On ke, 20 syys 2017, Bobby Jones via FreeIPA-users wrote:

I am trying to finish my integration of FreeIPA with Active Directory, but
when I try to add my group information it fails.

# ipa group-add-member ad_admins_external --external 'AD/Domain Admins'
  member group: AD\Domain Admins: trusted domain object not found

As far as I can tell, I have established a trust relationship between my
IPA realm (ipa.mydomain.com) and my AD domain (ad.mydomain.com). If I run
netdom query /d:AD.MYDOMAIN.COM TRUST I get:

<-   ipa.mydomain.com   Direct

I am assuming that the direction (<-) indicates that ipa trusts AD. From
the other side, everything looks ok to me:

# ipa trustdomain-find AD.MYDOMAIN.COM
 Domain name: AD.MYDOMAIN.COM
 Domain NetBIOS name: AD
 Domain Security Identifier: S-1-5-21-3800000002-3276000039-3459556696
 Domain enabled: True
Number of entries returned 1

In troubleshooting this, I ran:
# KRB5_TRACE=/dev/stderr kvno -S cifs ad.mydomain.com
is it really ad.mydomain.com as a host name? What is your real AD
domain? What is a real AD DC hostname?

The last two lines were:

[16487] 1505918874.707116: TGS request result: -1765328377/Server cifs/
ad.mydomain....@ipa.mydomain.com not found in Kerberos database
kvno: Server cifs/ad.mydomain....@ipa.mydomain.com not found in Kerberos
database while getting credentials for cifs/ad.mydomain....@ipa.mydomain.com
This means IPA KDC doesn't know that ad.mydomain.com belongs to
realm AD.MYDOMAIN.COM. This should be suspicious.

Start from beginning.
How exactly did you establish the trust? Show a command that was used to
establish trust.

If you can re-establish it, add 'log level = 10' to
/usr/share/ipa/smb.conf.empty and re-run 'ipa trust-add'. You'll get a
lot of details in /var/log/httpd/error_log that show what AD thinks
about the trust.

This led me to try the following (based on a tutorial I found), but with no

# ipa service-add cifs/ad.mydomain....@ipa.mydomain.com --force
ipa: ERROR: The host 'ad.mydomain.com' does not exist to add a service to.
I wonder what is this (a tutorial)? This is absolute nonsense.

I am running CentOS 7 with ipa 4.5; all AD servers are running server 2016.
If anyone has any pointers which could help with this, I'd appreciate it.
Debugging 4.5 is a new experience. Read my article about it: https://vda.li/en/docs/freeipa-debug-privsep/

However, for trust to AD nothing changed. If your KDC doesn't seem to
understand how to reach AD DCs for ad.mydomain.com, you have a
fundamental problem.

/ Alexander Bokovoy
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org

Reply via email to