Great, I basically just advised that if they want to make all the IDM bells and whistles work with AD and elevated access they need to move on from 2k3, as it's just not being supported upstream really.
Thanks guys.

On Wed, Jun 19, 2013 at 3:24 PM, Ana Krivokapic <[email protected]> wrote:
> On 06/19/2013 06:47 PM, Alexander Bokovoy wrote:
> > On Wed, 19 Jun 2013, Dmitri Pal wrote:
> >> On 06/19/2013 12:35 PM, Alexander Bokovoy wrote:
> >>> On Wed, 19 Jun 2013, Aly Khimji wrote:
> >>>> So as others have mentioned windows obviously isn't my area of focus
> >>>> here either, however we have this working with 2003r2, but I do notice odd
> >>>> behaviour with "id" returning odd results sometimes depending on what
> >>>> system I am logged in from or initial logins failing the first time and
> >>>> working the second time, would this be a result of 2003 trust vs 2008
> >>>> trust?
> >>> Ok, so I have tried another time and went through Windows Server 2003 R2
> >>> setup again.
> >>>
> >>> You need to select domain functional level Windows Server 2003 and after
> >>> that raise forest functional level to Windows Server 2003.
> >>>
> >>> Only in this case it will work, though without AES encryption (only RC4
> >>> encryption is available).
> >>>
> >>> See http://technet.microsoft.com/en-us/library/cc738822%28v=ws.10%29.aspx
> >>> for Windows specifics.
> >>>
> >>> In order to raise forest functional level one needs to open 'Active
> >>> Directory Domains and Trusts' snap-in and right-click on 'Active
> >>> Directory Domains and Trusts' root in the left pane. Then select 'Raise
> >>> forest functional level ...' and use "Windows Server 2003" as the level
> >>> to raise.
> >>>
> >>> After that you can try establishing trust from IPA side.
> >>>
> >>> Here is IPA behavior (the output corresponds to FreeIPA 3.2 but behavior
> >>> should be the same in RHEL 6.4):
> >>>
> >>> # ipa trust-add ad.domain --admin Administrator --password
> >>> Active directory domain administrator's password:
> >>> ipa: ERROR: invalid 'AD domain controller': unsupported functional level
> >>>
> >>> (went and raised forest functional level)
> >>> # ipa trust-add ad.domain --admin Administrator --password
> >>> Active directory domain administrator's password:
> >>> --------------------------------------------------
> >>> Added Active Directory trust for realm "ad.domain"
> >>> --------------------------------------------------
> >>>   Realm name: ad.domain
> >>>   Domain NetBIOS name: ADP
> >>>   Domain Security Identifier: S-1-5-21-426902846-1951547570-376736459
> >>>   SID blacklist incoming: S-1-0, S-1-1, S-1-2, S-1-3, S-1-5-1, S-1-5-2,
> >>>                           S-1-5-3, S-1-5-4, S-1-5-5, S-1-5-6, S-1-5-7,
> >>>                           S-1-5-8, S-1-5-9, S-1-5-10, S-1-5-11, S-1-5-12,
> >>>                           S-1-5-13, S-1-5-14, S-1-5-15, S-1-5-16, S-1-5-17,
> >>>                           S-1-5-18, S-1-5-19, S-1-5-20
> >>>   SID blacklist outgoing: S-1-0, S-1-1, S-1-2, S-1-3, S-1-5-1, S-1-5-2,
> >>>                           S-1-5-3, S-1-5-4, S-1-5-5, S-1-5-6, S-1-5-7,
> >>>                           S-1-5-8, S-1-5-9, S-1-5-10, S-1-5-11, S-1-5-12,
> >>>                           S-1-5-13, S-1-5-14, S-1-5-15, S-1-5-16, S-1-5-17,
> >>>                           S-1-5-18, S-1-5-19, S-1-5-20
> >>>   Trust direction: Two-way trust
> >>>   Trust type: Active Directory domain
> >>>   Trust status: Established and verified
> >>>
> >>>
> >>> Note that there will be all kinds of issues due to AES encryption keys
> >>> are missing -- you would not be able to use IPA credentials to obtain
> >>> Kerberos tickets against Windows services, for example. This whole
> >>> experiment is rather of a limited value.
> >>>
> >>> But at least, log-in with PuTTY 0.62 works.
> >>>
> >>
> >> Should we put this on wiki as a how to?
> > Definitely. If nobody beats me through the night, adding it to
> > http://www.freeipa.org/page/Howto/IPAv3_AD_trust_setup, I'll do it
> > tomorrow.
> >
> >
>
> The wiki page has been updated with this information.
>
> http://www.freeipa.org/page/Howto/IPAv3_AD_trust_setup#Trusts_and_Windows_Server_2003_R2
>
> --
> Regards,
>
> Ana Krivokapic
> Associate Software Engineer
> FreeIPA team
> Red Hat Inc.
>
> _______________________________________________
> Freeipa-users mailing list
> [email protected]
> https://www.redhat.com/mailman/listinfo/freeipa-users
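A pre-flight check for the "unsupported functional level" error quoted above, as an added example (not FreeIPA's code and not from anyone in the thread): it reads the rootDSE attributes domainFunctionality and forestFunctionality, which any AD domain controller publishes without a bind, and applies the thread's two findings (Windows Server 2003 on both the domain and the forest is the minimum that ipa trust-add accepts, and a trust below 2008 level is RC4-only). The two LDIF replies are constructed to mirror the thread's before/after; the ldapsearch command in the docstring is how you would fetch real values.

```python
"""Constructed check of AD functional levels before running 'ipa trust-add'.

Not FreeIPA code. An AD domain controller's rootDSE exposes the integer
attributes domainFunctionality and forestFunctionality without a bind;
fetch them with, e.g.:
  ldapsearch -x -H ldap://dc.ad.domain -s base -b '' domainFunctionality forestFunctionality
"""
LEVEL_NAMES = {0: "Windows 2000", 1: "Windows Server 2003 interim",
               2: "Windows Server 2003", 3: "Windows Server 2008",
               4: "Windows Server 2008 R2", 5: "Windows Server 2012"}
MIN_TRUST_LEVEL = 2  # thread: domain AND forest must be at least 2003 or trust-add fails
AES_LEVEL = 3        # thread: a 2003-level trust is RC4-only, AES keys are missing

# Constructed rootDSE replies: domain already at 2003, forest still at 2000 ...
ROOTDSE_BEFORE_RAISE = """dn:
domainFunctionality: 2
forestFunctionality: 0
domainControllerFunctionality: 2
"""
# ... and after 'Raise forest functional level' to Windows Server 2003.
ROOTDSE_AFTER_RAISE = ROOTDSE_BEFORE_RAISE.replace("forestFunctionality: 0", "forestFunctionality: 2")

def parse_rootdse(ldif_text):
    """Turn the attribute lines of a base-scope LDIF result into a dict."""
    attrs = {}
    for line in ldif_text.splitlines():
        key, sep, value = line.partition(":")
        if sep and key.strip() and key.strip() != "dn":
            attrs[key.strip()] = value.strip()
    return attrs

def assess_trust_readiness(attrs):
    """Return (ready, notes): ready mirrors whether trust-add would get past its
    functional-level check; notes explain what to fix or what to expect."""
    domain = int(attrs.get("domainFunctionality", 0))
    forest = int(attrs.get("forestFunctionality", 0))
    notes = []
    for scope, level in (("domain", domain), ("forest", forest)):
        if level < MIN_TRUST_LEVEL:
            notes.append("%s functional level is %s; raise it to Windows Server 2003"
                         % (scope, LEVEL_NAMES.get(level, level)))
    ready = not notes
    if ready and min(domain, forest) < AES_LEVEL:
        notes.append("trust will be RC4-only: no AES keys, so IPA credentials "
                     "cannot obtain Kerberos tickets for Windows services")
    return ready, notes

if __name__ == "__main__":
    for blob in (ROOTDSE_BEFORE_RAISE, ROOTDSE_AFTER_RAISE):
        print(assess_trust_readiness(parse_rootdse(blob)))
```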
