [pid 26493]   File "/usr/lib/python2.7/site-packages/ipalib/frontend.py", line 450, in __call__
[Thu May 09 14:32:36.778126 2019] [:error] [pid 26493]     return self.__do_call(*args, **options)
[Thu May 09 14:32:36.778132 2019] [:error] [pid 26493]   File "/usr/lib/python2.7/site-packages/ipalib/frontend.py", line 478, in __do_call
[Thu May 09 14:32:36.778138 2019] [:error] [pid 26493]     ret = self.run(*args, **options)
[Thu May 09 14:32:36.778143 2019] [:error] [pid 26493]   File "/usr/lib/python2.7/site-packages/ipalib/frontend.py", line 800, in run
[Thu May 09 14:32:36.778164 2019] [:error] [pid 26493]     return self.execute(*args, **options)
[Thu May 09 14:32:36.778175 2019] [:error] [pid 26493]   File "/usr/lib/python2.7/site-packages/ipaserver/plugins/trust.py", line 737, in execute
[Thu May 09 14:32:36.778181 2019] [:error] [pid 26493]     result = self.execute_ad(full_join, *keys, **options)
[Thu May 09 14:32:36.778187 2019] [:error] [pid 26493]   File "/usr/lib/python2.7/site-packages/ipaserver/plugins/trust.py", line 992, in execute_ad
[Thu May 09 14:32:36.778193 2019] [:error] [pid 26493]     trust_type
[Thu May 09 14:32:36.778198 2019] [:error] [pid 26493]   File "/usr/lib/python2.7/site-packages/ipaserver/dcerpc.py", line 1670, in join_ad_full_credentials
[Thu May 09 14:32:36.778204 2019] [:error] [pid 26493]     trust_type, trust_external)
[Thu May 09 14:32:36.778210 2019] [:error] [pid 26493]   File "/usr/lib/python2.7/site-packages/ipaserver/dcerpc.py", line 1353, in establish_trust
[Thu May 09 14:32:36.778216 2019] [:error] [pid 26493]     self.update_ftinfo(another_domain)
[Thu May 09 14:32:36.778221 2019] [:error] [pid 26493]   File "/usr/lib/python2.7/site-packages/ipaserver/dcerpc.py", line 1229, in update_ftinfo
[Thu May 09 14:32:36.778227 2019] [:error] [pid 26493]     self.clear_ftinfo_conflict(another_domain, cinfo)
[Thu May 09 14:32:36.778232 2019] [:error] [pid 26493]   File "/usr/lib/python2.7/site-packages/ipaserver/dcerpc.py", line 1125, in clear_ftinfo_conflict
[Thu May 09 14:32:36.778238 2019] [:error] [pid 26493]     lsa.LSA_FOREST_TRUST_DOMAIN_INFO)
[Thu May 09 14:32:36.778244 2019] [:error] [pid 26493] NTSTATUSError: (3221225695, 'The specified domain did not exist.')
[Thu May 09 14:32:36.778604 2019] [:error] [pid 26493] ipa: INFO: [jsonserver_session] admin@example.com: trust_add/1(u'ad.example.net', trust_type=u'ad', realm_admin=u'admin', realm_passwd=u'********', realm_server=u'DC1.ad.example.net', version=u'2.230'): InternalError

現在據我所知,它說我給了它一個無效的域名……但是如果我執行:

systeminfo | findstr /B /C:"Domain"

在其中一台域註冊機器上,它返回:

Domain:                    ad.example.net

所以我知道我使用了正確的域名。

有沒有人能夠解釋為什麼這會失敗?

它基本上是說 IPA 域的名稱已經在 AD 森林拓撲中的某處使用,並且 Active Directory 域控制器拒絕將該名稱路由到 IPA。IPA 中的自動拓撲衝突解決程序中的程式碼沒有考慮由於 IPA 名稱在 AD 中用作 UPN 而引發此類衝突的情況。

您在 AD 中有 example.com 作為 UPN 嗎?如果是這樣,就沒有辦法讓這種信任發揮作用。在 AD DC 接受之前,您需要更改 IPA 域 (=realm)。或者從AD端刪除同名的UPN。

引用自:https://serverfault.com/questions/966565