On Mon, 11 Dec 2017, Henrik Johansson via FreeIPA-users wrote:
Hi again,

I have generated debug logs, both in samba and in sssd, and attached the log files.
From what I can see in the sssd log file, we are talking to the AD domain but
do not find any groups? The rest of the debug files are from the whole
session, including the trust-add. If you could have a quick look at it I would
be grateful, since I am pretty much stuck here.

Terminal output:
# ipa -v trust-add --type=ad ad.test.net --admin aduser
ipa: INFO: trying https://ipaserver.idm.test.net/ipa/session/json
ipa: INFO: [try 1]: Forwarding 'schema' to json server 
'https://ipaserver.idm.test.net/ipa/session/json'
ipa: INFO: trying https://ipaserver.idm.test.net/ipa/session/json
Active Directory domain administrator's password:
ipa: INFO: [try 1]: Forwarding 'trust_add/1' to json server 
'https://ipaserver.idm.test.net/ipa/session/json'
-----------------------------------------------------
Added Active Directory trust for realm "ad.test.net"
-----------------------------------------------------
 Realm name: ad.test.net
 Domain NetBIOS name: AD
 Domain Security Identifier: S-1-6-42-491525448-2008367481-725548543
 Trust direction: Trusting forest
 Trust type: Active Directory domain
 Trust status: Established and verified

# ipa trust-fetch-domains ad.test.net
----------------------------------------------------------------------------------------
List of trust domains successfully refreshed. Use trustdomain-find command to 
list them.
----------------------------------------------------------------------------------------
----------------------------
Number of entries returned 0
----------------------------
[root@ipaserver samba]# ipa trustdomain-find ad.test.net
 Domain name: ad.test.net
 Domain NetBIOS name: AD
 Domain Security Identifier: S-1-6-42-491525448-2008367481-725548543
 Domain enabled: True

 Domain name: corp.ad.test.net
 Domain NetBIOS name: CORP
 Domain Security Identifier: S-1-6-42-2417082233-1637723082-1916539915
 Domain enabled: True
----------------------------
Number of entries returned 2

]# ipa -v group-add-member ad_users_external --external 'AD\Domain Users'
ipa: INFO: trying https://ipaserver.idm.test.net/ipa/session/json
[member user]:
[member group]:
ipa: INFO: [try 1]: Forwarding 'group_add_member/1' to json server 
'https://ipaserver.idm.test.net/ipa/session/json'
 Group name: ad_users_external
 Description: AD users external map
 Failed members:
   member user:
   member group: AD\Domain Users: trusted domain object not found
-------------------------
Number of members added 0

Did you try with a different group/user? Because Domain Users is a bit
of a special group in AD, it is a Domain Global group. Your logs show that a
search done by SSSD against the AD DC does not end up with any 'cn=domain
users' result.

--
/ Alexander Bokovoy
_______________________________________________
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org
