On Sat, 16 Oct 2021, Jakub Novak via FreeIPA-users wrote:
> Hi.
> Is it possible to create a trust between FreeIPA (v. 4.9.6) and Samba AD DC (v. 4.13.5)?
> I tried to create the trust via this command:
> ipa -d -v trust-add --type ad --two-way=true ad.idp.t.dom --admin Administrator --password
> (the same command works correctly with Microsoft AD, but I need it with Samba AD DC)
> but I always get this error:
> ipa: ERROR: an internal error has occurred
> Is it even possible to create a trust between them? What do I need to do?
Trust between the two should be working. Things to check:
- FreeIPA running on RHEL/CentOS/Fedora and linked with MIT Kerberos. I
assume this part is OK because it works with Microsoft AD in your
case.
- Both IPA and Samba AD using the same ciphers. In Fedora 33+/RHEL 8.3+ we
disabled RC4-HMAC by default, while Samba AD currently has a bug that
prefers RC4-HMAC [1], which was only fixed this week. Enabling the
AD-SUPPORT crypto sub-policy might make RC4-HMAC work again on the
IPA side.
In any case, please provide (off list) server debug logs of your attempt to
establish the trust. I don't need the output of your 'ipa' command above.
Instead, httpd's error_log and samba logs are needed, as outlined in [2].
[1] https://bugzilla.samba.org/show_bug.cgi?id=14864
[2] https://www.freeipa.org/page/Active_Directory_trust_setup#Debugging_trust
--
/ Alexander Bokovoy
Sr. Principal Software Engineer
Security / Identity Management Engineering
Red Hat Limited, Finland
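As an added example (not code from the thread, FreeIPA or Samba), a POSIX shell check for the cipher point in the reply above: it reads the crypto-policies Kerberos back-end file (/etc/crypto-policies/back-ends/krb5.config on RHEL/Fedora is assumed as the default path) and reports whether arcfour-hmac-md5 is still among permitted_enctypes, using constructed sample files for the DEFAULT and DEFAULT:AD-SUPPORT cases.

```shell
#!/bin/sh
# Added example, not from the thread or FreeIPA/Samba: does the IPA host's
# Kerberos crypto-policy back-end still permit RC4-HMAC (arcfour-hmac-md5)?
# Fedora 33+/RHEL 8.3+ DEFAULT drops it; DEFAULT:AD-SUPPORT adds it back.

# Assumed default path of the krb5 back-end on RHEL/Fedora; all functions
# accept another file as their first argument.
KRB5_BACKEND_DEFAULT=/etc/crypto-policies/back-ends/krb5.config

# enctype_list [FILE]: print permitted_enctypes, one enctype per line.
enctype_list() {
    sed -n 's/^[[:space:]]*permitted_enctypes[[:space:]]*=[[:space:]]*//p' \
        "${1:-$KRB5_BACKEND_DEFAULT}" | tr -s ' \t' '\n' | grep -v '^$'
}

# rc4_permitted [FILE]: 0 if arcfour-hmac-md5 is permitted, 1 if not,
# 2 if the file cannot be read.
rc4_permitted() {
    f="${1:-$KRB5_BACKEND_DEFAULT}"
    [ -r "$f" ] || return 2
    enctype_list "$f" | grep -qx 'arcfour-hmac-md5'
}

# write_sample FILE with|without: constructed files mirroring the DEFAULT
# (without) and DEFAULT:AD-SUPPORT (with) back-end; not copied from a host.
write_sample() {
    {
        echo '[libdefaults]'
        printf 'permitted_enctypes = aes256-cts-hmac-sha1-96 aes256-cts-hmac-sha384-192'
        printf ' aes128-cts-hmac-sha1-96 aes128-cts-hmac-sha256-128'
        if [ "$2" = with ]; then printf ' arcfour-hmac-md5'; fi
        echo
    } > "$1"
}

# advise [FILE]: report the RC4 state and the command that would change it;
# this script itself modifies nothing.
advise() {
    rc=0
    rc4_permitted "$1" || rc=$?
    case $rc in
        0) echo "RC4-HMAC permitted: cipher mismatch unlikely on the IPA side" ;;
        1) echo "RC4-HMAC not permitted; to allow it for the AD trust run:"
           echo "  update-crypto-policies --set DEFAULT:AD-SUPPORT  (then reboot)" ;;
        *) echo "cannot read ${1:-$KRB5_BACKEND_DEFAULT}" ;;
    esac
}

advise "$@"
```

Run it without arguments on the IPA server to check the live policy, or point it at a saved copy of the back-end file.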
FreeIPA-users mailing list -- [email protected]