Hey guys, so at this point in time we haven't been having any issues, but I am not 100% sure if the odd issues we have been having are related to the 2003 vs 2008 issue.
When we joined our IPA server to the 2003r2 we got the following output:

[root@didmsvrua01 ~]# ipa trust-add --type=ad corpnonprd.xxxx.com --admin Administrator --password
Active directory domain administrator's password:
--------------------------------------------------------------
Added Active Directory trust for realm "CorpNonPrd.xxxx.com"
--------------------------------------------------------------
  Realm name: CorpNonPrd.xxxx.com
  Domain NetBIOS name: CORPNONPRD
  Domain Security Identifier: S-1-5-21-417068303-3117552414-2168216644
  Trust direction: Two-way trust
  Trust type: Active Directory domain
  Trust status: Established and verified
[root@didmsvrua01 ~]#

This looks slightly different than yours; does this look like a properly established trust? I don't seem to have any issues in regards to AES, and trust users can log into clients, however there are issues where the first attempt takes a long time to log in, to the point of timeout, and the second one works.

Aly

On Wed, Jun 19, 2013 at 12:47 PM, Alexander Bokovoy <[email protected]> wrote:
> On Wed, 19 Jun 2013, Dmitri Pal wrote:
>
>> On 06/19/2013 12:35 PM, Alexander Bokovoy wrote:
>>
>>> On Wed, 19 Jun 2013, Aly Khimji wrote:
>>>
>>>> So as others have mentioned windows obviously isn't my area of focus here
>>>> either, however we have this working with 2003r2, but I do notice odd
>>>> behaviour with "id" returning odd results sometimes depending on what
>>>> system I am logged in from or initial logins failing the first time and
>>>> working the second time, would this be a result of 2003 trust vs 2008
>>>> trust?
>>>>
>>> Ok, so I have tried another time and went through Windows Server 2003 R2
>>> setup again.
>>>
>>> You need to select domain functional level Windows Server 2003 and after
>>> that raise forest functional level to Windows Server 2003.
>>>
>>> Only in this case it will work, though without AES encryption (only RC4
>>> encryption is available).
>>>
>>> See http://technet.microsoft.com/en-us/library/cc738822%28v=ws.10%29.aspx
>>> for Windows specifics.
>>>
>>> In order to raise forest functional level one needs to open 'Active
>>> Directory Domains and Trusts' snap-in and right-click on 'Active
>>> Directory Domains and Trusts' root in the left pane. Then select 'Raise
>>> forest functional level ...' and use "Windows Server 2003" as the level
>>> to raise.
>>>
>>> After that you can try establishing trust from IPA side.
>>>
>>> Here is IPA behavior (the output corresponds to FreeIPA 3.2 but behavior
>>> should be the same in RHEL 6.4):
>>>
>>> # ipa trust-add ad.domain --admin Administrator --password
>>> Active directory domain administrator's password:
>>> ipa: ERROR: invalid 'AD domain controller': unsupported functional level
>>>
>>> (went and raised forest functional level)
>>> # ipa trust-add ad.domain --admin Administrator --password
>>> Active directory domain administrator's password:
>>> --------------------------------------------------
>>> Added Active Directory trust for realm "ad.domain"
>>> --------------------------------------------------
>>>   Realm name: ad.domain
>>>   Domain NetBIOS name: ADP
>>>   Domain Security Identifier: S-1-5-21-426902846-1951547570-376736459
>>>   SID blacklist incoming: S-1-0, S-1-1, S-1-2, S-1-3, S-1-5-1, S-1-5-2,
>>>                           S-1-5-3, S-1-5-4, S-1-5-5, S-1-5-6, S-1-5-7,
>>>                           S-1-5-8, S-1-5-9, S-1-5-10, S-1-5-11, S-1-5-12,
>>>                           S-1-5-13, S-1-5-14, S-1-5-15, S-1-5-16, S-1-5-17,
>>>                           S-1-5-18, S-1-5-19, S-1-5-20
>>>   SID blacklist outgoing: S-1-0, S-1-1, S-1-2, S-1-3, S-1-5-1, S-1-5-2,
>>>                           S-1-5-3, S-1-5-4, S-1-5-5, S-1-5-6, S-1-5-7,
>>>                           S-1-5-8, S-1-5-9, S-1-5-10, S-1-5-11, S-1-5-12,
>>>                           S-1-5-13, S-1-5-14, S-1-5-15, S-1-5-16, S-1-5-17,
>>>                           S-1-5-18, S-1-5-19, S-1-5-20
>>>   Trust direction: Two-way trust
>>>   Trust type: Active Directory domain
>>>   Trust status: Established and verified
>>>
>>> Note that there will be all kinds of issues because AES encryption keys
>>> are missing -- you would not be able to use IPA credentials to obtain
>>> Kerberos tickets against Windows services, for example. This whole
>>> experiment is rather of limited value.
>>>
>>> But at least, log-in with PuTTY 0.62 works.
>>>
>> Should we put this on wiki as a how to?
>>
> Definitely. If nobody beats me through the night, adding it to
> http://www.freeipa.org/page/Howto/IPAv3_AD_trust_setup, I'll do it
> tomorrow.
>
> --
> / Alexander Bokovoy
>
_______________________________________________
Freeipa-users mailing list
[email protected]
https://www.redhat.com/mailman/listinfo/freeipa-users
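An added check, not from the thread, for the RC4-only situation Alexander describes: it parses klist -e output on an IPA client and reports tickets whose keys are RC4 (or DES) rather than AES, including the cross-realm TGT toward the AD forest. The sample klist output and realm names are constructed for the example.

```python
import re

# Constructed sample of `klist -e` output on an IPA client holding a
# cross-realm TGT for an AD forest at Windows Server 2003 functional level
# (realm names are made up; the RC4 enctypes are the point).
SAMPLE_KLIST = """\
Ticket cache: FILE:/tmp/krb5cc_1000
Default principal: aly@IPA.EXAMPLE.TEST

Valid starting     Expires            Service principal
06/19/13 12:00:00  06/20/13 12:00:00  krbtgt/IPA.EXAMPLE.TEST@IPA.EXAMPLE.TEST
\tEtype (skey, tkt): aes256-cts-hmac-sha1-96, aes256-cts-hmac-sha1-96
06/19/13 12:00:05  06/20/13 12:00:00  krbtgt/CORPNONPRD.EXAMPLE.TEST@IPA.EXAMPLE.TEST
\tEtype (skey, tkt): arcfour-hmac, arcfour-hmac
06/19/13 12:00:07  06/20/13 12:00:00  cifs/fs01.corpnonprd.example.test@CORPNONPRD.EXAMPLE.TEST
\tEtype (skey, tkt): ArcFour with HMAC/md5, ArcFour with HMAC/md5
"""

# Matches the short (arcfour-hmac) and older long-form (ArcFour with HMAC/md5)
# enctype names klist prints, plus DES variants; AES names never match.
WEAK_ENCTYPE = re.compile(r"arcfour|rc4|\bdes", re.IGNORECASE)
ETYPE_LINE = re.compile(r"^\s*Etype \(skey, tkt\):\s*(.+?),\s*(.+?)\s*$")

def parse_klist(text):
    """Return [(service_principal, session_key_enctype, ticket_enctype)]."""
    tickets, principal = [], None
    for line in text.splitlines():
        m = ETYPE_LINE.match(line)
        if m and principal:
            tickets.append((principal, m.group(1), m.group(2)))
            principal = None
            continue
        parts = line.split()
        # A ticket row is "<date> <time> <date> <time> <principal>" and the
        # principal always carries a realm after '@'; the header row does not.
        if len(parts) >= 5 and "@" in parts[-1]:
            principal = parts[-1]
    return tickets

def weak_tickets(text):
    """Tickets whose session or ticket key is RC4/DES rather than AES."""
    return [t for t in parse_klist(text)
            if WEAK_ENCTYPE.search(t[1]) or WEAK_ENCTYPE.search(t[2])]

def rc4_cross_realm_tgts(text, ipa_realm):
    """Cross-realm TGTs (krbtgt/<AD realm>@<IPA realm>) issued with RC4 keys."""
    return [t[0] for t in weak_tickets(text)
            if t[0].startswith("krbtgt/") and t[0].endswith("@" + ipa_realm)
            and not t[0].startswith("krbtgt/" + ipa_realm + "@")]
```

Run it against real klist -e output from a client; an RC4-keyed cross-realm TGT is the expected result of the 2003-level trust and explains why IPA credentials cannot obtain AES tickets for Windows services.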
