Stuck on FreeIPA creating AD domain trust

Post by AveryFreeman » 2019/12/30 14:05:12

Hello

I have a pre-existing AD domain webtool.space

I'm trying to set up a subdomain ipa.webtool.space w/ ipa server ipa0.ipa.webtool.space (server is running CentOS 8 Stream 1905)

All in same subnet 192.168.1.0/24

Following this wiki: https://www.freeipa.org/page/Active_Dir ... rust_setup

The end goal is to have the domain and subdomain machines able to talk to each other, but with the *nix machines' identities managed by FreeIPA and the Windows machines' identities managed by Active Directory.

Pertinent info from IPA server:

```
# hostname
ipa0.ipa.webtool.space

# cat /etc/hosts
127.0.0.1   localhost
::1         localhost
192.168.1.36    ipa0.ipa.webtool.space

# dig SRV _ldap._tcp.ipa.webtool.space

; <<>> DiG 9.11.4-P2-RedHat-9.11.4-26.P2.el8 <<>> SRV _ldap._tcp.ipa.webtool.space
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 18082
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 2

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
; COOKIE: 6f3ab5c0dd0e32517be397f05e09bf14176cd1c5994f17f1 (good)
;; QUESTION SECTION:
;_ldap._tcp.ipa.webtool.space.  IN      SRV

;; ANSWER SECTION:
_ldap._tcp.ipa.webtool.space. 86400 IN  SRV     0 100 389 ipa0.ipa.webtool.space.

;; AUTHORITY SECTION:
ipa.webtool.space.      86400   IN      NS      ipa0.ipa.webtool.space.

;; ADDITIONAL SECTION:
ipa0.ipa.webtool.space. 1200    IN      A       192.168.1.36

;; Query time: 1 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Mon Dec 30 01:10:44 PST 2019
;; MSG SIZE  rcvd: 157

[root@ipa0 localuser]# dig SRV _ldap._tcp.webtool.space

; <<>> DiG 9.11.4-P2-RedHat-9.11.4-26.P2.el8 <<>> SRV _ldap._tcp.webtool.space
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 45837
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
; COOKIE: 300b21a1f6624f1afc362e105e09bf22e93c6fc84b217e50 (good)
;; QUESTION SECTION:
;_ldap._tcp.webtool.space.      IN      SRV

;; AUTHORITY SECTION:
webtool.space.          3193    IN      SOA     dns1.registrar-servers.com. hostmaster.registrar-servers.com. 1575960388 3600 1801 604800 3601

;; Query time: 0 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Mon Dec 30 01:10:58 PST 2019
;; MSG SIZE  rcvd: 154

# ip addr
1: loopback [truncated]
2: ens160: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq state UP group default qlen 1000
    link/ether 00:50:56:b7:40:70 brd ff:ff:ff:ff:ff:ff
    inet 192.168.1.36/24 brd 192.168.1.255 scope global noprefixroute ens160
       valid_lft forever preferred_lft forever
    inet6 2601:603:4d00:370:250:56ff:feb7:4070/64 scope global dynamic mngtmpaddr
       valid_lft 86391sec preferred_lft 14391sec
    inet6 fe80::250:56ff:feb7:4070/64 scope link
       valid_lft forever preferred_lft forever
```

and from Windows 2012R2 RFC2307 Domain Controller:

```
C:\Windows\System32>nslookup
Default Server:  localhost
Address:  127.0.0.1

> set type=srv
> _ldap._tcp.webtool.space
Server:  localhost
Address:  127.0.0.1

_ldap._tcp.webtool.space        SRV service location:
          priority       = 0
          weight         = 100
          port           = 389
          svr hostname   = 2012dc01.webtool.space
_ldap._tcp.webtool.space        SRV service location:
          priority       = 0
          weight         = 100
          port           = 389
          svr hostname   = 2012dc02.webtool.space
2012dc01.webtool.space  internet address = 192.168.1.2
2012dc01.webtool.space  AAAA IPv6 address = 2601:603:4d00:370:c90b:dfb8:f366:82bd
2012dc02.webtool.space  internet address = 192.168.1.3
2012dc02.webtool.space  AAAA IPv6 address = 2601:603:4d00:370:74b3:9689:c8a8:21ab
> _ldap._tcp.ipa.webtool.space
Server:  localhost
Address:  127.0.0.1

Non-authoritative answer:
_ldap._tcp.ipa.webtool.space    SRV service location:
          priority       = 0
          weight         = 100
          port           = 389
          svr hostname   = ipa0.ipa.webtool.space

ipa0.ipa.webtool.space  internet address = 192.168.1.36
> quit

C:\Windows\System32>
```

So all that looks good. I did get:

```
C:\Windows\System32>dnscmd 127.0.0.1 /ZoneAdd ipa.webtool.space /Forwarder 192.168.1.36

Command failed:  DNS_ERROR_ZONE_CONFIGURATION_ERROR     9604    0x2584
```

So I set up a stub zone for ipa.webtool.space using the GUI DNS utility (the MMC DNS snap-in / RSAT tool), which seemed like what I was trying to do from the command line in that last code block.

This is the first time I've ever tried anything like this. I think I'm missing the part where ipa0.ipa.webtool.space is set as a forwarder. Does anyone have any ideas?

Thanks :D
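The two `dig` lookups quoted in the post are the prerequisite the FreeIPA trust setup checks in both directions: each side has to resolve the other side's `_ldap._tcp` SRV record through a server that is actually authoritative for that zone, not through whatever public resolver the box happens to use. As an added example (not part of the post, and not FreeIPA's or Microsoft's own tooling), the Python below parses saved `dig` output and reports the conditions that would block that prerequisite. The two sample outputs are copied from the post and trimmed to the sections that matter; the record and section names are the ones `dig` prints.

```python
"""Check saved `dig` output for the _ldap._tcp SRV lookups a FreeIPA/AD
trust depends on.  Added example, not from the post; the two sample
outputs are copied from it and trimmed to the relevant sections."""
import re
from dataclasses import dataclass, field

# dig output captured on the IPA server (from the post): IPA's own zone
DIG_IPA = """\
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 18082
;; QUESTION SECTION:
;_ldap._tcp.ipa.webtool.space.  IN      SRV

;; ANSWER SECTION:
_ldap._tcp.ipa.webtool.space. 86400 IN  SRV     0 100 389 ipa0.ipa.webtool.space.

;; AUTHORITY SECTION:
ipa.webtool.space.      86400   IN      NS      ipa0.ipa.webtool.space.

;; ADDITIONAL SECTION:
ipa0.ipa.webtool.space. 1200    IN      A       192.168.1.36
"""

# dig output captured on the IPA server (from the post): the AD zone
DIG_AD = """\
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 45837
;; QUESTION SECTION:
;_ldap._tcp.webtool.space.      IN      SRV

;; AUTHORITY SECTION:
webtool.space.          3193    IN      SOA     dns1.registrar-servers.com. hostmaster.registrar-servers.com. 1575960388 3600 1801 604800 3601
"""


@dataclass
class Record:
    name: str
    ttl: int
    rtype: str
    rdata: list


@dataclass
class DigResult:
    qname: str
    status: str
    sections: dict = field(default_factory=dict)  # section name -> [Record]


def parse_dig(text: str) -> DigResult:
    """Pull the status, the queried name and every record of the ANSWER,
    AUTHORITY and ADDITIONAL sections out of dig's presentation format."""
    status = re.search(r"status: (\w+)", text).group(1)
    qname = re.search(r"^;(\S+)\s+IN\s+\w+\s*$", text, re.M).group(1)
    result = DigResult(qname=qname, status=status)
    section = None
    for line in text.splitlines():
        header = re.match(r";; (\w+) SECTION:", line)
        if header:
            section = header.group(1)
            continue
        if not line.strip() or line.startswith(";") or section in (None, "QUESTION"):
            continue
        name, ttl, _cls, rtype, *rdata = line.split()
        result.sections.setdefault(section, []).append(Record(name, int(ttl), rtype, rdata))
    return result


def srv_targets(result: DigResult) -> list:
    """Target hosts named by the SRV answers, in the order dig printed them."""
    return [r.rdata[3] for r in result.sections.get("ANSWER", []) if r.rtype == "SRV"]


def check_srv_lookup(result: DigResult, zone: str) -> list:
    """Return the reasons this lookup would not satisfy the trust prerequisite
    for `zone`; an empty list means the SRV record resolved from inside the zone."""
    zone = zone.rstrip(".") + "."
    problems = []
    if result.status != "NOERROR":
        problems.append(f"{result.qname}: status {result.status}")
    if not srv_targets(result):
        problems.append(f"{result.qname}: no SRV record in the answer section")
    for rec in result.sections.get("AUTHORITY", []):
        # an NS target or SOA primary outside the zone means the resolver
        # reached some server other than the zone's own DNS (e.g. public DNS)
        primary = rec.rdata[0]
        if rec.rtype in ("NS", "SOA") and not primary.endswith("." + zone):
            problems.append(f"{rec.name} is served by {primary}, outside {zone}")
    return problems


if __name__ == "__main__":
    for text, zone in ((DIG_IPA, "ipa.webtool.space"), (DIG_AD, "webtool.space")):
        found = check_srv_lookup(parse_dig(text), zone)
        print(zone, "OK" if not found else "\n  " + "\n  ".join(found))
```

Run against the post's output it reports nothing for the ipa.webtool.space lookup and three problems for webtool.space: NXDOMAIN status, no SRV answer, and an SOA from dns1.registrar-servers.com, i.e. the IPA server's resolver answered the AD zone from public DNS rather than from a domain controller. The stub zone on the Windows side covers only the AD-to-IPA direction; the FreeIPA side has its own mechanism for the reverse direction, a DNS forward zone pointing webtool.space at the domain controllers (`ipa dnsforwardzone-add`, with `--forwarder` and `--forward-policy=only`, which the trust documentation describes), and the check above is the quickest way to confirm whether that direction is in place.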
