Hi Alexander,

Thanks for your input. Indeed, Debian still compiles against Heimdal. I've added both devel MLs for Debian, maybe someone can give some input on what's needed to get "freeipa-server-trust-ad" working.

@Debian Team: If there is something I can test, please let me know! I know Sid is not for production but I would like to see FreeIPA in Bullseye.

Ref.: https://packages.debian.org/en/sid/freeipa-server-trust-ad

Fedora 31:
  HAVE_LIBKADM5SRV_MIT
  SAMBA_USES_MITKDC

Debian Sid:
  SAMBA4_USES_HEIMDAL

I will try Fedora 31 / CentOS 8 then.

Kind regards
Kevin

On Tue, 24 Dec 2019 at 08:57, Alexander Bokovoy <[email protected]> wrote:
>
> On Tue, 24 Dec 2019, Kevin Olbrich via FreeIPA-users wrote:
> >Hi!
> >
> >This is my first FreeIPA setup that needs to be trusted against AD.
> >I spent some hours to debug my issue but I need some help:
> >
> >root@auth1 ~ # ipa trust-add --two-way=true --type=ad intra.example.com
> >--admin administrator --password
> >Active Directory domain administrator's password:
> >ipa: ERROR: CIFS server communication error: code "3221225581", message
> >"The attempted logon is invalid. This is either due to a bad username or
> >authentication information." (both may be "None")
> >
> >I've also tried "[email protected]" as well as another
> >administrative account with domain admin privileges.
> >The password is 100% fine and works for ldapadmin (windows tool) as well as
> >windows logons.
> >
> >DNS is also fine: I set up forwarding of "intra.example.com" from IPA to
> >the AD domain and reverse "auth.example.com" from AD to IPA.
> >
> >WORKS:
> >ldapsearch -H ldap://192.168.80.1:389 -x -W -D "[email protected]" \
> >  -b "dc=intra,dc=example,dc=com" -d8
> >
> >Environment: Debian Sid, FreeIPA 4.7.2
> >
> >Did I miss something? What am I doing wrong here?
>
> Do not use Debian/Ubuntu for IPA master with trust controller role.
> Samba in Debian/Ubuntu is built against Heimdal Kerberos implementation
> while 'ipasam' component of FreeIPA (a plugin to Samba) can only be
> compiled against MIT Kerberos. The two implementations cannot be mixed
> in the same address space when 'smbd' or 'winbindd' processes are
> operating, thus it is not possible to use IPA master with trust
> controller role on Debian/Ubuntu distributions right now.
>
> This might change when Samba upstream will fully switch to MIT Kerberos
> and Debian/Ubuntu would stop building against Heimdal, but this is not
> going to happen any time soon for technical reasons as there are few
> important fixes that need to be developed in both MIT Kerberos and
> Samba first. This work is ongoing and even though it all affects the
> configuration of Samba that FreeIPA is not using, distributions
> generally do not ship two different versions of Samba (each built
> against own Kerberos implementation), so the end result is that
> Debian/Ubuntu version of Samba is not suitable for FreeIPA integration.
>
> An older bug https://bugs.launchpad.net/ubuntu/+source/samba/+bug/1552249
> was used to track it in Ubuntu but the actual work is happening in Samba
> and MIT Kerberos upstream, not downstream. Thus, you wouldn't get any
> move on Ubuntu or Debian side here.
>
> --
> / Alexander Bokovoy
> Sr. Principal Software Engineer
> Security / Identity Management Engineering
> Red Hat Limited, Finland
_______________________________________________
FreeIPA-users mailing list -- [email protected]
To unsubscribe send an email to [email protected]
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedorahosted.org/archives/list/[email protected]
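The thread boils down to two checks a practitioner would want to run before attempting `ipa trust-add`: which Kerberos implementation the installed Samba was compiled against (the `SAMBA4_USES_HEIMDAL` versus `SAMBA_USES_MITKDC` / `HAVE_LIBKADM5SRV_MIT` defines Kevin lists), and what the decimal "code" in the `CIFS server communication error` message actually is. The script below is an added example, not code from the thread, FreeIPA or Samba; it assumes that `smbd -b` prints the build-time defines one per line (the conventional place those names come from), and its sample build-option text is constructed to mirror the two distros in the thread. The decimal 3221225581 converts to 0xC000006D, which is NT_STATUS_LOGON_FAILURE, matching the message text quoted above.

```shell
#!/bin/sh
# Preflight check for the FreeIPA "trust controller" role, built from the two
# facts in this thread: ipasam needs a Samba compiled against MIT Kerberos, and
# the ipa error reports the NTSTATUS code in decimal. The sample build-option
# text below is constructed for illustration; on a real host run with --live.

# Classify a Samba build from its compile-time defines (the names quoted in
# the thread). $1 holds the define list, one per line, as `smbd -b` prints it.
kerberos_backend() {
    if printf '%s\n' "$1" | grep -q 'SAMBA4_USES_HEIMDAL'; then
        echo heimdal
    elif printf '%s\n' "$1" | grep -qE 'SAMBA_USES_MITKDC|HAVE_LIBKADM5SRV_MIT'; then
        echo mit
    else
        echo unknown
    fi
}

# Succeed (exit 0) only when the build can host ipasam, i.e. MIT Kerberos.
trust_controller_supported() {
    [ "$(kerberos_backend "$1")" = mit ]
}

# Convert the decimal code from "CIFS server communication error: code ..."
# into the hexadecimal NTSTATUS form used in Samba and Windows documentation.
ntstatus_hex() {
    printf '0x%08X\n' "$1"
}

# Name the one status code that appears in the thread; any other code is
# returned as its hex value so it can be looked up manually.
ntstatus_name() {
    case "$(ntstatus_hex "$1")" in
        0xC000006D) echo NT_STATUS_LOGON_FAILURE ;;
        *)          ntstatus_hex "$1" ;;
    esac
}

# Constructed samples mirroring the defines Kevin listed for each distro.
FEDORA_SAMPLE='   HAVE_LIBKADM5SRV_MIT
   SAMBA_USES_MITKDC'
DEBIAN_SAMPLE='   SAMBA4_USES_HEIMDAL'

# Live mode: inspect the installed smbd instead of the constructed samples.
if [ "${1:-}" = "--live" ]; then
    if ! command -v smbd >/dev/null 2>&1; then
        echo "smbd not found in PATH" >&2
        exit 2
    fi
    build="$(smbd -b 2>/dev/null)"
    echo "Samba Kerberos backend: $(kerberos_backend "$build")"
    if trust_controller_supported "$build"; then
        echo "ipasam / trust controller role: possible on this build"
    else
        echo "ipasam / trust controller role: NOT possible on this build"
    fi
fi
```

Run it as `sh preflight.sh --live` on the candidate IPA master; a `heimdal` result means the `ipa trust-add` failure is structural rather than a credential problem, which is the distinction Alexander's reply draws. The `ntstatus_name` helper is deliberately minimal: it decodes only the code seen in this thread and otherwise hands back the hex value for lookup.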
