gardart / ansible-freeipa-lab

Testing environment for FreeIPA identity management (IDM) with Active Directory
MIT License

Error after adding trust #1

Closed gardart closed 3 years ago

gardart commented 3 years ago

error on server 'ipa.idm.ad.test': Fetching domains from trusted forest failed. See details in the error_log

gardart commented 3 years ago

tail -f /var/log/httpd/error_log

[Mon Apr 12 20:49:10.915912 2021] [:warn] [pid 1787:tid 139643001497344] [client 192.168.68.1:51577] failed to set perms (3140) on file (/run/ipa/ccaches/admin@IDM.AD.TEST)!, referer: https://ipa.idm.ad.test/ipa/ui/
[Mon Apr 12 20:49:17.752677 2021] [wsgi:error] [pid 1782:tid 139643020248832] [remote 192.168.68.1:51577] ipa: ERROR: Helper fetch_domains was called for forest ad.test, return code is 1
[Mon Apr 12 20:49:17.753724 2021] [wsgi:error] [pid 1782:tid 139643020248832] [remote 192.168.68.1:51577] ipa: ERROR: Standard output from the helper:
[Mon Apr 12 20:49:17.753741 2021] [wsgi:error] [pid 1782:tid 139643020248832] [remote 192.168.68.1:51577] ---
[Mon Apr 12 20:49:17.753750 2021] [wsgi:error] [pid 1782:tid 139643020248832] [remote 192.168.68.1:51577]
[Mon Apr 12 20:49:17.753825 2021] [wsgi:error] [pid 1782:tid 139643020248832] [remote 192.168.68.1:51577] ipa: ERROR: Error output from the helper:
[Mon Apr 12 20:49:17.753833 2021] [wsgi:error] [pid 1782:tid 139643020248832] [remote 192.168.68.1:51577] Traceback (most recent call last):
[Mon Apr 12 20:49:17.753838 2021] [wsgi:error] [pid 1782:tid 139643020248832] [remote 192.168.68.1:51577] File "/usr/libexec/ipa/oddjob/com.redhat.idm.trust-fetch-domains", line 274, in
[Mon Apr 12 20:49:17.753845 2021] [wsgi:error] [pid 1782:tid 139643020248832] [remote 192.168.68.1:51577] config=cfg,
[Mon Apr 12 20:49:17.753850 2021] [wsgi:error] [pid 1782:tid 139643020248832] [remote 192.168.68.1:51577] File "/usr/lib/python3.6/site-packages/ipalib/install/kinit.py", line 47, in kinit_keytab
[Mon Apr 12 20:49:17.753857 2021] [wsgi:error] [pid 1782:tid 139643020248832] [remote 192.168.68.1:51577] cred = gssapi.Credentials(name=name, store=store, usage='initiate')
[Mon Apr 12 20:49:17.753863 2021] [wsgi:error] [pid 1782:tid 139643020248832] [remote 192.168.68.1:51577] File "/usr/lib64/python3.6/site-packages/gssapi/creds.py", line 64, in __new__
[Mon Apr 12 20:49:17.753870 2021] [wsgi:error] [pid 1782:tid 139643020248832] [remote 192.168.68.1:51577] store=store)
[Mon Apr 12 20:49:17.753875 2021] [wsgi:error] [pid 1782:tid 139643020248832] [remote 192.168.68.1:51577] File "/usr/lib64/python3.6/site-packages/gssapi/creds.py", line 148, in acquire
[Mon Apr 12 20:49:17.753881 2021] [wsgi:error] [pid 1782:tid 139643020248832] [remote 192.168.68.1:51577] usage)
[Mon Apr 12 20:49:17.753887 2021] [wsgi:error] [pid 1782:tid 139643020248832] [remote 192.168.68.1:51577] File "gssapi/raw/ext_cred_store.pyx", line 182, in gssapi.raw.ext_cred_store.acquire_cred_from
[Mon Apr 12 20:49:17.753894 2021] [wsgi:error] [pid 1782:tid 139643020248832] [remote 192.168.68.1:51577] gssapi.raw.misc.GSSError: Major (851968): Unspecified GSS failure. Minor code may provide more information, Minor (2529638918): Client 'IDM$@AD.TEST' not found in Kerberos database
[Mon Apr 12 20:49:17.753910 2021] [wsgi:error] [pid 1782:tid 139643020248832] [remote 192.168.68.1:51577]
[Mon Apr 12 20:49:17.753915 2021] [wsgi:error] [pid 1782:tid 139643020248832] [remote 192.168.68.1:51577] During handling of the above exception, another exception occurred:
[Mon Apr 12 20:49:17.753921 2021] [wsgi:error] [pid 1782:tid 139643020248832] [remote 192.168.68.1:51577]
[Mon Apr 12 20:49:17.753926 2021] [wsgi:error] [pid 1782:tid 139643020248832] [remote 192.168.68.1:51577] Traceback (most recent call last):
[Mon Apr 12 20:49:17.753932 2021] [wsgi:error] [pid 1782:tid 139643020248832] [remote 192.168.68.1:51577] File "/usr/libexec/ipa/oddjob/com.redhat.idm.trust-fetch-domains", line 285, in
[Mon Apr 12 20:49:17.753939 2021] [wsgi:error] [pid 1782:tid 139643020248832] [remote 192.168.68.1:51577] config=cfg,
[Mon Apr 12 20:49:17.753944 2021] [wsgi:error] [pid 1782:tid 139643020248832] [remote 192.168.68.1:51577] File "/usr/lib/python3.6/site-packages/ipalib/install/kinit.py", line 47, in kinit_keytab
[Mon Apr 12 20:49:17.753951 2021] [wsgi:error] [pid 1782:tid 139643020248832] [remote 192.168.68.1:51577] cred = gssapi.Credentials(name=name, store=store, usage='initiate')
[Mon Apr 12 20:49:17.753957 2021] [wsgi:error] [pid 1782:tid 139643020248832] [remote 192.168.68.1:51577] File "/usr/lib64/python3.6/site-packages/gssapi/creds.py", line 64, in __new__
[Mon Apr 12 20:49:17.753963 2021] [wsgi:error] [pid 1782:tid 139643020248832] [remote 192.168.68.1:51577] store=store)
[Mon Apr 12 20:49:17.753969 2021] [wsgi:error] [pid 1782:tid 139643020248832] [remote 192.168.68.1:51577] File "/usr/lib64/python3.6/site-packages/gssapi/creds.py", line 148, in acquire
[Mon Apr 12 20:49:17.753975 2021] [wsgi:error] [pid 1782:tid 139643020248832] [remote 192.168.68.1:51577] usage)
[Mon Apr 12 20:49:17.753980 2021] [wsgi:error] [pid 1782:tid 139643020248832] [remote 192.168.68.1:51577] File "gssapi/raw/ext_cred_store.pyx", line 182, in gssapi.raw.ext_cred_store.acquire_cred_from
[Mon Apr 12 20:49:17.753987 2021] [wsgi:error] [pid 1782:tid 139643020248832] [remote 192.168.68.1:51577] gssapi.raw.misc.GSSError: Major (851968): Unspecified GSS failure. Minor code may provide more information, Minor (2529638918): Client 'IDM$@AD.TEST' not found in Kerberos database
[Mon Apr 12 20:49:17.753995 2021] [wsgi:error] [pid 1782:tid 139643020248832] [remote 192.168.68.1:51577] --
[Mon Apr 12 20:49:17.754004 2021] [wsgi:error] [pid 1782:tid 139643020248832] [remote 192.168.68.1:51577]
[Mon Apr 12 20:49:17.754248 2021] [wsgi:error] [pid 1782:tid 139643020248832] [remote 192.168.68.1:51577] ipa: INFO: [jsonserver_session] admin@IDM.AD.TEST: trust_fetch_domains('ad.test', version='2.239'): ServerCommandError
^C
gardart commented 3 years ago

Before doing this it is suggested that the SSSD service be stopped.

systemctl stop sssd

After this we want to delete all files within the /var/lib/sss/db/ directory.

rm -rf /var/lib/sss/db/*

Once complete, we can start SSSD back up again.

systemctl restart sssd

SSSD should now start up correctly with an empty cache; any user login will now first go directly to the defined identity provider for authentication and then be cached locally afterwards.

gardart commented 3 years ago

DNS settings fixed this problem
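The error_log posted earlier in this issue and the DNS resolution above fit together: the trust-fetch-domains helper tries to obtain a TGT as the IPA trust account (`IDM$@AD.TEST`, the `$`-suffixed account AD creates for the trusted IPA domain) and a KDC for AD.TEST answers that the principal does not exist, which is what you get when the IPA server is sent to a domain controller that does not hold the trust, or to the wrong KDC altogether. The script below is an added example, not code from ansible-freeipa-lab or FreeIPA: it splits a run-together Apache error_log into entries, pulls out the helper return code, the GSS minor code and the principal the KDC rejected, and then lists the SRV names each side has to resolve before the trust can work. The sample log is constructed from the entries in this thread; the SRV record names are the ones the RHEL/FreeIPA trust documentation asks you to verify with `dig` (an assumption to confirm against the docs for your version), and the helper and function names are mine.

```python
"""Triage a FreeIPA 'Fetching domains from trusted forest failed' error_log.

Added example for this issue; not code from ansible-freeipa-lab or FreeIPA.
"""
import re
from typing import Dict, List, Optional

# Constructed sample: three entries taken from the thread's log, joined onto one
# line the way the issue page renders them. The parser has to cope with that.
SAMPLE_LOG = (
    "[Mon Apr 12 20:49:17.752677 2021] [wsgi:error] [pid 1782:tid 139643020248832] "
    "[remote 192.168.68.1:51577] ipa: ERROR: Helper fetch_domains was called for forest "
    "ad.test, return code is 1 "
    "[Mon Apr 12 20:49:17.753894 2021] [wsgi:error] [pid 1782:tid 139643020248832] "
    "[remote 192.168.68.1:51577] gssapi.raw.misc.GSSError: Major (851968): Unspecified GSS "
    "failure. Minor code may provide more information, Minor (2529638918): Client "
    "'IDM$@AD.TEST' not found in Kerberos database "
    "[Mon Apr 12 20:49:17.754248 2021] [wsgi:error] [pid 1782:tid 139643020248832] "
    "[remote 192.168.68.1:51577] ipa: INFO: [jsonserver_session] admin@IDM.AD.TEST: "
    "trust_fetch_domains('ad.test', version='2.239'): ServerCommandError"
)

# Apache error_log entry: [timestamp] [module:level] [pid ...] [client|remote ...] message
TIMESTAMP_RE = re.compile(r"\[[A-Z][a-z]{2} [A-Z][a-z]{2} \d{2} \d{2}:\d{2}:\d{2}\.\d+ \d{4}\]")
ENTRY_RE = re.compile(
    r"\[(?P<ts>[^\]]+)\] \[(?P<level>[^\]]*)\] \[pid (?P<pid>[^\]]+)\] "
    r"\[(?:client|remote) (?P<peer>[^\]]+)\]\s?(?P<msg>.*)",
    re.S,
)
HELPER_RE = re.compile(r"Helper (?P<helper>\S+) was called for forest (?P<forest>\S+), return code is (?P<rc>\d+)")
GSS_RE = re.compile(r"GSSError: Major \((?P<major>\d+)\):.*?Minor \((?P<minor>\d+)\): (?P<detail>.+)", re.S)
NOT_FOUND_RE = re.compile(r"Client '(?P<principal>[^']+)' not found in Kerberos database")
SESSION_RE = re.compile(r"\[jsonserver_session\] (?P<user>[^@\s]+)@(?P<realm>[A-Za-z0-9.\-]+):")


def split_entries(text: str) -> List[Dict[str, str]]:
    """Cut the text before every timestamp so concatenated entries come apart."""
    starts = [m.start() for m in TIMESTAMP_RE.finditer(text)]
    entries = []
    for i, start in enumerate(starts):
        end = starts[i + 1] if i + 1 < len(starts) else len(text)
        m = ENTRY_RE.match(text[start:end].strip())
        if m:
            entries.append(m.groupdict())
    return entries


def triage(log_text: str) -> Dict[str, Optional[object]]:
    """Pull the helper result, GSS minor code and the principals out of the log."""
    f: Dict[str, Optional[object]] = dict(helper=None, forest=None, return_code=None,
                                          gss_minor=None, gss_detail=None,
                                          missing_principal=None, kdc_realm=None, ipa_realm=None)
    for entry in split_entries(log_text):
        msg = entry["msg"]
        m = HELPER_RE.search(msg)
        if m:
            f.update(helper=m["helper"], forest=m["forest"], return_code=int(m["rc"]))
        m = GSS_RE.search(msg)
        if m:
            f.update(gss_minor=int(m["minor"]), gss_detail=m["detail"].strip())
        m = NOT_FOUND_RE.search(msg)
        if m:
            f["missing_principal"] = m["principal"]
            f["kdc_realm"] = m["principal"].rsplit("@", 1)[-1]  # realm whose KDC answered
        m = SESSION_RE.search(msg)
        if m:
            f["ipa_realm"] = m["realm"]
    return f


def verdict(f: Dict[str, Optional[object]]) -> str:
    """Plain-English reading; a '$' suffix marks a trust/machine account, not a user."""
    princ = f["missing_principal"]
    if not princ:
        return "no 'not found in Kerberos database' error in this log"
    name, realm = str(princ).rsplit("@", 1)
    if name.endswith("$"):
        return (f"trust account {princ} could not obtain a TGT: the KDC answering for {realm} "
                "does not hold it. Check which DCs DNS returns for that realm and that the "
                "trust object exists there; flushing the SSSD cache does not change this.")
    return f"principal {princ} is unknown to the {realm} KDC"


def srv_names_to_verify(ad_realm: str, ipa_realm: str) -> Dict[str, List[str]]:
    """SRV names each side must resolve (assumed from the RHEL/FreeIPA trust DNS
    checks; confirm against your docs). Query each with: dig +short -t SRV <name>"""
    ad, ipa = ad_realm.lower(), ipa_realm.lower()
    return {
        "ipa_server_must_resolve": [f"_ldap._tcp.dc._msdcs.{ad}",
                                    f"_kerberos._tcp.dc._msdcs.{ad}"],
        "ad_dc_must_resolve": [f"_kerberos._tcp.{ipa}", f"_ldap._tcp.{ipa}",
                               f"_kerberos._tcp.dc._msdcs.{ipa}", f"_ldap._tcp.dc._msdcs.{ipa}"],
    }


if __name__ == "__main__":
    finding = triage(SAMPLE_LOG)
    print(verdict(finding))
    for side, names in srv_names_to_verify(str(finding["kdc_realm"]), str(finding["ipa_realm"])).items():
        print(side, names)
```

Run it against a real log with `triage(open("/var/log/httpd/error_log").read())`; the entry splitter works on the properly line-broken file as well as on the pasted one-line version. The rejected principal is the useful fact here: when it is the `$` trust account rather than a user, the problem sits between the IPA server and the AD domain controllers (DNS, SRV records, trust object), which is why clearing `/var/lib/sss/db` did nothing for this issue and the DNS change did.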