On Tue, 2012-03-13 at 13:26 +0200, Alexander Bokovoy wrote:
> Hi,
>
> at
> http://fedorapeople.org/gitweb?p=abbra/public_git/freeipa.git;a=shortlog;h=refs/heads/adwork
>
> one can find the current state of the AD trusts work.
>
> This tree introduces the 'ipa trust-*' family of commands and the
> freeipa-server-trust-ad package to pull in additional dependencies
> after install in order to make 'ipa trust-add-ad' work.
>
> You'll need samba4-4.0.0-102alpha18 from the ipa-devel repository to get
> trusts working. There are dragons, however, so beware of possible
> issues:
>
> 1. Make sure you have properly set up a domain forwarder to your Active
> Directory DNS server so that SRV record resolution works from the IPA
> server side.
>
> One can do it with a simple configuration in BIND, for example:
> zone "ad.local" {
>     type forward;
>     forward only;
>     forwarders { 192.168.111.207; };
>     check-names ignore;
> };
>
> You'd need to do the same on the Windows side as well.
>
> 2. samba4 4.0.0-102alpha18 has one minor bug in its systemd service
> (https://fedorahosted.org/freeipa/ticket/2523); you'd need to add
>
> ExecStartPre=/bin/mkdir -p /run/samba
>
> before the ExecStart= stanza to get it working with the tmpfs-based /run in
> Fedora 17.
This is wrong. Please add a file in /etc/tmpfiles.d/samba.conf
Contents should be:

d /var/run/samba 644 root root

(adjust permission and ownership accordingly).

This file needs to be added to the samba4 package (and the samba3 package
as well?)

> 3. Once everything is ready, one needs to run ipa-adtrust-install to
> set up our domain and the Samba configuration.
>
> ipa-adtrust-install
>
> Answer its questions (defaults are fine) and after it has finished,
> there should be smbd processes running.
>
> 4. kinit again to re-generate your ticket with the MS PAC included.
>
> 5. There is an issue in MIT Kerberos related to s4u2proxy handling of MS
> PAC data when comparing the principals. This issue essentially forbids
> using s4u2proxy functionality with IPA as soon as the Kerberos ticket
> contains an MS PAC. To get around it, one needs to always specify the
> --delegate option to the 'ipa' command.
>
> 6. Run
>
> ipa trust-add-ad <domain for trust> --admin <Administrator> --password
>
> 'ipa trust-add-ad' will ask you for the trusted domain's administrator's
> password and then do discovery of the domain controller using SRV
> records in the trusted domain's DNS, set up the remote half of the trust
> and later attempt to set up the local part of the trust.
>
>
> Here is an example of use:
> # ipa --delegate trust-add-ad ad.local --admin Administrator --password
> Password of the realm's administrator:
> -------------------------------------------------
> Added Active Directory trust for realm "ad.local"
> -------------------------------------------------
> # ipa --delegate trust-show ad.local
>   Realm name: ad.local
>   Domain NetBIOS name: AD
>   Trust direction: Both directions
>   Trust type: Cross-Forest
>

--
Simo Sorce * Red Hat, Inc * New York

_______________________________________________
Freeipa-devel mailing list
Freeipa-devel@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-devel
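As an added example, not code from this thread nor from the FreeIPA or Samba projects, the steps above wrapped in POSIX sh helpers so the DNS-forwarder and tmpfiles.d parts can be checked before touching Kerberos. The function names, the /etc/named/forward-<domain>.conf path (which still has to be included from named.conf by hand), the `admin` principal used for kinit, and the 0755 directory mode are assumptions; the reply leaves mode and owner to be adjusted, and 0755 is used because a directory needs the execute bit to be traversable. The SRV names checked are the standard AD domain-controller and KDC records. Nothing is executed against a live system unless the script is invoked with `apply`, so the pure helpers can be exercised offline.

```shell
#!/bin/sh
# Added example (not from the thread, FreeIPA or Samba): helpers for the
# AD-trust prerequisites, with Simo's tmpfiles.d correction applied.
# Hypothetical names/paths; see the lead-in for what is assumed.

# Step 1: print a BIND forward-only zone for the AD DNS domain.
# $1 = AD domain, remaining args = forwarder IPv4 addresses (dotted quads,
# crudely validated: digits and dots only, no leading/trailing dot).
bind_forward_zone() {
    domain=$1; shift
    [ $# -gt 0 ] || { echo "need at least one forwarder" >&2; return 1; }
    fwd=""
    for ip in "$@"; do
        case "$ip" in
            "" | *[!0-9.]* | .* | *. ) echo "bad forwarder: $ip" >&2; return 1 ;;
        esac
        fwd="$fwd $ip;"
    done
    printf 'zone "%s" {\n    type forward;\n    forward only;\n    forwarders {%s };\n    check-names ignore;\n};\n' \
        "$domain" "$fwd"
}

# SRV records that domain-controller discovery and Kerberos rely on;
# both must resolve from the IPA server through that forwarder.
ad_srv_names() {
    printf '_ldap._tcp.dc._msdcs.%s\n_kerberos._tcp.%s\n' "$1" "$1"
}

# Live check of those records (needs dig from bind-utils). Returns 1 if
# any lookup comes back empty, which is what step 1 is guarding against.
check_ad_srv() {
    rc=0
    for rr in $(ad_srv_names "$1"); do
        if [ -z "$(dig +short SRV "$rr")" ]; then
            echo "no SRV record for $rr via this resolver" >&2; rc=1
        fi
    done
    return $rc
}

# Step 2: the tmpfiles.d line instead of patching the unit file.
# 0755 root:root is an assumption (the reply says to adjust); /run/samba
# is the same directory as /var/run/samba on Fedora 17 (/var/run -> /run).
samba_tmpfiles_line() {
    printf 'd /run/samba 0755 root root -\n'
}

# Steps 3-6 for real. Usage:
#   sh adtrust.sh apply ad.local 192.168.111.207 Administrator
apply_trust() {
    domain=$1; forwarder=$2; admin=$3
    bind_forward_zone "$domain" "$forwarder" > "/etc/named/forward-$domain.conf"
    echo "include /etc/named/forward-$domain.conf from named.conf and reload named" >&2
    samba_tmpfiles_line > /etc/tmpfiles.d/samba.conf
    systemd-tmpfiles --create /etc/tmpfiles.d/samba.conf
    check_ad_srv "$domain" || return 1
    ipa-adtrust-install                 # step 3, defaults are fine
    kinit admin                         # step 4, fresh ticket carrying the MS PAC
    # steps 5/6: --delegate works around the s4u2proxy/PAC issue noted above
    ipa --delegate trust-add-ad "$domain" --admin "$admin" --password
    ipa --delegate trust-show "$domain"
}

case "${1:-}" in
    apply) shift; apply_trust "$@" ;;
esac
```

Run with no arguments the script only defines the helpers; `bind_forward_zone ad.local 192.168.111.207` reproduces the zone stanza from the first message, and `check_ad_srv ad.local` is the quick test to run on the IPA server before `ipa-adtrust-install`, since a forwarder that is missing or pointed at the wrong address shows up there as an empty SRV answer rather than later as a failed trust-add-ad.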