Hi,

I'm attempting to establish a trust between FreeIPA 3.3 and AD 2008 R2.  My IPA 
domain consists of two servers (one master and one replica).  I have verified 
that DNS is configured properly as the IPA domain can resolve AD and the AD 
domain can resolve IPA hosts.

On each IPA server, I performed the following:

$ yum install ipa-server-trust-ad samba-client
$ ipa-adtrust-install

On the main IPA server, I executed the following:

$ ipa trust-add --admin administrator --password

The output of this command suggests that establishing the trust was successful:

-------------------------------------------------
Added Active Directory trust for realm "test.lan"
-------------------------------------------------
  Realm name: test.lan
  Domain NetBIOS name: TEST
  Domain Security Identifier: S-1-5-21-2234298371-4032204425-1996979893
  SID blacklist incoming: S-1-0, S-1-1, S-1-2, S-1-3, S-1-5-1, S-1-5-2, S-1-5-3,
                          S-1-5-4, S-1-5-5, S-1-5-6, S-1-5-7, S-1-5-8, S-1-5-9,
                          S-1-5-10, S-1-5-11, S-1-5-12, S-1-5-13, S-1-5-14,
                          S-1-5-15, S-1-5-16, S-1-5-17, S-1-5-18, S-1-5-19, S-1-5-20
  SID blacklist outgoing: S-1-0, S-1-1, S-1-2, S-1-3, S-1-5-1, S-1-5-2, S-1-5-3,
                          S-1-5-4, S-1-5-5, S-1-5-6, S-1-5-7, S-1-5-8, S-1-5-9,
                          S-1-5-10, S-1-5-11, S-1-5-12, S-1-5-13, S-1-5-14,
                          S-1-5-15, S-1-5-16, S-1-5-17, S-1-5-18, S-1-5-19, S-1-5-20
  Trust direction: Two-way trust
  Trust type: Active Directory domain
  Trust status: Established and verified

Additionally, I can also see the IPA domain in Active Directory Domains and 
Trusts on the Windows side.  Next, I successfully requested a service ticket 
for the AD domain:

$ kvno cifs/vmxxenttest01.test....@test.lan
cifs/vmxxenttest01.test....@test.lan: kvno = 4
$ klist | grep TEST
08/20/2014 11:03:47  08/20/2014 21:03:47  cifs/vmxxenttest01.test....@test.lan
08/20/2014 11:03:47  08/21/2014 11:00:30  krbtgt/test....@qa-unix.domain.com

Next, I modified /etc/krb5.conf on both IDM servers (master and replica) and 
added the following to the [realms] section and restarted krb5kdc:

auth_to_local = RULE:[1:$1@$0](^.*@TEST.LAN$)s/@TEST.LAN/@TEST.LAN/
auth_to_local = DEFAULT

I also modified /etc/sssd/sssd.conf and added "pac" to services and 
"subdomains_provider = ipa".

Next, I tried to validate the trust from the AD side using the "Validate" 
button in AD Domains and Trusts.  Once I click the 'Validate' button, I choose 
"Yes, validate the incoming trust" and specify the IPA admin account and 
password and get notified that the trust cannot be validated due to "There are 
currently no logon servers available to service the logon requests."  It 
suggests that I reset the trust password, and I accept, but again it fails due 
to no logon servers.

I don't really see anything in the krb5kdc.log logs on the IPA servers.  Any 
ideas how to further troubleshoot this?

Thanks,

Josh


-- 
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go To http://freeipa.org for more info on the project
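
Added example (not part of Josh's message, and not FreeIPA project code): when
the AD side reports "There are currently no logon servers available", the
Windows DC locator has failed to find or reach a domain controller for the
trusted (IPA) domain. The locator works from DNS SRV records, including the
_msdcs names that ipa-adtrust-install asks you to create when IPA does not
manage DNS, and the trust RPC traffic from the AD DC reaches IPA's Samba over
SMB on port 445, so resolving IPA host names alone is not enough. The script
below checks those SRV records and TCP reachability (Kerberos 88, LDAP 389,
SMB 445) on each IPA server. Assumptions: the IPA domain qa-unix.domain.com is
taken from the klist output in the post; the two IPA server names are
hypothetical placeholders; dig and nc are installed. The resolver and port
probe are injectable so the checking logic can be exercised with canned
answers.

```sh
#!/bin/sh
# Added example (not from the original post or the FreeIPA project):
# checks what an AD domain controller needs in order to locate and reach
# the IPA servers when it validates the incoming trust. The Windows DC
# locator finds domain controllers through DNS SRV records (including the
# _msdcs names), and the trust RPCs from AD reach IPA's Samba over SMB, so
# a missing record or a filtered port surfaces on the AD side as
# "no logon servers available".
#
# Assumptions: IPA domain qa-unix.domain.com (from the klist output in the
# post); the two IPA server names are hypothetical; dig and nc are installed.
IPA_DOMAIN="${IPA_DOMAIN:-qa-unix.domain.com}"
IPA_SERVERS="${IPA_SERVERS:-ipa-master.qa-unix.domain.com ipa-replica.qa-unix.domain.com}"

# SRV names the Windows DC locator queries for a domain.
dc_locator_srv_names() {
    printf '%s\n' \
        "_ldap._tcp.$IPA_DOMAIN" \
        "_kerberos._tcp.$IPA_DOMAIN" \
        "_ldap._tcp.dc._msdcs.$IPA_DOMAIN" \
        "_kerberos._tcp.dc._msdcs.$IPA_DOMAIN"
}

# Default resolver: prints "priority weight port target" per record, nothing if absent.
lookup_srv() { dig +short SRV "$1" 2>/dev/null; }

# Default port probe: succeeds when a TCP connect to host:port works.
probe_port() { nc -z -w 3 "$1" "$2" >/dev/null 2>&1; }

# check_srv_records [resolver]: one line per record, non-zero exit if any is missing.
# The resolver argument exists so the logic can be run against canned answers.
check_srv_records() {
    resolver="${1:-lookup_srv}"; missing=0
    for name in $(dc_locator_srv_names); do
        if [ -n "$("$resolver" "$name")" ]; then
            echo "ok      SRV $name"
        else
            echo "MISSING SRV $name"
            missing=$((missing + 1))
        fi
    done
    [ "$missing" -eq 0 ]
}

# check_trust_ports [probe]: Kerberos (88), LDAP (389) and SMB (445) on every IPA server.
check_trust_ports() {
    probe="${1:-probe_port}"; closed=0
    for host in $IPA_SERVERS; do
        for port in 88 389 445; do
            if "$probe" "$host" "$port"; then
                echo "ok      tcp $host:$port"
            else
                echo "CLOSED  tcp $host:$port"
                closed=$((closed + 1))
            fi
        done
    done
    [ "$closed" -eq 0 ]
}

# Live checks run only when invoked as "sh trustcheck.sh run", so loading the
# file for tests does not touch the network.
case "${1:-}" in
    run)
        check_srv_records; srv=$?
        check_trust_ports; ports=$?
        if [ "$srv" -eq 0 ] && [ "$ports" -eq 0 ]; then
            echo "all DC-locator checks passed"
        else
            echo "trust prerequisites missing: fix the lines marked MISSING or CLOSED"
            exit 1
        fi
        ;;
esac
```

Run it from a host that uses the same DNS the AD domain controller uses
(`IPA_DOMAIN=... IPA_SERVERS="..." sh trustcheck.sh run`): a MISSING _msdcs
record or a CLOSED 445 on an IPA server is the usual reason the Windows
"Validate" button cannot find a logon server even though plain host lookups
work in both directions.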