On 06/19/2013 12:35 PM, Alexander Bokovoy wrote:
> On Wed, 19 Jun 2013, Aly Khimji wrote:
>> So as others have mentioned, Windows obviously isn't my area of focus
>> here either; however, we have this working with 2003 R2, but I do notice
>> odd behaviour with "id" returning odd results sometimes depending on
>> what system I am logged in from, or initial logins failing the first
>> time and working the second time. Would this be a result of a 2003 trust
>> vs. a 2008 trust?
> Ok, so I have tried another time and went through Windows Server 2003 R2
> setup again.
>
> You need to select domain functional level Windows Server 2003 and after
> that raise the forest functional level to Windows Server 2003.
>
> Only in this case will it work, though without AES encryption (only RC4
> encryption is available).
>
> See http://technet.microsoft.com/en-us/library/cc738822%28v=ws.10%29.aspx
> for Windows specifics.
>
> In order to raise the forest functional level one needs to open the 'Active
> Directory Domains and Trusts' snap-in and right-click on the 'Active
> Directory Domains and Trusts' root in the left pane. Then select 'Raise
> forest functional level ...' and use "Windows Server 2003" as the level
> to raise to.
>
> After that you can try establishing the trust from the IPA side.
>
> Here is the IPA behavior (the output corresponds to FreeIPA 3.2 but the
> behavior should be the same in RHEL 6.4):
>
> # ipa trust-add ad.domain --admin Administrator --password
> Active directory domain administrator's password:
> ipa: ERROR: invalid 'AD domain controller': unsupported functional level
>
> (went and raised the forest functional level)
> # ipa trust-add ad.domain --admin Administrator --password
>
> Active directory domain administrator's password:
> --------------------------------------------------
> Added Active Directory trust for realm "ad.domain"
> --------------------------------------------------
>   Realm name: ad.domain
>   Domain NetBIOS name: ADP
>   Domain Security Identifier: S-1-5-21-426902846-1951547570-376736459
>   SID blacklist incoming: S-1-0, S-1-1, S-1-2, S-1-3, S-1-5-1, S-1-5-2,
>                           S-1-5-3, S-1-5-4, S-1-5-5, S-1-5-6, S-1-5-7,
>                           S-1-5-8, S-1-5-9, S-1-5-10, S-1-5-11, S-1-5-12,
>                           S-1-5-13, S-1-5-14, S-1-5-15, S-1-5-16, S-1-5-17,
>                           S-1-5-18, S-1-5-19, S-1-5-20
>   SID blacklist outgoing: S-1-0, S-1-1, S-1-2, S-1-3, S-1-5-1, S-1-5-2,
>                           S-1-5-3, S-1-5-4, S-1-5-5, S-1-5-6, S-1-5-7,
>                           S-1-5-8, S-1-5-9, S-1-5-10, S-1-5-11, S-1-5-12,
>                           S-1-5-13, S-1-5-14, S-1-5-15, S-1-5-16, S-1-5-17,
>                           S-1-5-18, S-1-5-19, S-1-5-20
>   Trust direction: Two-way trust
>   Trust type: Active Directory domain
>   Trust status: Established and verified
>
>
> Note that there will be all kinds of issues due to the AES encryption keys
> being missing -- you would not be able to use IPA credentials to obtain
> Kerberos tickets against Windows services, for example. This whole
> experiment is of rather limited value.
>
> But at least, log-in with PuTTY 0.62 works.
>
Should we put this on the wiki as a how-to?

-- 
Thank you,
Dmitri Pal

Sr. Engineering Manager for IdM portfolio
Red Hat Inc.

-------------------------------
Looking to carve out IT costs?
www.redhat.com/carveoutcosts/

_______________________________________________
Freeipa-users mailing list
Freeipa-users@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users
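The procedure quoted above has two gates that are easy to check before and after running `ipa trust-add`: the forest functional level (below Windows Server 2003 the command is refused with the "unsupported functional level" error shown; at exactly 2003 the trust comes up RC4-only), and the trust record that IPA prints once the trust is established. The script below is an added example written for this thread, not FreeIPA's own code and not the check `ipa trust-add` performs internally. It assumes the standard DS_BEHAVIOR_VERSION numbering that Active Directory publishes in the rootDSE attributes `forestFunctionality` / `domainFunctionality` (0 = Windows 2000, 2 = Windows Server 2003, 3 = Windows Server 2008, ...), which any domain controller returns to an anonymous base-scope search such as `ldapsearch -x -LLL -H ldap://dc.ad.domain -s base -b ""`, and it treats "AES Kerberos keys exist from the 2008 level upwards" as an assumption consistent with the RC4-only observation in the thread. The two rootDSE samples are constructed; the `ipa trust-add` output is the one posted above, refolded. Names such as `assess_forest` and `verify_trust` are the example's own.

```python
import re

# DS_BEHAVIOR_VERSION values AD publishes in rootDSE (assumed mapping).
FUNCTIONAL_LEVELS = {0: "Windows 2000", 1: "Windows Server 2003 interim",
                     2: "Windows Server 2003", 3: "Windows Server 2008",
                     4: "Windows Server 2008 R2", 5: "Windows Server 2012",
                     6: "Windows Server 2012 R2", 7: "Windows Server 2016"}
MIN_TRUST_LEVEL = 2  # Windows Server 2003: the minimum the thread found trust-add accepts
MIN_AES_LEVEL = 3    # Windows Server 2008: assumption, first level with AES Kerberos keys
UNSUPPORTED_MSG = "ipa: ERROR: invalid 'AD domain controller': unsupported functional level"

# Constructed rootDSE answers, as 'ldapsearch -x -LLL -H ldap://dc.ad.domain -s base -b ""'
# prints them: a 2003 R2 DC (level 2) in a forest still at the Windows 2000 level,
# and the same forest after the domain and forest levels were raised.
ROOTDSE_W2000 = "dn:\nforestFunctionality: 0\ndomainFunctionality: 0\ndomainControllerFunctionality: 2\n"
ROOTDSE_W2003 = "dn:\nforestFunctionality: 2\ndomainFunctionality: 2\ndomainControllerFunctionality: 2\n"

# The successful 'ipa trust-add' output posted in the thread (blacklists refolded).
TRUST_ADD_OUTPUT = """\
Added Active Directory trust for realm "ad.domain"
  Realm name: ad.domain
  Domain NetBIOS name: ADP
  Domain Security Identifier: S-1-5-21-426902846-1951547570-376736459
  SID blacklist incoming: S-1-0, S-1-1, S-1-2, S-1-3, S-1-5-1, S-1-5-2, S-1-5-3, S-1-5-4, S-1-5-5,
                          S-1-5-6, S-1-5-7, S-1-5-8, S-1-5-9, S-1-5-10, S-1-5-11, S-1-5-12, S-1-5-13,
                          S-1-5-14, S-1-5-15, S-1-5-16, S-1-5-17, S-1-5-18, S-1-5-19, S-1-5-20
  SID blacklist outgoing: S-1-0, S-1-1, S-1-2, S-1-3, S-1-5-1, S-1-5-2, S-1-5-3, S-1-5-4, S-1-5-5,
                          S-1-5-6, S-1-5-7, S-1-5-8, S-1-5-9, S-1-5-10, S-1-5-11, S-1-5-12, S-1-5-13,
                          S-1-5-14, S-1-5-15, S-1-5-16, S-1-5-17, S-1-5-18, S-1-5-19, S-1-5-20
  Trust direction: Two-way trust
  Trust type: Active Directory domain
  Trust status: Established and verified
"""

def parse_ldif(ldif):
    """LDIF of a base search -> {attr: [values]}; unfolds continuation lines, skips dn/comments."""
    attrs = {}
    for line in re.sub(r"\n ", "", ldif).splitlines():
        if not line.strip() or line.startswith(("#", "dn:")):
            continue
        name, sep, value = line.partition(":")
        if sep:
            attrs.setdefault(name.strip(), []).append(value.strip())
    return attrs

def assess_forest(rootdse):
    """Pre-flight: what 'ipa trust-add' can be expected to do at these functional levels."""
    def level(attr):
        vals = rootdse.get(attr)
        return int(vals[0]) if vals else None
    forest, domain = level("forestFunctionality"), level("domainFunctionality")
    trust_ok = forest is not None and forest >= MIN_TRUST_LEVEL
    actions = []
    if domain is not None and domain < MIN_TRUST_LEVEL:
        actions.append("raise the domain functional level to Windows Server 2003")
    if not trust_ok:
        actions.append("raise the forest functional level to Windows Server 2003 "
                       "(Active Directory Domains and Trusts snap-in); until then: "
                       + UNSUPPORTED_MSG)
    elif forest < MIN_AES_LEVEL:
        actions.append("trust will be RC4-only: no AES keys, so IPA principals "
                       "cannot obtain tickets for Windows services")
    return {"forest_level": FUNCTIONAL_LEVELS.get(forest, "unknown"),
            "trust_possible": trust_ok,
            "aes_available": trust_ok and forest >= MIN_AES_LEVEL,
            "actions": actions}

# Well-known SIDs (SYSTEM, LOCAL SERVICE, NETWORK SERVICE) to spot-check in both
# blacklists: the trust must filter them out of PACs arriving from the other side.
REQUIRED_BLACKLIST = {"S-1-5-18", "S-1-5-19", "S-1-5-20"}
DOMAIN_SID = re.compile(r"^S-1-5-21-\d+-\d+-\d+$")

def parse_trust_add(text):
    """Fold 'ipa trust-add' output into {field: value}; indented lines without a
    'Key:' prefix continue the previous field (the wrapped SID blacklists)."""
    fields, last = {}, None
    for line in text.splitlines():
        m = re.match(r"^\s*([A-Za-z][A-Za-z ]*): ?(.*)$", line)
        if m:
            last = m.group(1)
            fields[last] = m.group(2).strip()
        elif last and line.startswith(" ") and line.strip():
            fields[last] += " " + line.strip()
    return fields

def verify_trust(fields):
    """Post-flight: sanity-check the established trust record as an admin would."""
    def sids(key):
        return {s.strip() for s in fields.get(key, "").split(",") if s.strip()}
    checks = {"domain_sid_valid": bool(DOMAIN_SID.match(fields.get("Domain Security Identifier", ""))),
              "established": fields.get("Trust status") == "Established and verified",
              "two_way": fields.get("Trust direction") == "Two-way trust",
              "builtin_sids_filtered": REQUIRED_BLACKLIST <= sids("SID blacklist incoming")
              and REQUIRED_BLACKLIST <= sids("SID blacklist outgoing")}
    checks["ok"] = all(checks.values())
    return checks

if __name__ == "__main__":
    for name, ldif in (("W2000 forest", ROOTDSE_W2000), ("W2003 forest", ROOTDSE_W2003)):
        print(name, assess_forest(parse_ldif(ldif)))
    print(verify_trust(parse_trust_add(TRUST_ADD_OUTPUT)))
```

Against a real forest, pass the `ldapsearch` output to `parse_ldif` and the captured `ipa trust-add` output to `parse_trust_add`; the W2000 sample reproduces the refusal from the thread (both levels still need raising), the W2003 sample reproduces the "works, but RC4 only" outcome, and `verify_trust` confirms that the trust is two-way, established and verified, and that the default SID blacklists still cover the well-known service SIDs.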