Hi: I am trying to finish my integration of FreeIPA with Active Directory, but when I try to add my group information it fails.
# ipa group-add-member ad_admins_external --external 'AD/Domain Admins'
  member group: AD\Domain Admins: trusted domain object not found

As far as I can tell, I have established a trust relationship between my IPA realm (ipa.mydomain.com) and my AD domain (ad.mydomain.com). If I run

  netdom query /d:AD.MYDOMAIN.COM TRUST

I get:

  <- ipa.mydomain.com Direct

I am assuming that the direction (<-) indicates that ipa trusts AD. From the other side, everything looks ok to me:

# ipa trustdomain-find AD.MYDOMAIN.COM
  Domain name: AD.MYDOMAIN.COM
  Domain NetBIOS name: AD
  Domain Security Identifier: S-1-5-21-3800000002-3276000039-3459556696
  Domain enabled: True
----------------------------
Number of entries returned 1
----------------------------

In troubleshooting this, I ran:

# KRB5_TRACE=/dev/stderr kvno -S cifs ad.mydomain.com

The last two lines were:

1505918874.707116: TGS request result: -1765328377/Server cifs/ad.mydomain....@ipa.mydomain.com not found in Kerberos database
kvno: Server cifs/ad.mydomain....@ipa.mydomain.com not found in Kerberos database while getting credentials for cifs/ad.mydomain....@ipa.mydomain.com

This led me to try the following (based on a tutorial I found), but with no success:

# ipa service-add cifs/ad.mydomain....@ipa.mydomain.com --force
ipa: ERROR: The host 'ad.mydomain.com' does not exist to add a service to.

I am running CentOS 7 with ipa 4.5; all AD servers are running Server 2016.

If anyone has any pointers which could help with this, I'd appreciate it.

Thanks!
Bob
_______________________________________________ FreeIPA-users mailing list -- firstname.lastname@example.org To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org