Red Hat SummitCe contenu n'est pas disponible dans la langue sélectionnée.
Chapter 10. Troubleshooting setting up a cross-forest trust
Learn more about troubleshooting the process of configuring a cross-forest trust between your Identity Management (IdM) environment and an Active Directory (AD) forest.
10.1. Sequence of events when establishing a cross-forest trust with AD
When you use the ipa trust-add command to establish a cross-forest trust with an Active Directory (AD) Domain Controller (DC), the command operates on behalf of the user who ran the command and performs the following actions on the IdM server. If you have trouble establishing a cross-forest trust, you can use this list to help narrow down and troubleshoot your issue.
Part 1: The command verifies settings and inputs
- Verify that the IdM server has the Trust Controller role.
-
Validate the options passed to the
ipa trust-addcommand. -
Validate the ID range associated with a trusted forest root domain. If you did not specify the ID range type and properties as options to the
ipa trust-addcommand, they are discovered from Active Directory.
Part 2: The command attempts to establish a trust to an Active Directory domain
- Create a separate trust object for each trust direction. Each of the objects get created on both sides (IdM and AD). If you are establishing a one-way trust, only one object is created on each side.
The IdM server uses the Samba suite to handle domain controller capabilities for Active Directory and creates a trust object on the target AD PDC:
-
The IdM server establishes a secure connection to the
IPC$share on the target DC. Since RHEL 8.4, the connection requires at least the SMB3 protocol with Windows Server 2012 and above to ensure the connection is sufficiently secure with AES-based encryption used for the session. -
The IdM server queries for the presence of the trusted domain object (TDO) using an
LSA QueryTrustedDomainInfoByNamecall. If the TDO is already present, remove it with an
LSA DeleteTrustedDomaincall.NoteThis call fails if the AD user account used to establish the trust does not have full Enterprise Admin (EA) or Domain Admin (DA) privileges for the forest root, such as members of the Incoming Forest Trust Builders group. If the old TDO is not automatically removed, an AD Administrator must manually remove it from AD.
-
The IdM server creates a new TDO with an
LSA CreateTrustedDomainEx2call. The TDO credentials are randomly generated using a Samba-provided password generator with 128 random characters. The new TDO is then modified with an
LSA SetInformationTrustedDomaincall to make sure encryption types supported by the trust are set properly:-
The
RC4_HMAC_MD5encryption type is enabled, even if there are no RC4 keys in use, due to how Active Directory is designed. AES128_CTS_HMAC_SHA1_96andAES256_CTS_HMAC_SHA1_96encryption types are enabled.NoteIf you use Kerberos PKINIT (certificate or smart card-based authentication) to interoperate with Windows Server 2022 or older, you must enable the
SHA1system-wide cryptographic subpolicy to allow SHA-1 signatures:+
update-crypto-policies --set DEFAULT:SHA1
# update-crypto-policies --set DEFAULT:SHA1Copy to Clipboard Copied! Toggle word wrap Toggle overflow
-
The
-
The IdM server establishes a secure connection to the
-
For a forest trust, verify that in-forest domains can be reached transitively with an
LSA SetInformationTrustedDomaincall. Add trust topology information about the other forest (IdM in the case of communicating with AD, AD in the case of communicating with IdM) using an
LSA RSetForestTrustInformationcall.NoteThis step might cause a conflict for one of three reasons:
-
A SID namespace conflict, reported as an
LSA_SID_DISABLED_CONFLICTerror. This conflict cannot be resolved. -
A NetBIOS namespace conflict, reported as an
LSA_NB_DISABLED_CONFLICTerror. This conflict cannot be resolved. -
A DNS namespace conflict with a top level name (TLN), reported as an
LSA_TLN_DISABLED_CONFLICTerror. The IdM server can automatically resolve a TLN conflict if it is caused by another forest.
To resolve a TLN conflict, the IdM server performs the following steps:
- Retrieve forest trust information for the conflicting forest.
- Add an exclusion entry for the IdM DNS namespace to the AD forest.
- Set forest trust information for the forest we conflict on.
- Re-try establishing the trust to the original forest.
The IdM server can only resolve these conflicts if you authenticated the
ipa trust-addcommand with the privileges of an AD administrator that can change forest trusts. If you do not have access to those privileges, the administrator of the original forest must manually perform the steps above in the Active Directory Domains and Trusts section of the Windows UI.-
A SID namespace conflict, reported as an
- If it does not exist, create the ID range for the trusted domain.
- For a forest trust, query Active Directory domain controllers from the forest root for details about the forest topology. The IdM server uses this information to create additional ID ranges for any additional domains from the trusted forest.
10.2. Checklist of prerequisites for establishing an AD trust
You can use the following checklist to review the prerequisites for creating a trust with an AD domain.
| Component | Configuration | Additional details |
|---|---|---|
| Product versions | Your Active Directory domain is using a supported version of Windows Server. | |
| AD Administrator privileges | The Active Directory administration account must be a member of one of the following groups:
| |
| Networking | IPv6 support is enabled in the Linux kernel for all IdM servers. | |
| Date and time | Verify the date and time settings on both servers match. | |
| Encryption types | The following AD accounts have AES encryption keys:
If you have recently enabled AES encryption in AD, generate new AES keys with the following steps:
| |
| Firewall | You have opened all necessary ports on IdM servers and AD Domain Controllers for bidirectional communication. | |
| DNS |
| |
| Topology | Ensure you are attempting to establish a trust with an IdM server you have configured as a trust controller. |
10.3. Gathering debug logs of an attempt to establish an AD trust
If you are experiencing issues with establishing a trust between an IdM environment and AD domain, use the following steps to enable detailed error logging so you can gather logs of an attempt to establish a trust. You can review these logs to help with your troubleshooting efforts, or you can provide them in a Red Hat Technical Support case.
