On Thu, Jul 20, 2017 at 12:20:31PM -0400, Steve Weeks via FreeIPA-users wrote:
> We've set up a two-way trust with AD and it seems to have worked, but it
> doesn't look like it is working correctly.
> 
> The Kerberos commands (kinit and kvno) work fine, but things like 'id
> adu...@addomain.example.com' and 'getent passwd adu...@addomain.example.com'
> don't work.
> 
> # ipa trust-add --type ad addomain.example.com --admin adadmin --password --two-way=true
> Active Directory domain administrator's password:
> -----------------------------------------------------
> Added Active Directory trust for realm "addomain.example.com"
> -----------------------------------------------------
>   Realm name: addomain.example.com
>   Domain NetBIOS name: ADDOMAIN
>   Domain Security Identifier: S-1-5-21-2229161606-873856335-779138662
>   Trust direction: Two-way trust
>   Trust type: Active Directory domain
>   Trust status: Established and verified
> 
> # kinit adu...@addomain.example.com
> Password for adu...@addomain.example.com:
> 
> # klist
> Ticket cache: KEYRING:persistent:0:krb_ccache_o3D2R5S
> Default principal: adu...@addomain.example.com
> 
> Valid starting       Expires              Service principal
> 07/20/2017 12:16:41  07/20/2017 22:16:41  krbtgt/addomain.example....@addomain.example.com
>         renew until 07/21/2017 12:16:38
> 
> # id adu...@addomain.example.com
> id: ‘adu...@addomain.example.com’: no such user
> 
> Is this the best way to test the trust?
> 
> We are running FreeIPA 4.4 and Windows Server 2012 R2
> 
> When setting up the trust we needed to modify /etc/hosts as described in
> https://bugzilla.redhat.com/show_bug.cgi?id=878168

Since the trust is two-way, can you kinit using the system keytab and
try searching the AD DC? e.g.

kinit -k
ldapsearch -Y GSSAPI -H ldap://your.ad.dc -s base -b ""

that should return the rootDSE and give you the ldap/your.ad.dc ticket
in the process if the trust works OK.
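As an added example (not from the thread), a small Python helper that parses `klist` output, rejoining a service principal that klist wrapped onto the following line as in the quoted output, and reports whether the cross-realm TGT and the ldap/ ticket for the AD DC that the reply expects are present. The cache contents, host names and realm names below are constructed.

```python
import re

# Constructed sample klist output (not from the thread): the IPA host
# principal's own TGT, the cross-realm TGT for the AD realm with its
# service principal wrapped onto a second line, and the ldap/ ticket.
SAMPLE_KLIST = """\
Ticket cache: KEYRING:persistent:0:krb_ccache_example
Default principal: host/ipa.example.com@EXAMPLE.COM

Valid starting       Expires              Service principal
07/20/2017 12:16:41  07/20/2017 22:16:41  krbtgt/EXAMPLE.COM@EXAMPLE.COM
07/20/2017 12:16:45  07/20/2017 22:16:45  krbtgt/
ADDOMAIN.EXAMPLE.COM@EXAMPLE.COM
\trenew until 07/21/2017 12:16:38
07/20/2017 12:16:46  07/20/2017 22:16:46  ldap/dc1.addomain.example.com@ADDOMAIN.EXAMPLE.COM
"""

# A ticket line: two timestamps followed by the (possibly truncated) principal.
TICKET_RE = re.compile(
    r"^(\d{2}/\d{2}/\d{4} \d{2}:\d{2}:\d{2})\s+"
    r"(\d{2}/\d{2}/\d{4} \d{2}:\d{2}:\d{2})\s+(\S*)$")


def parse_klist(text):
    """Return (default principal, [service principals]) from klist output."""
    principal, services = None, []
    lines = text.splitlines()
    i = 0
    while i < len(lines):
        line = lines[i]
        if line.startswith("Default principal:"):
            principal = line.split(":", 1)[1].strip()
        elif (m := TICKET_RE.match(line)):
            service = m.group(3)
            # No '@' yet means klist wrapped the principal onto the next line.
            if "@" not in service and i + 1 < len(lines):
                i += 1
                service += lines[i].strip()
            services.append(service)
        i += 1  # 'renew until' and header lines fall through untouched
    return principal, services


def trust_tickets(text, ad_realm):
    """Which trust-relevant tickets for ad_realm are in the cache."""
    _, services = parse_klist(text)
    realm = ad_realm.upper()
    return {
        "cross_realm_tgt": any(s.startswith(f"krbtgt/{realm}@") for s in services),
        "ad_ldap_ticket": any(s.startswith("ldap/") and s.endswith("@" + realm)
                              for s in services),
    }
```

In practice you would feed it the real output, e.g. `trust_tickets(subprocess.check_output(["klist"], text=True), "addomain.example.com")`, after running the kinit and ldapsearch above.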
_______________________________________________
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org