How to capture debug logs to troubleshoot IPA-AD trust issues.

Solution Verified - Updated

Environment

  • Red Hat Enterprise Linux 7, 8, 9, 10
  • IPA/IdM
  • Active Directory

Issue

  • How to capture debug logs to troubleshoot IPA-AD trust issues.
  • Enable debug logging to troubleshoot IPA-AD trust issues

Resolution

Once the prerequisites are met as per the Basic Pre-check steps for configuring the IPA-AD Trust and the configuration appears to be correct, collect the debug logs for the trust issue as follows:

  1. Stop the smb and winbind services on the IdM server:

    systemctl stop smb winbind
    
  2. Raise the Samba log level in the registry-based configuration (IPA-managed Samba reads its settings from the registry, hence net conf) so that the packets smbd/winbindd receive are printed in full in the logs:

    net conf setparm global 'log level' 100
    
  3. Raise the log level used by IPA itself when it establishes the trust, so that its communication with AD is printed in full. Edit /usr/share/ipa/smb.conf.empty so that it reads:

     [global]
     log level = 100
    
  4. Remove the old /var/log/samba/log.* files, then start the smb and winbind services:

    systemctl start smb winbind
    
  5. Re-add the trust:

    ipa trust-add <forest root> ...
    
  6. If the trust-add command was run with a shared secret instead of explicit AD administrator credentials, then after the trust has been validated from the AD side, run:

    ipa trust-fetch-domains <forest root>
    
  7. Share the following logs with Red Hat Support for further analysis:

    /var/log/httpd/error_log
    /var/log/samba/log.*
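
The steps above as a single script, added here as an example; it is not part of the Red Hat article. It assumes it is run as root on the IdM server, uses the paths the article names, and takes the forest root plus the remaining ipa trust-add options from the caller; the function names and the state file under /var/tmp are this example's own. It also covers what the article leaves implicit: the previous registry log level and the original smb.conf.empty are saved and put back afterwards, because log level 100 produces very large logs containing full packet dumps, so it should not stay enabled, and the captured files should be handled as sensitive data.

```shell
#!/bin/bash
# Added example, not part of the Red Hat article: wraps steps 1-6 above.
# Assumptions: run as root on the IdM server; paths are the ones the article
# uses; the state file name is this example's own choice.
set -eu

SMB_CONF_EMPTY=/usr/share/ipa/smb.conf.empty
SAMBA_LOG_DIR=/var/log/samba
PREV_LEVEL_FILE=/var/tmp/ipa-trust-debug.prev-log-level   # example's own state file

# Set (or update) "log level = LEVEL" in the [global] section of a smb.conf-style
# file. Idempotent: an existing "log level" line in [global] is replaced,
# otherwise one is inserted at the end of [global]. Pure text transformation,
# so it can be tried on a scratch copy before touching the real file.
set_global_log_level() {
    file="$1"; level="$2"
    tmp="$(mktemp)"
    awk -v lvl="$level" '
        BEGIN { in_global = 0; written = 0 }
        /^[[:space:]]*\[/ {
            # leaving [global] without having seen a log level line: add one
            if (in_global && !written) { print "log level = " lvl; written = 1 }
            in_global = (tolower($0) ~ /^[[:space:]]*\[global\][[:space:]]*$/)
            print; next
        }
        in_global && tolower($0) ~ /^[[:space:]]*log[[:space:]]+level[[:space:]]*=/ {
            if (!written) { print "log level = " lvl; written = 1 }
            next
        }
        { print }
        END { if (in_global && !written) print "log level = " lvl }
    ' "$file" > "$tmp"
    cat "$tmp" > "$file"   # overwrite in place: keeps owner, mode and SELinux label
    rm -f "$tmp"
}

# Print the "log level" value from [global] (nothing if it is not set).
get_global_log_level() {
    awk '
        /^[[:space:]]*\[/ { in_global = (tolower($0) ~ /^[[:space:]]*\[global\][[:space:]]*$/); next }
        in_global && tolower($0) ~ /^[[:space:]]*log[[:space:]]+level[[:space:]]*=/ {
            sub(/^[^=]*=[[:space:]]*/, ""); print; exit
        }
    ' "$1"
}

# Steps 1-6.  Usage: capture_trust_debug_logs <forest root> [ipa trust-add options...]
capture_trust_debug_logs() {
    forest_root="$1"; shift
    [ "$(id -u)" -eq 0 ] || { echo "must run as root on the IdM server" >&2; return 1; }

    systemctl stop smb winbind
    # remember what to put back afterwards (registry value and the IPA template)
    net conf getparm global 'log level' > "$PREV_LEVEL_FILE" 2>/dev/null || : > "$PREV_LEVEL_FILE"
    cp -a "$SMB_CONF_EMPTY" "$SMB_CONF_EMPTY.bak"
    net conf setparm global 'log level' 100
    set_global_log_level "$SMB_CONF_EMPTY" 100
    rm -f "$SAMBA_LOG_DIR"/log.*
    systemctl start smb winbind

    # Remaining arguments are passed through unchanged (e.g. --admin/--password,
    # or --trust-secret for the shared-secret variant).
    ipa trust-add "$forest_root" "$@"
    if printf '%s\n' "$@" | grep -q -- '^--trust-secret'; then
        echo "Shared secret used: validate the trust on the AD side, then run" >&2
        echo "  ipa trust-fetch-domains $forest_root" >&2
    fi
}

# Undo the verbosity once the logs are captured. Level-100 logs grow quickly
# and contain full packet dumps, so they must not stay enabled.
restore_log_level() {
    systemctl stop smb winbind
    if [ -s "$PREV_LEVEL_FILE" ]; then
        net conf setparm global 'log level' "$(cat "$PREV_LEVEL_FILE")"
    else
        net conf delparm global 'log level'
    fi
    rm -f "$PREV_LEVEL_FILE"
    if [ -f "$SMB_CONF_EMPTY.bak" ]; then
        mv "$SMB_CONF_EMPTY.bak" "$SMB_CONF_EMPTY"
    fi
    systemctl start smb winbind
}
```

Typical use is `capture_trust_debug_logs <forest root> --admin Administrator --password` (or with `--trust-secret`), copy /var/log/httpd/error_log and /var/log/samba/log.* somewhere safe, then `restore_log_level`. The config editing is kept separate from the service handling so it can be checked on a copy of smb.conf.empty first.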
    


Root Cause

  • Error messages from ipa group-add-member ad_admins_external or ipa trust-add can be generic, so the debug logs are needed to understand the actual issue. For example:

    # ipa group-add-member ad_admins_external --external 'ADNETBIOS\DOMAIN ADMIN'
    [member user]: 
    [member group]: 
      Group name: ad_admins_external
      External member: S-1-5-21-660298659-878500314-2150610048-190089
      Failed members: 
        member user: 
        member group: ADNETBIOS\DOMAIN ADMIN: trusted domain object not found
    

This solution is part of Red Hat’s fast-track publication program, providing a huge library of solutions that Red Hat engineers have created while supporting our customers. To give you the knowledge you need the instant it becomes available, these articles may be presented in a raw and unedited form.