Prerequisites
- You need root permissions to restart IdM services.
Procedure
To enable debugging for the IdM server, create the file
/etc/ipa/server.confwith the following contents.[global] debug=True
[global] debug=TrueCopy to Clipboard Copied! Toggle word wrap Toggle overflow Restart the
httpdservice to load the debugging configuration.systemctl restart httpd
[root@trust_controller ~]# systemctl restart httpdCopy to Clipboard Copied! Toggle word wrap Toggle overflow Stop the
smbandwinbindservices.systemctl stop smb winbind
[root@trust_controller ~]# systemctl stop smb winbindCopy to Clipboard Copied! Toggle word wrap Toggle overflow Set the debugging log level for the
smbandwinbindservices.net conf setparm global 'log level' 100
[root@trust_controller ~]# net conf setparm global 'log level' 100Copy to Clipboard Copied! Toggle word wrap Toggle overflow To enable debug logging for Samba client code used by the IdM framework, edit the
/usr/share/ipa/smb.conf.emptyconfiguration file to have the following contents.[global] log level = 100[global] log level = 100Copy to Clipboard Copied! Toggle word wrap Toggle overflow Remove previous Samba logs.
rm /var/log/samba/log.*
[root@trust_controller ~]# rm /var/log/samba/log.*Copy to Clipboard Copied! Toggle word wrap Toggle overflow Start the
smbandwinbindservices.systemctl start smb winbind
[root@trust_controller ~]# systemctl start smb winbindCopy to Clipboard Copied! Toggle word wrap Toggle overflow Print a timestamp as you attempt to establish a trust with verbose mode enabled.
date; ipa -vvv trust-add --type=ad ad.example.com
[root@trust_controller ~]# date; ipa -vvv trust-add --type=ad ad.example.comCopy to Clipboard Copied! Toggle word wrap Toggle overflow Review the following error log files for information about the failed request:
-
/var/log/httpd/error_log -
/var/log/samba/log.*
-
Disable debugging.
Copy to Clipboard Copied! Toggle word wrap Toggle overflow Optional: If you are unable to determine the cause of the authentication issue:
Collect and archive the log files you recently generated.
tar -cvf debugging-trust.tar /var/log/httpd/error_log /var/log/samba/log.*
[root@trust_controller ~]# tar -cvf debugging-trust.tar /var/log/httpd/error_log /var/log/samba/log.*Copy to Clipboard Copied! Toggle word wrap Toggle overflow - Open a Red Hat Technical Support case and provide the timestamp and debug logs from the attempt.
'%20d='M201.5%20305.5c-13.8%200-24.9-11.1-24.9-24.6%200-13.8%2011.1-24.9%2024.9-24.9%2013.6%200%2024.6%2011.1%2024.6%2024.9%200%2013.6-11.1%2024.6-24.6%2024.6zM504%20256c0%20137-111%20248-248%20248S8%20393%208%20256%20119%208%20256%208s248%20111%20248%20248zm-132.3-41.2c-9.4%200-17.7%203.9-23.8%2010-22.4-15.5-52.6-25.5-86.1-26.6l17.4-78.3%2055.4%2012.5c0%2013.6%2011.1%2024.6%2024.6%2024.6%2013.8%200%2024.9-11.3%2024.9-24.9s-11.1-24.9-24.9-24.9c-9.7%200-18%205.8-22.1%2013.8l-61.2-13.6c-3-.8-6.1%201.4-6.9%204.4l-19.1%2086.4c-33.2%201.4-63.1%2011.3-85.5%2026.8-6.1-6.4-14.7-10.2-24.1-10.2-34.9%200-46.3%2046.9-14.4%2062.8-1.1%205-1.7%2010.2-1.7%2015.5%200%2052.6%2059.2%2095.2%20132%2095.2%2073.1%200%20132.3-42.6%20132.3-95.2%200-5.3-.6-10.8-1.9-15.8%2031.3-16%2019.8-62.5-14.9-62.5zM302.8%20331c-18.2%2018.2-76.1%2017.9-93.6%200-2.2-2.2-6.1-2.2-8.3%200-2.5%202.5-2.5%206.4%200%208.6%2022.8%2022.8%2087.3%2022.8%20110.2%200%202.5-2.2%202.5-6.1%200-8.6-2.2-2.2-6.1-2.2-8.3%200zm7.7-75c-13.6%200-24.6%2011.1-24.6%2024.9%200%2013.6%2011.1%2024.6%2024.6%2024.6%2013.8%200%2024.9-11.1%2024.9-24.6%200-13.8-11-24.9-24.9-24.9z'/%3e%3c/svg%3e){kind=small}