On Wed, 20 Aug 2014, Baird, Josh wrote:
Hi,

I'm attempting to establish a trust between FreeIPA 3.3 and AD 2008 R2.
My IPA domain consists of two servers (one master and one replica).  I
have verified that DNS is configured properly as the IPA domain can
resolve AD and the AD domain can resolve IPA hosts.

On each IPA server, I performed the following:

$ yum install ipa-server-trust-ad samba-client
$ ipa-adtrust-install

On the main IPA server, I executed the following:

$ ipa trust-add --admin administrator --password

The output of this command suggests that establishing the trust was successful:

-------------------------------------------------
Added Active Directory trust for realm "test.lan"
-------------------------------------------------
 Realm name: test.lan
 Domain NetBIOS name: TEST
 Domain Security Identifier: S-1-5-21-2234298371-4032204425-1996979893
 SID blacklist incoming: S-1-0, S-1-1, S-1-2, S-1-3, S-1-5-1, S-1-5-2, S-1-5-3, S-1-5-4, S-1-5-5, S-1-5-6, S-1-5-7, S-1-5-8, S-1-5-9, S-1-5-10, S-1-5-11, S-1-5-12, S-1-5-13, S-1-5-14, S-1-5-15, S-1-5-16, S-1-5-17, S-1-5-18, S-1-5-19, S-1-5-20
 SID blacklist outgoing: S-1-0, S-1-1, S-1-2, S-1-3, S-1-5-1, S-1-5-2, S-1-5-3, S-1-5-4, S-1-5-5, S-1-5-6, S-1-5-7, S-1-5-8, S-1-5-9, S-1-5-10, S-1-5-11, S-1-5-12, S-1-5-13, S-1-5-14, S-1-5-15, S-1-5-16, S-1-5-17, S-1-5-18, S-1-5-19, S-1-5-20
 Trust direction: Two-way trust
 Trust type: Active Directory domain
 Trust status: Established and verified

Additionally, I can also see the IPA domain in Active Directory Domains
and Trusts on the Windows side.  Next, I successfully requested a
service ticket for the AD domain:

$ kvno cifs/vmxxenttest01.test....@test.lan
cifs/vmxxenttest01.test....@test.lan: kvno = 4
$ klist | grep TEST
08/20/2014 11:03:47  08/20/2014 21:03:47  cifs/vmxxenttest01.test....@test.lan
08/20/2014 11:03:47  08/21/2014 11:00:30  krbtgt/test....@qa-unix.domain.com

All is good. At this point, if kvno as an IPA user works against the AD DC, you
don't need to perform validation from the AD side.

Next, I modified /etc/krb5.conf on both IDM servers (master and
replica) and added the following to the [realms] section and restarted
krb5kdc:

auth_to_local = RULE:[1:$1@$0](^.*@TEST.LAN$)s/@TEST.LAN/@TEST.LAN/
auth_to_local = DEFAULT

The AD domain rule is a bit wrong; the last part (the replacement) should be
lower-cased.

auth_to_local = RULE:[1:$1@$0](^.*@TEST.LAN$)s/@TEST.LAN/@test.lan/

I also modified /etc/sssd/sssd.conf and added "pac" to services and 
"subdomains_provider = ipa."

Did you restart sssd at this point?

Did you try

  getent passwd administra...@test.lan

  or

  id administra...@test.lan
?


Next, I tried to validate the trust from the AD side using the
"Validate" button in AD Domains and Trusts.  Once I click the
'Validate' button, I choose "Yes, validate the incoming trust" and
specify the IPA admin account and password and get notified that the
trust cannot be validated due to "There are currently no logon servers
available to service the logon requests."  It suggests that I reset the
trust password, and I accept, but again it fails due to no logon
servers.

I don't really see anything in the krb5kdc.log logs on the IPA servers.
Any ideas how to further troubleshoot this?

As I said, if kvno succeeds as an IPA user against AD services, no
additional validation from the AD side is needed. Since you did establish
the trust using AD admin credentials, IPA did issue a request to validate the
trust automatically.

You may re-establish trust if you think your actions on AD side broke
something in the trust objects in AD.

--
/ Alexander Bokovoy

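To make the lower-casing point in the reply above concrete, here is an added Python simulation of MIT krb5's auth_to_local RULE and DEFAULT processing. It is example code written for this page, not FreeIPA, sssd or krb5 code. It assumes the IPA realm is QA-UNIX.DOMAIN.COM (read off the krbtgt entry in the klist output; the real domain is redacted in the thread), uses a constructed host principal as a third input, and parses only rule regexps that contain no closing parenthesis. Running both rule sets over administrator@TEST.LAN shows that the rule as first posted leaves the realm upper-case, while the corrected rule yields administrator@test.lan, the lower-case form that a trusted-domain user name has to match.

```python
"""Simulate MIT krb5 auth_to_local RULE/DEFAULT processing (added example).

Not FreeIPA, sssd or krb5 code: a small re-implementation of the documented
RULE:[n:string](regexp)s/pattern/replacement/g and DEFAULT forms so the
difference between the two krb5.conf rules in the thread can be seen offline.
"""
import re
from typing import List, Optional

# Assumed IPA realm, read off the krbtgt entry in the klist output above
# (the real domain is redacted in the thread).
IPA_REALM = "QA-UNIX.DOMAIN.COM"

# RULE:[n:selector](regexp)substitutions ; the regexp must not contain ')'.
RULE_RE = re.compile(r"^RULE:\[(\d+):([^\]]*)\](?:\(([^)]*)\))?(.*)$")
# One sed-style substitution: s/pattern/replacement/ with an optional trailing g.
SUBST_RE = re.compile(r"^s/((?:[^/\\]|\\.)*)/((?:[^/\\]|\\.)*)/(g?)")


def split_principal(principal: str):
    """'host/dc@REALM' -> (['host', 'dc'], 'REALM')."""
    name, realm = principal.rsplit("@", 1)
    return name.split("/"), realm


def format_selector(selector: str, comps: List[str], realm: str) -> str:
    """Expand $0 (realm) and $1..$n (principal components) in the selector."""
    return re.sub(
        r"\$(\d+)",
        lambda m: realm if m.group(1) == "0" else comps[int(m.group(1)) - 1],
        selector,
    )


def apply_rule(rule: str, principal: str, default_realm: str = IPA_REALM) -> Optional[str]:
    """Apply one auth_to_local rule; None means the rule does not apply."""
    comps, realm = split_principal(principal)
    if rule == "DEFAULT":
        # DEFAULT maps single-component principals of the default realm to
        # their name and is not applicable to anything else.
        return comps[0] if len(comps) == 1 and realm == default_realm else None
    m = RULE_RE.match(rule)
    if m is None:
        raise ValueError(f"unparseable auth_to_local rule: {rule}")
    n, selector, regexp, rest = m.groups()
    if len(comps) != int(n):            # [n:...] only matches n-component names
        return None
    s = format_selector(selector, comps, realm)
    if regexp is not None and re.fullmatch(regexp, s) is None:
        return None                     # the match must span the whole string
    while rest:
        sm = SUBST_RE.match(rest)
        if sm is None:
            raise ValueError(f"bad substitution in rule: {rule}")
        pattern, repl, g = sm.groups()
        s = re.sub(pattern, repl, s, count=0 if g else 1)
        rest = rest[sm.end():]
    return s


def auth_to_local(rules: List[str], principal: str, default_realm: str = IPA_REALM) -> Optional[str]:
    """Return the local name produced by the first applicable rule, or None."""
    for rule in rules:
        mapped = apply_rule(rule, principal, default_realm)
        if mapped is not None:
            return mapped
    return None


# The two [realms] rule sets from the thread, each followed by DEFAULT.
ORIGINAL_RULES = [
    "RULE:[1:$1@$0](^.*@TEST.LAN$)s/@TEST.LAN/@TEST.LAN/",   # as first posted
    "DEFAULT",
]
CORRECTED_RULES = [
    "RULE:[1:$1@$0](^.*@TEST.LAN$)s/@TEST.LAN/@test.lan/",   # lower-cased realm
    "DEFAULT",
]

if __name__ == "__main__":
    # Constructed principals: an AD user, an IPA user, and an AD host service.
    for who in ("administrator@TEST.LAN", "admin@QA-UNIX.DOMAIN.COM", "host/dc.test.lan@TEST.LAN"):
        print(f"{who:28} original={auth_to_local(ORIGINAL_RULES, who)!s:24} "
              f"corrected={auth_to_local(CORRECTED_RULES, who)}")
```

The DEFAULT rule never touches an AD principal, because its realm is not the IPA realm, so the RULE line is the only thing that maps TEST.LAN users; if its output does not exactly equal the user name sssd returns, the mapping is useless even though the trust itself is fine. A two-component name such as the host principal falls through both rules, which is the expected result for a service principal.
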
--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go To http://freeipa.org for more info on the project