On Wed, 19 Jun 2013, Aly Khimji wrote:
> So, as others have mentioned, Windows obviously isn't my area of focus here
> either. However, we have this working with 2003r2, but I do notice odd
> behaviour with "id" returning odd results sometimes depending on what
> system I am logged in from, or initial logins failing the first time and
> working the second time. Would this be a result of 2003 trust vs 2008 trust?
Ok, so I have tried one more time and went through the Windows Server 2003 R2
setup again.

You need to select domain functional level Windows Server 2003 and after
that raise forest functional level to Windows Server 2003.

Only in this case will it work, though without AES encryption (only RC4
encryption is available).

See http://technet.microsoft.com/en-us/library/cc738822%28v=ws.10%29.aspx
for Windows specifics.

In order to raise forest functional level one needs to open 'Active
Directory Domains and Trusts' snap-in and right-click on 'Active
Directory Domains and Trusts' root in the left pane. Then select 'Raise
forest functional level ...' and use "Windows Server 2003" as the level
to raise.

After that you can try establishing trust from IPA side.

Here is IPA behavior (the output corresponds to FreeIPA 3.2 but behavior
should be the same in RHEL 6.4):

# ipa trust-add ad.domain --admin Administrator --password
Active directory domain administrator's password:
ipa: ERROR: invalid 'AD domain controller': unsupported functional level

(went and raised forest functional level)

# ipa trust-add ad.domain --admin Administrator --password
Active directory domain administrator's password:
--------------------------------------------------
Added Active Directory trust for realm "ad.domain"
--------------------------------------------------
  Realm name: ad.domain
  Domain NetBIOS name: ADP
  Domain Security Identifier: S-1-5-21-426902846-1951547570-376736459
  SID blacklist incoming: S-1-0, S-1-1, S-1-2, S-1-3, S-1-5-1, S-1-5-2,
                          S-1-5-3, S-1-5-4, S-1-5-5, S-1-5-6, S-1-5-7,
                          S-1-5-8, S-1-5-9, S-1-5-10, S-1-5-11, S-1-5-12,
                          S-1-5-13, S-1-5-14, S-1-5-15, S-1-5-16, S-1-5-17,
                          S-1-5-18, S-1-5-19, S-1-5-20
  SID blacklist outgoing: S-1-0, S-1-1, S-1-2, S-1-3, S-1-5-1, S-1-5-2,
                          S-1-5-3, S-1-5-4, S-1-5-5, S-1-5-6, S-1-5-7,
                          S-1-5-8, S-1-5-9, S-1-5-10, S-1-5-11, S-1-5-12,
                          S-1-5-13, S-1-5-14, S-1-5-15, S-1-5-16, S-1-5-17,
                          S-1-5-18, S-1-5-19, S-1-5-20
  Trust direction: Two-way trust
  Trust type: Active Directory domain
  Trust status: Established and verified


Note that there will be all kinds of issues because the AES encryption keys
are missing -- you would not be able to use IPA credentials to obtain
Kerberos tickets against Windows services, for example. This whole
experiment is of rather limited value.

But at least login with PuTTY 0.62 works.

--
/ Alexander Bokovoy

_______________________________________________
Freeipa-users mailing list
Freeipa-users@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users
