I am trying to finish my integration of FreeIPA with Active Directory, but
when I try to add my group information it fails.

# ipa group-add-member ad_admins_external --external 'AD/Domain Admins'
member group: AD\Domain Admins: trusted domain object not found

As far as I can tell, I have established a trust relationship between my
IPA realm (ipa.mydomain.com) and my AD domain (ad.mydomain.com). If I run
netdom query /d:AD.MYDOMAIN.COM TRUST I get:

<- ipa.mydomain.com Direct

I am assuming that the direction (<-) indicates that ipa trusts AD. From
the other side, everything looks ok to me:

# ipa trustdomain-find AD.MYDOMAIN.COM
Domain name: AD.MYDOMAIN.COM
Domain NetBIOS name: AD
Domain Security Identifier: S-1-5-21-3800000002-3276000039-3459556696
Domain enabled: True
Number of entries returned 1

In troubleshooting this, I ran:

# KRB5_TRACE=/dev/stderr kvno -S cifs ad.mydomain.com

The last two lines were:

1505918874.707116: TGS request result: -1765328377/Server cifs/ad.mydomain....@ipa.mydomain.com not found in Kerberos database
kvno: Server cifs/ad.mydomain....@ipa.mydomain.com not found in Kerberos database while getting credentials for cifs/ad.mydomain....@ipa.mydomain.com

This led me to try the following (based on a tutorial I found), but with no

# ipa service-add cifs/ad.mydomain....@ipa.mydomain.com --force
ipa: ERROR: The host 'ad.mydomain.com' does not exist to add a service to.

I am running CentOS 7 with ipa 4.5; all AD servers are running server 2016.
If anyone has any pointers which could help with this, I'd appreciate it.
FreeIPA-users mailing list -- email@example.com