On Tue, 2013-03-12 at 15:11 -0400, de Jong, Mark-Jan wrote:
> Hello,
> I'm currently testing forest trusts in v3.0 on CentOS 6.4. I've got a
> trust setup between my IPA forest (nix.ipatest.dom) and my Windows
> forest (ipatest.dom). I have gone though the setup procedure as outlined
> at http://freeipa.org/page/Howto/IPAv3_AD_trust_setup.
> Everything works as described in that document. However, now I want to
> add groups to IPA from another domain in the windows forest
> (us.ipatest.dom) but can't figure out how to proceed. When trying to add
> the a group from the US domain I get the following:
> [root@ipa01 ~]# ipa group-add-member ad_admins_external --external 'US
> \Domain Admins'
> [member user]:
> [member group]:
> ipa: ERROR: invalid Gettext('external member', domain='ipa',
> localedir=None): values are not recognized as valid SIDs from trusted
> domain
> I understand the error, but am not sure how to get this to work.
> Creating a new trust between the IPA forest and the US domain results in
> the following error, presumably because it's a transitive trust:
> [root@ipa01 ~]# ipa trust-add --type=ad us.ipatest.dom --admin
> Administrator --password
> Active directory domain administrator's password:
> ipa: ERROR: invalid Gettext('AD domain controller', domain='ipa',
> localedir=None): unsupported functional level
> Any help would be greatly appreciated!

Sorry Mark-Jan we do not support transitive trusts yet.

We are working on it, stay tuned.


Simo Sorce * Red Hat, Inc * New York

Freeipa-users mailing list

Reply via email to