I am trying to finish my integration of FreeIPA with Active Directory, but
when I try to add my group information it fails.

# ipa group-add-member ad_admins_external --external 'AD/Domain Admins'
   member group: AD\Domain Admins: trusted domain object not found

As far as I can tell, I have established a trust relationship between my
IPA realm (ipa.mydomain.com) and my AD domain (ad.mydomain.com). If I run
netdom query /d:AD.MYDOMAIN.COM TRUST, I get:

<-   ipa.mydomain.com   Direct

I am assuming that the direction (<-) indicates that ipa trusts AD. From
the other side, everything looks ok to me:

# ipa trustdomain-find AD.MYDOMAIN.COM
  Domain name: AD.MYDOMAIN.COM
  Domain NetBIOS name: AD
  Domain Security Identifier: S-1-5-21-3800000002-3276000039-3459556696
  Domain enabled: True
Number of entries returned 1

In troubleshooting this, I ran:

# KRB5_TRACE=/dev/stderr kvno -S cifs ad.mydomain.com

The last two lines were:

[16487] 1505918874.707116: TGS request result: -1765328377/Server cifs/
ad.mydomain....@ipa.mydomain.com not found in Kerberos database
kvno: Server cifs/ad.mydomain....@ipa.mydomain.com not found in Kerberos
database while getting credentials for cifs/ad.mydomain....@ipa.mydomain.com

This led me to try the following (based on a tutorial I found), but with no

# ipa service-add cifs/ad.mydomain....@ipa.mydomain.com --force
ipa: ERROR: The host 'ad.mydomain.com' does not exist to add a service to.

I am running CentOS 7 with ipa 4.5; all AD servers are running server 2016.
If anyone has any pointers which could help with this, I'd appreciate it.