Centos7
FreeIPA cannot establish a trust with Active Directory
I am trying to set up a trust between FreeIPA and Active Directory.
Infrastructure details:
- 3 x IPA servers, all replicating with each other (CentOS 7)
- 3 domain controllers for AD (Windows Server 2016)
When I try to run the following command:
ipa trust-add --type=ad ad.example.net --admin admin --password --server=DC1.ad.example.net
it produces the following error in the log.
[Thu May 09 14:32:36.771267 2019] [:error] [pid 26493] ipa: ERROR: When setting forest trust information, got collision info back:
[Thu May 09 14:32:36.771308 2019] [:error] [pid 26493] lsa_ForestTrustCollisionInfo: struct lsa_ForestTrustCollisionInfo
[Thu May 09 14:32:36.771315 2019] [:error] [pid 26493] count : 0x00000001 (1)
[Thu May 09 14:32:36.771321 2019] [:error] [pid 26493] entries : *
[Thu May 09 14:32:36.771326 2019] [:error] [pid 26493] entries: ARRAY(1)
[Thu May 09 14:32:36.771332 2019] [:error] [pid 26493] entries : *
[Thu May 09 14:32:36.771337 2019] [:error] [pid 26493] entries: struct lsa_ForestTrustCollisionRecord
[Thu May 09 14:32:36.771343 2019] [:error] [pid 26493] index : 0x00000000 (0)
[Thu May 09 14:32:36.771349 2019] [:error] [pid 26493] type : LSA_FOREST_TRUST_COLLISION_TDO (0)
[Thu May 09 14:32:36.771354 2019] [:error] [pid 26493] flags : 0x00000004 (4)
[Thu May 09 14:32:36.771360 2019] [:error] [pid 26493] 0: LSA_TLN_DISABLED_NEW
[Thu May 09 14:32:36.771366 2019] [:error] [pid 26493] 0: LSA_TLN_DISABLED_ADMIN
[Thu May 09 14:32:36.771382 2019] [:error] [pid 26493] 1: LSA_TLN_DISABLED_CONFLICT
[Thu May 09 14:32:36.771388 2019] [:error] [pid 26493] 0: LSA_SID_DISABLED_ADMIN
[Thu May 09 14:32:36.771394 2019] [:error] [pid 26493] 0: LSA_SID_DISABLED_CONFLICT
[Thu May 09 14:32:36.771399 2019] [:error] [pid 26493] 1: LSA_NB_DISABLED_ADMIN
[Thu May 09 14:32:36.771405 2019] [:error] [pid 26493] 0: LSA_NB_DISABLED_CONFLICT
[Thu May 09 14:32:36.771410 2019] [:error] [pid 26493] name: struct lsa_String
[Thu May 09 14:32:36.771416 2019] [:error] [pid 26493] length : 0x0018 (24)
[Thu May 09 14:32:36.771422 2019] [:error] [pid 26493] size : 0x001a (26)
[Thu May 09 14:32:36.771427 2019] [:error] [pid 26493] string : *
[Thu May 09 14:32:36.771433 2019] [:error] [pid 26493] string : 'ad.example.net'
[Thu May 09 14:32:36.771439 2019] [:error] [pid 26493]
[Thu May 09 14:32:36.771535 2019] [:error] [pid 26493] ipa: ERROR: Attempt to solve forest trust topology conflicts
[Thu May 09 14:32:36.778084 2019] [:error] [pid 26493] ipa: ERROR: non-public: NTSTATUSError: (3221225695, 'The specified domain did not exist.')
[Thu May 09 14:32:36.778103 2019] [:error] [pid 26493] Traceback (most recent call last):
[Thu May 09 14:32:36.778109 2019] [:error] [pid 26493] File "/usr/lib/python2.7/site-packages/ipaserver/rpcserver.py", line 369, in wsgi_execute
[Thu May 09 14:32:36.778115 2019] [:error] [pid 26493] result = command(*args, **options)
[Thu May 09 14:32:36.778121 2019] [:error] [pid 26493] File "/usr/lib/python2.7/site-packages/ipalib/frontend.py", line 450, in __call__
[Thu May 09 14:32:36.778126 2019] [:error] [pid 26493] return self.__do_call(*args, **options)
[Thu May 09 14:32:36.778132 2019] [:error] [pid 26493] File "/usr/lib/python2.7/site-packages/ipalib/frontend.py", line 478, in __do_call
[Thu May 09 14:32:36.778138 2019] [:error] [pid 26493] ret = self.run(*args, **options)
[Thu May 09 14:32:36.778143 2019] [:error] [pid 26493] File "/usr/lib/python2.7/site-packages/ipalib/frontend.py", line 800, in run
[Thu May 09 14:32:36.778164 2019] [:error] [pid 26493] return self.execute(*args, **options)
[Thu May 09 14:32:36.778175 2019] [:error] [pid 26493] File "/usr/lib/python2.7/site-packages/ipaserver/plugins/trust.py", line 737, in execute
[Thu May 09 14:32:36.778181 2019] [:error] [pid 26493] result = self.execute_ad(full_join, *keys, **options)
[Thu May 09 14:32:36.778187 2019] [:error] [pid 26493] File "/usr/lib/python2.7/site-packages/ipaserver/plugins/trust.py", line 992, in execute_ad
[Thu May 09 14:32:36.778193 2019] [:error] [pid 26493] trust_type
[Thu May 09 14:32:36.778198 2019] [:error] [pid 26493] File "/usr/lib/python2.7/site-packages/ipaserver/dcerpc.py", line 1670, in join_ad_full_credentials
[Thu May 09 14:32:36.778204 2019] [:error] [pid 26493] trust_type, trust_external)
[Thu May 09 14:32:36.778210 2019] [:error] [pid 26493] File "/usr/lib/python2.7/site-packages/ipaserver/dcerpc.py", line 1353, in establish_trust
[Thu May 09 14:32:36.778216 2019] [:error] [pid 26493] self.update_ftinfo(another_domain)
[Thu May 09 14:32:36.778221 2019] [:error] [pid 26493] File "/usr/lib/python2.7/site-packages/ipaserver/dcerpc.py", line 1229, in update_ftinfo
[Thu May 09 14:32:36.778227 2019] [:error] [pid 26493] self.clear_ftinfo_conflict(another_domain, cinfo)
[Thu May 09 14:32:36.778232 2019] [:error] [pid 26493] File "/usr/lib/python2.7/site-packages/ipaserver/dcerpc.py", line 1125, in clear_ftinfo_conflict
[Thu May 09 14:32:36.778238 2019] [:error] [pid 26493] lsa.LSA_FOREST_TRUST_DOMAIN_INFO)
[Thu May 09 14:32:36.778244 2019] [:error] [pid 26493] NTSTATUSError: (3221225695, 'The specified domain did not exist.')
[Thu May 09 14:32:36.778604 2019] [:error] [pid 26493] ipa: INFO: [jsonserver_session] admin@example.com: trust_add/1(u'ad.example.net', trust_type=u'ad', realm_admin=u'admin', realm_passwd=u'********', realm_server=u'DC1.ad.example.net', version=u'2.230'): InternalError
Now, as far as I can tell, it is saying that I gave it an invalid domain name... but if I run:
systeminfo | findstr /B /C:"Domain"
on one of the domain-joined machines, it returns:
Domain: ad.example.net
So I know I am using the correct domain name.
Can anyone explain why this is failing?
It is basically saying that the name of the IPA domain is already in use somewhere in the AD forest topology, and the Active Directory domain controller refuses to route that name to IPA. The code in IPA's automatic topology conflict resolution does not account for the case where such a conflict arises because the IPA name is used as a UPN in AD.
Do you have example.com as a UPN in AD? If so, there is no way to make this trust work. You would need to change the IPA domain (= realm) before the AD DC will accept it. Or remove the UPN with the same name from the AD side.
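As an added example for this thread (my own code, not FreeIPA's), the following Python decodes the lsa_ForestTrustCollisionRecord that ipa trust-add dumps into the Apache error_log and then checks an IPA domain against a list of AD UPN suffixes, which is the check the answer above asks for. The flag bit values are those of the MS-LSAD collision record (a TDO collision carries the LSA_TLN_* bits, a cross-reference collision the LSA_SID_*/LSA_NB_* bits), the sample log lines are constructed after the ones in the question, and the function names parse_collision and upn_conflicts are my own. One assumption is labelled in the code: a UPN suffix underneath the IPA domain is reported as a conflict too, on the basis that name-suffix routing for a top-level name covers its subordinate names.

```python
"""Decode the forest-trust collision record that `ipa trust-add` logs to the
Apache error_log, and check an IPA domain against AD UPN suffixes.

Added example for this thread; it is not FreeIPA's own code.  Flag bit values
are those of MS-LSAD's LSA_FOREST_TRUST_COLLISION_RECORD (TDO collisions carry
the LSA_TLN_* bits, cross-ref collisions the LSA_SID_*/LSA_NB_* bits).
"""
import re

# Apache error_log prefix that precedes every line of the Samba struct dump.
_PREFIX = re.compile(r"^\[[^\]]+\] \[:error\] \[pid \d+\] ?")
_FIELD = re.compile(r"^(\w+)\s*:\s*(.*)$")

TLN_FLAGS = {0x1: "LSA_TLN_DISABLED_NEW",
             0x2: "LSA_TLN_DISABLED_ADMIN",
             0x4: "LSA_TLN_DISABLED_CONFLICT"}
XREF_FLAGS = {0x1: "LSA_SID_DISABLED_ADMIN",
              0x2: "LSA_SID_DISABLED_CONFLICT",
              0x4: "LSA_NB_DISABLED_ADMIN",
              0x8: "LSA_NB_DISABLED_CONFLICT"}
# Only the status seen in the question is mapped: 3221225695 == 0xC00000DF.
NTSTATUS_NAMES = {0xC00000DF: "STATUS_NO_SUCH_DOMAIN"}

# Constructed sample, shaped after the log in the question above.
SAMPLE_LOG = """\
[Thu May 09 14:32:36.771267 2019] [:error] [pid 26493] ipa: ERROR: When setting forest trust information, got collision info back:
[Thu May 09 14:32:36.771308 2019] [:error] [pid 26493] lsa_ForestTrustCollisionInfo: struct lsa_ForestTrustCollisionInfo
[Thu May 09 14:32:36.771315 2019] [:error] [pid 26493] count : 0x00000001 (1)
[Thu May 09 14:32:36.771337 2019] [:error] [pid 26493] entries: struct lsa_ForestTrustCollisionRecord
[Thu May 09 14:32:36.771343 2019] [:error] [pid 26493] index : 0x00000000 (0)
[Thu May 09 14:32:36.771349 2019] [:error] [pid 26493] type : LSA_FOREST_TRUST_COLLISION_TDO (0)
[Thu May 09 14:32:36.771354 2019] [:error] [pid 26493] flags : 0x00000004 (4)
[Thu May 09 14:32:36.771360 2019] [:error] [pid 26493] 0: LSA_TLN_DISABLED_NEW
[Thu May 09 14:32:36.771382 2019] [:error] [pid 26493] 1: LSA_TLN_DISABLED_CONFLICT
[Thu May 09 14:32:36.771399 2019] [:error] [pid 26493] 1: LSA_NB_DISABLED_ADMIN
[Thu May 09 14:32:36.771410 2019] [:error] [pid 26493] name: struct lsa_String
[Thu May 09 14:32:36.771427 2019] [:error] [pid 26493] string : *
[Thu May 09 14:32:36.771433 2019] [:error] [pid 26493] string : 'ad.example.net'
[Thu May 09 14:32:36.778084 2019] [:error] [pid 26493] ipa: ERROR: non-public: NTSTATUSError: (3221225695, 'The specified domain did not exist.')
"""


def decode_flags(record_type, flags):
    """Pick the flag table by record type.  The bit values overlap between the
    two tables, which is why the dump prints a 1 for both
    LSA_TLN_DISABLED_CONFLICT and LSA_NB_DISABLED_ADMIN for flags == 4."""
    table = TLN_FLAGS if record_type == "LSA_FOREST_TRUST_COLLISION_TDO" else XREF_FLAGS
    return [name for bit, name in sorted(table.items()) if flags & bit]


def parse_collision(log_text):
    """Return (collision records, NTSTATUS dict) found in error_log text."""
    records, status, current = [], None, None
    for raw in log_text.splitlines():
        line = _PREFIX.sub("", raw).strip()
        if line.startswith("entries: struct lsa_ForestTrustCollisionRecord"):
            current = {}
            records.append(current)
            continue
        m = re.search(r"NTSTATUSError: \((\d+),", line)
        if m:
            code = int(m.group(1))
            status = {"code": code, "hex": "0x%08X" % code,
                      "name": NTSTATUS_NAMES.get(code, "unknown")}
            continue
        if current is None:
            continue
        m = _FIELD.match(line)
        if not m:
            continue
        key, value = m.groups()
        if key == "type":
            current["type"] = value.split()[0]
        elif key == "flags":
            current["flags"] = int(value.split()[0], 16)
        elif key == "string" and value.startswith("'"):
            current["name"] = value.strip("'")
    for r in records:
        r["flag_names"] = decode_flags(r.get("type", ""), r.get("flags", 0))
    return records, status


def upn_conflicts(ipa_domain, upn_suffixes):
    """UPN suffixes that collide with the IPA domain's top-level name.
    Equality is the case the answer describes.  A suffix *underneath* the IPA
    domain is reported as well; that is an assumption (top-level-name routing
    is taken to cover subordinate names), not something the thread states."""
    ipa = ipa_domain.lower().rstrip(".")
    hits = []
    for s in upn_suffixes:
        s = s.lower().rstrip(".")
        if s == ipa or s.endswith("." + ipa):
            hits.append(s)
    return hits


if __name__ == "__main__":
    recs, st = parse_collision(SAMPLE_LOG)
    for r in recs:
        print("collision with %r: type=%s flags=%s" % (r.get("name"), r.get("type"), r["flag_names"]))
    print("NTSTATUS %s (%s)" % (st["hex"], st["name"]))
    # Constructed UPN suffix list; on a real DC read it from Get-ADForest (UPNSuffixes).
    print("UPN conflicts:", upn_conflicts("example.com", ["ad.example.net", "Example.com", "corp.example.com"]))
```

Run against the real error_log, the decoder turns the 1/0 lines of the dump into the single relevant flag for the record type (here LSA_TLN_DISABLED_CONFLICT on a TDO record, i.e. a top-level-name conflict) and renders the decimal NTSTATUS as 0xC00000DF, STATUS_NO_SUCH_DOMAIN. The UPN suffix list to feed upn_conflicts can be read on a domain controller from the UPNSuffixes property of Get-ADForest.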