Looks like I got the rootDSE, 109 lines of information, and got the
following at the end.  I don't know much about LDAP, so I'm guessing this
was successful.  And yes, I did get an ldap/ad.cd ticket.  What should I
look at next?

Thanks,
Steve

isSynchronized: TRUE
isGlobalCatalogReady: TRUE
domainFunctionality: 6
forestFunctionality: 6
domainControllerFunctionality: 6

# search result
search: 4
result: 0 Success

# numResponses: 2
# numEntries: 1


On Thu, Jul 20, 2017 at 3:21 PM, Jakub Hrozek <jhro...@redhat.com> wrote:

> On Thu, Jul 20, 2017 at 12:20:31PM -0400, Steve Weeks via FreeIPA-users
> wrote:
> > We've setup a two-way trust with AD and it seems to have worked, but it
> > doesn't look like it is working correctly.
> >
> > The Kerberos commands (kinit and kvno) work fine, but things like 'id
> > adu...@addomain.example.com' and 'getent passwd
> > adu...@addomain.example.com'
> > don't work.
> >
> > # ipa trust-add --type ad addomain.example.com --admin adadmin
> > --password --two-way=true
> > Active Directory domain administrator's password:
> > -----------------------------------------------------
> > Added Active Directory trust for realm "addomain.example.com"
> > -----------------------------------------------------
> >   Realm name: addomain.example.com
> >   Domain NetBIOS name: ADDOMAIN
> >   Domain Security Identifier: S-1-5-21-2229161606-873856335-779138662
> >   Trust direction: Two-way trust
> >   Trust type: Active Directory domain
> >   Trust status: Established and verified
> >
> > # kinit adu...@addomain.example.com
> > Password for adu...@addomain.example.com:
> >
> > # klist
> > Ticket cache: KEYRING:persistent:0:krb_ccache_o3D2R5S
> > Default principal: adu...@addomain.example.com
> >
> > Valid starting       Expires              Service principal
> > 07/20/2017 12:16:41  07/20/2017 22:16:41  krbtgt/addomain.example....@addomain.example.com
> >         renew until 07/21/2017 12:16:38
> >
> > # id adu...@addomain.example.com
> > id: ‘adu...@addomain.example.com’: no such user
> >
> > Is this the best way to test the trust?
> >
> > We are running FreeIPA 4.4 and Windows Server 2012 R2
> >
> > When setting up the trust we needed to modify /etc/hosts as described in
> > https://bugzilla.redhat.com/show_bug.cgi?id=878168
>
> Since the trust is two-way, can you kinit using the system keytab and
> try searching the AD DC? e.g.
>
> kinit -k
> ldapsearch -Y GSSAPI -H ldap://your.ad.dc -s base -b ""
>
> that should return the rootDSE and give you the ldap/your.ad.dc ticket
> in the process if the trust works OK.
>
_______________________________________________
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org
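The check Jakub describes only proves the trust if two things hold: the base search against the AD DC returns a usable rootDSE, and the credential cache afterwards holds the full cross-realm chain (the IPA host's own TGT, the cross-realm TGT krbtgt/AD-REALM@IPA-REALM that the IPA KDC issues, and an ldap/ service ticket in the AD realm that the AD KDC issued on the strength of it). The following is an added example, not code from the thread, from Steve, or from FreeIPA; it connects to nothing and simply interprets the text of `ldapsearch -Y GSSAPI -H ldap://your.ad.dc -s base -b ""` and `klist` that you already have. The realm names (IPA.EXAMPLE.COM, ADDOMAIN.EXAMPLE.COM), the DC host name and both sample outputs are constructed for illustration; the mapping of domainFunctionality values to Windows releases is Microsoft's documented DS_BEHAVIOR_* numbering.

```python
"""Interpret the output of the two-way-trust check from the thread.

Added example, not code from the thread or from FreeIPA. It parses the
text printed by `ldapsearch ... -s base -b ""` and by `klist`; it does not
talk to a DC. Realm and host names below are constructed assumptions.
"""
import re

# domainFunctionality / forestFunctionality / domainControllerFunctionality
# values, per Microsoft's DS_BEHAVIOR_* numbering.
FUNCTIONAL_LEVELS = {
    0: "Windows 2000", 1: "Windows Server 2003 interim",
    2: "Windows Server 2003", 3: "Windows Server 2008",
    4: "Windows Server 2008 R2", 5: "Windows Server 2012",
    6: "Windows Server 2012 R2", 7: "Windows Server 2016",
}


def parse_ldapsearch(text):
    """attr -> [values] from ldapsearch LDIF output. ldapsearch prints its
    summary ('# numEntries: 1') as LDIF comments, so '# key: value' lines
    are kept; other comment lines are dropped."""
    attrs = {}
    for line in text.splitlines():
        line = line[2:] if line.startswith("# ") else line
        if not line or line.startswith("#") or ": " not in line:
            continue
        key, value = line.split(": ", 1)
        attrs.setdefault(key, []).append(value.strip())
    return attrs


def check_rootdse(text):
    """Did the GSSAPI base search really succeed, and what did the DC say?"""
    attrs = parse_ldapsearch(text)

    def first(key, default=""):
        return attrs.get(key, [default])[0]

    problems = []
    if first("result") != "0 Success":
        problems.append("search result was %r, not '0 Success'" % first("result"))
    if first("numEntries", "0") != "1":
        problems.append("expected one rootDSE entry, got %s" % first("numEntries", "0"))
    for flag in ("isSynchronized", "isGlobalCatalogReady"):
        if first(flag) != "TRUE":
            problems.append("%s is %r; the DC may still be replicating" % (flag, first(flag)))
    levels = {}
    for key in ("domainFunctionality", "forestFunctionality",
                "domainControllerFunctionality"):
        v = first(key)
        levels[key] = (FUNCTIONAL_LEVELS.get(int(v), "unknown (%s)" % v)
                       if v.isdigit() else "missing")
    return {"ok": not problems, "problems": problems, "levels": levels}


# A klist ticket line: two timestamps, then the service principal
# (unwrapped terminal output, not the mail-wrapped form in the thread).
TICKET_LINE = re.compile(
    r"^\d{2}/\d{2}/\d{4} \d{2}:\d{2}:\d{2}\s+\d{2}/\d{2}/\d{4} \d{2}:\d{2}:\d{2}\s+(\S+)$")


def service_principals(klist_text):
    return [m.group(1) for m in
            (TICKET_LINE.match(line.strip()) for line in klist_text.splitlines()) if m]


def check_trust_path(klist_text, ipa_realm, ad_realm):
    """The search proves the IPA->AD direction only if klist now shows the
    whole chain: local TGT, cross-realm TGT krbtgt/AD@IPA, ldap/...@AD."""
    principals = service_principals(klist_text)
    local_tgt = "krbtgt/%s@%s" % (ipa_realm, ipa_realm) in principals
    cross_tgt = "krbtgt/%s@%s" % (ad_realm, ipa_realm) in principals
    ad_ldap = [p for p in principals
               if p.startswith("ldap/") and p.endswith("@" + ad_realm)]
    return {"local_tgt": local_tgt, "cross_realm_tgt": cross_tgt,
            "ad_ldap_ticket": ad_ldap[0] if ad_ldap else None,
            "ok": local_tgt and cross_tgt and bool(ad_ldap)}


# Constructed sample outputs; realm and host names are assumptions.
SAMPLE_ROOTDSE = """\
# extended LDIF
#
# LDAPv3
# base <> with scope baseObject
#
dn:
isSynchronized: TRUE
isGlobalCatalogReady: TRUE
domainFunctionality: 6
forestFunctionality: 6
domainControllerFunctionality: 6

# search result
search: 4
result: 0 Success

# numResponses: 2
# numEntries: 1
"""

SAMPLE_KLIST = """\
Ticket cache: KEYRING:persistent:0:krb_ccache_example
Default principal: host/ipa.example.com@IPA.EXAMPLE.COM

Valid starting       Expires              Service principal
07/20/2017 15:30:01  07/21/2017 15:30:01  krbtgt/IPA.EXAMPLE.COM@IPA.EXAMPLE.COM
07/20/2017 15:30:05  07/21/2017 15:30:01  krbtgt/ADDOMAIN.EXAMPLE.COM@IPA.EXAMPLE.COM
07/20/2017 15:30:05  07/21/2017 01:30:05  ldap/ad.addomain.example.com@ADDOMAIN.EXAMPLE.COM
"""

if __name__ == "__main__":
    print(check_rootdse(SAMPLE_ROOTDSE))
    print(check_trust_path(SAMPLE_KLIST, "IPA.EXAMPLE.COM", "ADDOMAIN.EXAMPLE.COM"))
```

Paste your own ldapsearch and klist output in place of the two samples. If both checks pass, the Kerberos and LDAP side of the trust is fine, and a failing `id aduser@addomain.example.com` points at SSSD's identity lookup on the IPA side rather than at the trust itself.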