On Tue, 14 Nov 2017, Zach Bayne wrote:
trust add completes and logs attached.
appreciate the help
Zach, I'd suggest you re-establish the trust again, to re-generate the
cross-forest trust object passwords which you made public by posting a
link to the logs to the list.

Anyway, the trust itself seems to get established just fine. What failed
is an attempt to login as AD user to Web UI. Am I correct?

If so, then you need first to enable each AD user to login by creating
(even empty) ID override for this user in the default trust view:

ipa idoverrideuser-add 'Default Trust View' foo@ad.domain

This would create an empty ID override that should allow foo@ad.domain
to authenticate to the IPA LDAP server with GSSAPI. This is exactly what the Web
UI needs, because it always uses GSSAPI to authenticate to LDAP on behalf
of users trying to log in to it.

On Mon, Nov 13, 2017 at 3:01 PM, Alexander Bokovoy <aboko...@redhat.com>

On Mon, 13 Nov 2017, Zach Bayne via FreeIPA-users wrote:

I have Active Directory as dc1.ad.domainname and dc2.ad.domainname.
I also have FreeIPA at ipa1.ipa.domainname and ipa2.ipa.domainname.
Both of them seem to work fine independently. I then created a trust and
set smb min and max to 2. From the Server 2k12 side the trust validates,
and from the IPA side I can kinit user@ad.domainname, but that's where the
working ends. I cannot log in to the web interface as an AD user; it says my session has
expired and to re-login. wbinfo status shows AD as offline.
Both LDAP DNS records for IPA and AD look correct.
[root@ipa1 ~]# wbinfo -n 'AD\Domain Admins'
failed to call wbcLookupName: WBC_ERR_DOMAIN_NOT_FOUND
Could not lookup name AD\Domain Admins

[root@ipa1 ~]# ipa --version
VERSION: 4.5.0, API_VERSION: 2.228

[root@ipa1 ~]# sssd --version
attached below is the log.wd.ad
I am happy to provide any more information, and thank anyone who can help
solve this; I have been beaten up for a bit on it.

Forget about looking into Samba logs alone. They aren't relevant here.
IPA uses SSSD to look up users/groups, not winbindd. Winbindd is used by
Samba itself for topology details and not for user lookups. It is
expected to see wbinfo reporting an "offline" state because it is not
relevant at all.

and provide information requested there.

/ Alexander Bokovoy

/ Alexander Bokovoy
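As an added example, not code from the thread or from FreeIPA itself: a POSIX shell helper that makes Alexander's ID override step idempotent (checking with `ipa idoverrideuser-show` before running `ipa idoverrideuser-add`) and then verifies with `ldapwhoami` the GSSAPI bind the Web UI performs on the user's behalf. The realm AD.DOMAIN, the server name ipa1.ipa.domain and the IPA_CMD variable used for dry runs are assumptions.

```shell
#!/bin/sh
# Added example (not from the thread). Assumptions: realm AD.DOMAIN, IPA
# server ipa1.ipa.domain, and the AD user's ticket already in the credential
# cache (kinit user@AD.DOMAIN, as in the thread). IPA_CMD may be pointed at a
# wrapper for dry runs; it defaults to the real ipa CLI.

IPA_CMD="${IPA_CMD:-ipa}"
VIEW="Default Trust View"

# ensure_override USER: return 0 if an override exists or was created, 1 otherwise.
ensure_override() {
    user="$1"
    # idoverrideuser-show exits non-zero when no override exists in the view.
    if "$IPA_CMD" idoverrideuser-show "$VIEW" "$user" >/dev/null 2>&1; then
        echo "override present: $user"
        return 0
    fi
    # An override with no attributes is enough; it only has to exist.
    if "$IPA_CMD" idoverrideuser-add "$VIEW" "$user" >/dev/null; then
        echo "override created: $user"
        return 0
    fi
    echo "failed to create override for $user" >&2
    return 1
}

# verify_gssapi_bind SERVER: bind to the IPA LDAP server with GSSAPI using the
# current ticket, the same operation the Web UI does for the logging-in user.
verify_gssapi_bind() {
    server="$1"
    if ldapwhoami -Y GSSAPI -H "ldap://$server" >/dev/null 2>&1; then
        echo "GSSAPI bind to $server succeeded"
        return 0
    fi
    echo "GSSAPI bind to $server failed; check the override and the ticket" >&2
    return 1
}

# Usage: sh ensure_ad_override.sh user@ad.domain [ipa-server]
if [ $# -gt 0 ]; then
    ensure_override "$1" && verify_gssapi_bind "${2:-ipa1.ipa.domain}"
fi
```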
