> On ti, 11 touko 2021, Owen Vincent via FreeIPA-users wrote:
>
> I wonder where does it try to perform this operation -- on AD side or on
> IPA side.
>
This was on the AD side. Our AD Admin opened the TDO in the ADSI Editor and tried to manually set the value of msDS-SupportedEncryptionTypes, which produced the error. That’s part of what brought me here. I was fairly sure our problems had to do with the TDO not having the correct encryption settings (which you have confirmed), but we have also encountered problems setting them manually and I was hoping someone here had had similar issues and maybe even found a solution for them.

>
> I think it should work. This is basically AD permissions issue. If AD
> DCs accept the creds, they'll do the checks and they should be allowing
> Incoming Forest Trust Builders group according to the Microsoft's
> documentation.
>
If I can’t figure anything else out, I will likely try this.

>
> No, this does not work. I just tried and IPA$ user object does not have
> write privileges to TDO:
>
> [root@m1 ~]# kinit -kt /var/lib/sss/keytabs/ad.test.keytab 'IPA$@AD.TEST'
> [root@m1 ~]# klist
> Ticket cache: KCM:0
> Default principal: IPA$@AD.TEST
>
> Valid starting       Expires              Service principal
> 05/11/21 14:38:14    05/12/21 00:38:14    krbtgt/AD.TEST@AD.TEST
>         renew until 05/12/21 14:38:14
>
> [root@m1 ~]# ldapmodify -Y GSSAPI -h dc.ad.test
> SASL/GSSAPI authentication started
> SASL username: IPA$@AD.TEST
> SASL SSF: 256
> SASL data security layer installed.
> dn: CN=ipa.test,CN=System,DC=ad,DC=test
> changetype: modify
> replace: msDS-SupportedEncryptionTypes
> msDS-SupportedEncryptionTypes: 0
> modifying entry "CN=ipa.test,CN=System,DC=ad,DC=test"
> ldap_modify: Insufficient access (50)
>         additional info: 00002098: SecErr: DSID-03150F9D, problem 4003 (INSUFF_ACCESS_RIGHTS), data 0

I kind of assumed that would have been too easy.
I was just taking a guess, as you said there was no way to update the entry from the IPA side without AD admin credentials “until the trust was verified”, which I interpreted to mean that once the trust was verified, it would be possible to push the encryption settings to AD. I guess I was just being too hopeful. I’ll update you once I have talked to the AD admin and tried some of the options we have discussed.

Best,
Owen
_______________________________________________
FreeIPA-users mailing list -- [email protected]
To unsubscribe send an email to [email protected]
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedorahosted.org/archives/list/[email protected]
Do not reply to spam on the list, report it: https://pagure.io/fedora-infrastructure
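The quoted ldapmodify run shows that the trust account cannot write the TDO's msDS-SupportedEncryptionTypes, but it can still read it. The following is an added shell example (not from this thread, FreeIPA or Microsoft) that reads the attribute with a read-only ldapsearch under the same GSSAPI ticket and decodes the bitmask, so the trust's enctypes can be verified before asking an AD admin to change them. The TDO DN and DC hostname are the ones from the thread; the LDIF sample is constructed, and the bit values are those documented in MS-KILE 2.2.7.

```shell
#!/bin/sh
# Added example (not from the thread or FreeIPA): read the TDO's
# msDS-SupportedEncryptionTypes and decode it. Bit values per MS-KILE 2.2.7.

# decode_enctypes VALUE: print the enctype names whose bits are set in the
# decimal VALUE, space separated, or "none" for 0.
decode_enctypes() {
    v=$(( $1 ))
    out=""
    [ $(( v & 1 ))  -ne 0 ] && out="$out DES-CBC-CRC"
    [ $(( v & 2 ))  -ne 0 ] && out="$out DES-CBC-MD5"
    [ $(( v & 4 ))  -ne 0 ] && out="$out RC4-HMAC"
    [ $(( v & 8 ))  -ne 0 ] && out="$out AES128-CTS-HMAC-SHA1-96"
    [ $(( v & 16 )) -ne 0 ] && out="$out AES256-CTS-HMAC-SHA1-96"
    if [ -n "$out" ]; then printf '%s\n' "${out#?}"; else printf 'none\n'; fi
}

# has_aes VALUE: succeed when an AES bit (8 or 16) is set.
has_aes() {
    [ $(( $1 & 24 )) -ne 0 ]
}

# enctypes_from_ldif LDIF: extract the attribute value from ldapsearch -LLL
# output; an absent attribute is reported as 0 (no AES advertised).
enctypes_from_ldif() {
    val=$(printf '%s\n' "$1" | sed -n 's/^msDS-SupportedEncryptionTypes: *//p' | head -n 1)
    printf '%s\n' "${val:-0}"
}

# read_tdo_enctypes DC TDO_DN: the live read-only query, run after kinit with
# the trust keytab exactly as in the thread (needs network; not used below).
read_tdo_enctypes() {
    ldapsearch -LLL -Y GSSAPI -h "$1" -b "$2" -s base msDS-SupportedEncryptionTypes
}

# report LDIF: one-line verdict for LDIF text (sample or live output).
report() {
    v=$(enctypes_from_ldif "$1")
    if has_aes "$v"; then tag="AES enabled"; else tag="NO AES bit set"; fi
    printf 'value %s -> %s (%s)\n' "$v" "$(decode_enctypes "$v")" "$tag"
}

# Constructed sample of ldapsearch -LLL output for the TDO named in the thread.
SAMPLE_LDIF='dn: CN=ipa.test,CN=System,DC=ad,DC=test
msDS-SupportedEncryptionTypes: 28'

report "$SAMPLE_LDIF"
# prints: value 28 -> RC4-HMAC AES128-CTS-HMAC-SHA1-96 AES256-CTS-HMAC-SHA1-96 (AES enabled)
# live:   report "$(read_tdo_enctypes dc.ad.test 'CN=ipa.test,CN=System,DC=ad,DC=test')"
```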
