On Tue, 2013-03-12 at 15:11 -0400, de Jong, Mark-Jan wrote:
> Hello,
> I'm currently testing forest trusts in v3.0 on CentOS 6.4. I've got a
> trust set up between my IPA forest (nix.ipatest.dom) and my Windows
> forest (ipatest.dom). I have gone through the setup procedure as outlined
> at http://freeipa.org/page/Howto/IPAv3_AD_trust_setup.
>
> Everything works as described in that document. However, now I want to
> add groups to IPA from another domain in the Windows forest
> (us.ipatest.dom) but can't figure out how to proceed. When trying to add
> a group from the US domain I get the following:
>
> [root@ipa01 ~]# ipa group-add-member ad_admins_external --external 'US\Domain Admins'
> [member user]:
> [member group]:
> ipa: ERROR: invalid Gettext('external member', domain='ipa', localedir=None): values are not recognized as valid SIDs from trusted domain
>
> I understand the error, but am not sure how to get this to work.
> Creating a new trust between the IPA forest and the US domain results in
> the following error, presumably because it's a transitive trust:
>
> [root@ipa01 ~]# ipa trust-add --type=ad us.ipatest.dom --admin Administrator --password
> Active directory domain administrator's password:
> ipa: ERROR: invalid Gettext('AD domain controller', domain='ipa', localedir=None): unsupported functional level
>
> Any help would be greatly appreciated!

Sorry Mark-Jan, we do not support transitive trusts yet.
We are working on it, stay tuned.

Simo.

--
Simo Sorce * Red Hat, Inc * New York