On 03/12/2014 04:56 PM, Alexander Bokovoy wrote:
> Hi,
> 
> Trusted domain SID could be obtained through different means. When it is
> fetched from the AD DC via LDAP, it needs to be extracted from a default
> context and explicitly converted to unicode.
> 
> https://fedorahosted.org/freeipa/ticket/4246

This only works for ADs without subdomains. When there are subdomains, AD does
not allow us to retrieve them and command fails right after creating the
trust object:

# echo Secret123 | ipa trust-add tbad.example.com --trust-secret
ipa: ERROR: AD domain controller complains about communication sequence. It may
mean unsynchronized time on both sides, for example

# ipa trust-fetch-domains tbad.example.com
ipa: ERROR: AD domain controller complains about communication sequence. It may
mean unsynchronized time on both sides, for example

When I refreshed FreeIPA domains on AD side, it started working again:

# ipa trust-fetch-domains tbad.example.com
--------------------------------------------
List of trust domains successfully refreshed
--------------------------------------------
  Realm name: child.tbad.example.com
  Domain NetBIOS name: CHILD
  Domain Security Identifier: S-1-5-21-972585150-1048339146-1910910075
----------------------------
Number of entries returned 1
----------------------------

Martin
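The quoted patch description concerns turning a trusted-domain SID fetched over LDAP into a proper unicode string. As an added illustration (not FreeIPA's own code, and not the patch under discussion), the following Python decodes the binary `objectSid` form an LDAP client returns (revision byte, sub-authority count, 48-bit big-endian identifier authority, then little-endian 32-bit sub-authorities) into the familiar `S-1-5-21-...` text, encodes it back, and normalizes either representation to `str`. The `trusted_domain_sid` helper and its choice to accept both raw binary and text values are assumptions of this example; the sample SID is the one printed by `ipa trust-fetch-domains` above.

```python
import struct

# Sample value taken from the trust-fetch-domains output in this thread.
SAMPLE_SID_TEXT = "S-1-5-21-972585150-1048339146-1910910075"


def sid_bytes_to_str(blob: bytes) -> str:
    """Decode a binary SID (as stored in AD objectSid) into S-R-A-S1-S2... text."""
    if len(blob) < 8:
        raise ValueError("SID blob too short")
    revision, count = blob[0], blob[1]
    if revision != 1:
        raise ValueError("unsupported SID revision %d" % revision)
    if count > 15 or len(blob) != 8 + 4 * count:
        raise ValueError("SID sub-authority count does not match blob length")
    # Identifier authority is a 48-bit big-endian integer (5 for NT authority).
    authority = int.from_bytes(blob[2:8], "big")
    # Sub-authorities are little-endian unsigned 32-bit integers.
    subs = struct.unpack("<%dI" % count, blob[8:])
    return "S-%d-%d%s" % (revision, authority, "".join("-%d" % s for s in subs))


def sid_str_to_bytes(sid: str) -> bytes:
    """Encode S-R-A-S1-S2... text back into the binary SID layout."""
    parts = sid.split("-")
    if len(parts) < 3 or parts[0] != "S":
        raise ValueError("not a SID string: %r" % sid)
    revision = int(parts[1])
    authority = int(parts[2])
    subs = [int(p) for p in parts[3:]]
    if revision != 1 or len(subs) > 15 or authority >= 1 << 48:
        raise ValueError("SID out of range: %r" % sid)
    return (bytes([revision, len(subs)])
            + authority.to_bytes(6, "big")
            + struct.pack("<%dI" % len(subs), *subs))


def trusted_domain_sid(value) -> str:
    """Normalize an LDAP attribute value to a unicode SID string.

    Hypothetical helper: accepts the binary objectSid form (first byte is the
    revision, 0x01), the textual form as bytes, or an already-decoded str.
    """
    if isinstance(value, str):
        text = value
    elif isinstance(value, (bytes, bytearray)):
        if value[:1] == b"\x01":
            text = sid_bytes_to_str(bytes(value))
        else:
            # Text SID transported as raw bytes; decode explicitly to unicode.
            text = value.decode("utf-8")
    else:
        raise TypeError("unsupported SID value type %s" % type(value).__name__)
    # Round-trip through the binary layout to validate the structure.
    return sid_bytes_to_str(sid_str_to_bytes(text))


if __name__ == "__main__":
    blob = sid_str_to_bytes(SAMPLE_SID_TEXT)
    print(blob.hex())
    print(trusted_domain_sid(blob))
    print(trusted_domain_sid(SAMPLE_SID_TEXT.encode("utf-8")))
```

The round-trip in `trusted_domain_sid` is deliberate: a value that decodes to text but does not re-encode to the same layout (wrong revision, more than fifteen sub-authorities, garbage after the last one) is rejected instead of being silently stored as the trust's identifier.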

_______________________________________________
Freeipa-devel mailing list
Freeipa-devel@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-devel
