On Wed, 20 Sep 2017, Bobby Jones via FreeIPA-users wrote:
> I am trying to finish my integration of FreeIPA with Active Directory, but
> when I try to add my group information it fails.
>
> # ipa group-add-member ad_admins_external --external 'AD/Domain Admins'
> member group: AD\Domain Admins: trusted domain object not found
>
> As far as I can tell, I have established a trust relationship between my
> IPA realm (ipa.mydomain.com) and my AD domain (ad.mydomain.com). If I run
> netdom query /d:AD.MYDOMAIN.COM TRUST I get:
>
> <- ipa.mydomain.com Direct
>
> I am assuming that the direction (<-) indicates that ipa trusts AD. From
> the other side, everything looks ok to me:
>
> # ipa trustdomain-find AD.MYDOMAIN.COM
>   Domain name: AD.MYDOMAIN.COM
>   Domain NetBIOS name: AD
>   Domain Security Identifier: S-1-5-21-3800000002-3276000039-3459556696
>   Domain enabled: True
> Number of entries returned 1
>
> In troubleshooting this, I ran:
>
> # KRB5_TRACE=/dev/stderr kvno -S cifs ad.mydomain.com
Is it really ad.mydomain.com as a host name? What is your real AD
domain? What is a real AD DC hostname?
> The last two lines were:
>
> 1505918874.707116: TGS request result: -1765328377/Server cifs/ad.mydomain....@ipa.mydomain.com not found in Kerberos database
> kvno: Server cifs/ad.mydomain....@ipa.mydomain.com not found in Kerberos
> database while getting credentials for cifs/ad.mydomain....@ipa.mydomain.com
This means the IPA KDC doesn't know that ad.mydomain.com belongs to
realm AD.MYDOMAIN.COM. This should be suspicious.
Start from beginning.
How exactly did you establish the trust? Show a command that was used to
If you can re-establish it, add 'log level = 10' to
/usr/share/ipa/smb.conf.empty and re-run 'ipa trust-add'. You'll get a
lot of details in /var/log/httpd/error_log that show what AD thinks
about the trust.
> This led me to try the following (based on a tutorial I found), but with no
>
> # ipa service-add cifs/ad.mydomain....@ipa.mydomain.com --force
> ipa: ERROR: The host 'ad.mydomain.com' does not exist to add a service to.
I wonder what this (tutorial) is? This is absolute nonsense.
Debugging 4.5 is a new experience. Read my article about it:
> I am running CentOS 7 with ipa 4.5; all AD servers are running server 2016.
> If anyone has any pointers which could help with this, I'd appreciate it.
However, for trust to AD nothing changed. If your KDC doesn't seem to
understand how to reach AD DCs for ad.mydomain.com, you have a
/ Alexander Bokovoy
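The diagnosis Alexander gives above (the IPA KDC answered "not found in Kerberos database" for cifs/ad.mydomain.com@ipa.mydomain.com, i.e. it searched its own realm instead of referring the client to the trusted realm AD.MYDOMAIN.COM) can be checked mechanically from a KRB5_TRACE capture. The following is an added example, not code from the thread or from FreeIPA: it parses the "Server ... not found in Kerberos database" line, derives which realm a host should map to by longest-suffix match against the trusted domains reported by `ipa trustdomain-find`, and reports whether the failure is a realm-mapping problem or an ordinary missing principal. The sample trace and the trusted-domain set are constructed; the hostname in the trace is spelled out in full because the original output is elided.

```python
import re
from typing import Optional

# Constructed sample: a KRB5_TRACE excerpt in the shape kvno prints when the
# local KDC has no entry for the requested service principal. The hostname
# is assumed to be ad.mydomain.com (the thread elides it as ad.mydomain....).
SAMPLE_TRACE = """\
1505918874.707116: Getting credentials admin@IPA.MYDOMAIN.COM -> cifs/ad.mydomain.com@ipa.mydomain.com
1505918874.707116: TGS request result: -1765328377/Server cifs/ad.mydomain.com@ipa.mydomain.com not found in Kerberos database
"""

# Constructed sample mirroring the 'Domain name' field of 'ipa trustdomain-find'.
TRUSTED_DOMAINS = {"AD.MYDOMAIN.COM"}
LOCAL_REALM = "IPA.MYDOMAIN.COM"

# Matches the libkrb5 error text for KRB5KDC_ERR_S_PRINCIPAL_UNKNOWN (-1765328377).
NOT_FOUND = re.compile(
    r"Server (?P<svc>[^/\s]+)/(?P<host>[^@\s]+)@(?P<realm>\S+) not found in Kerberos database"
)


def parse_tgs_failure(trace: str) -> Optional[dict]:
    """Return the service, host and realm of the first 'not found' TGS failure, or None."""
    for line in trace.splitlines():
        m = NOT_FOUND.search(line)
        if m:
            # Hostnames and realms compare case-insensitively; normalise once here.
            return {"service": m["svc"], "host": m["host"].lower(), "realm": m["realm"].upper()}
    return None


def expected_realm(host: str, trusted_domains: set, local_realm: str) -> str:
    """Realm a host should be served by: longest trusted-domain suffix wins, else the local realm.

    Longest-suffix matching keeps a child domain (e.g. child.ad.example) ahead of
    its parent when both are trusted.
    """
    trusted = {d.upper() for d in trusted_domains}
    labels = host.lower().split(".")
    for i in range(len(labels)):
        candidate = ".".join(labels[i:]).upper()
        if candidate in trusted:
            return candidate
    return local_realm.upper()


def diagnose(trace: str, trusted_domains: set, local_realm: str) -> str:
    """Classify a kvno failure against the trust configuration."""
    failure = parse_tgs_failure(trace)
    if failure is None:
        return "no 'not found in Kerberos database' failure in trace"
    want = expected_realm(failure["host"], trusted_domains, local_realm)
    local = local_realm.upper()
    if want != local and failure["realm"] == local:
        # The KDC should have issued a cross-realm referral, not a local lookup.
        return (f"KDC looked up {failure['service']}/{failure['host']} in {local} "
                f"instead of referring to trusted realm {want}: check the trust and realm mapping")
    if want == local:
        return f"{failure['host']} is not in any trusted domain; principal missing from {local}"
    return f"principal {failure['service']}/{failure['host']} missing in realm {failure['realm']}"


if __name__ == "__main__":
    print(diagnose(SAMPLE_TRACE, TRUSTED_DOMAINS, LOCAL_REALM))
```

On a real system the trace comes from `KRB5_TRACE=/dev/stderr kvno -S cifs <AD DC hostname>` as in the thread, and the trusted-domain set from `ipa trustdomain-find`; a "referring to trusted realm" verdict points at the trust itself, which is where Alexander's suggestion to re-run `ipa trust-add` with `log level = 10` comes in.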
FreeIPA-users mailing list -- email@example.com
To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org