On Wed, 08 Oct 2014, Genadi Postrilko wrote:
The forest root domain in my case is RED.COM.
You need to establish trust to red.com then. Any domain which is a member
of the forest red.com will be visible through the trust.

Forest trust can only be established between forest root domains, that's
how it is designed by Microsoft.


I have attached the log files.
These logs show you are attempting to establish trust to blue.com which
is not a forest root domain, thus nothing works.


2014-10-08 14:15 GMT+02:00 Alexander Bokovoy <aboko...@redhat.com>:

On Wed, 08 Oct 2014, Genadi Postrilko wrote:

Both Domain functional level and Forest functional level are Windows Server
2008 R2.

You need to check if the AD DC server IPA tries to contact has PDC
emulator role _and_ is a domain controller for the root domain of the
forest.

I've added some fixes to enforce this check in 4.0 (and backported to
3.3 in some RHEL 7 update which is not yet pushed out), but the easiest
thing is to ensure you are using the right domains and the right servers.

forest root domain = first domain created in the forest. If forest name
is example.com, then that's the forest root domain as well.

Using http://www.freeipa.org/page/Howto/IPAv3_AD_trust_setup#Debugging_trust
you can generate proper logs to see where the issue is.



2014-10-08 9:24 GMT+02:00 Sumit Bose <sb...@redhat.com>:

On Wed, Oct 08, 2014 at 02:42:47AM +0200, Genadi Postrilko wrote:
> Hello.
>
> I am attempting to create trust between AD and IPA.
>
> I have deployed AD environment as follows:
>
> I have created domain RED.COM
> Then I added a new domain tree root - BLUE.COM.
>
> Now I would like to establish trust with IPA as a sub domain (LINUX.BLUE.COM)
> of BLUE.COM.
>
> I followed the guide and when reaching to trust agreement creation i
> stumbled into this error:
>
>  ipa trust-add --type=ad blue.com --admin Administrator --password
> Active directory domain administrator's password:
> ipa: ERROR: invalid 'AD domain controller': unsupported functional level

Can you check the domain and forest functional levels of your domains?
You can find this information in the 'Active Directory Domains and
Trusts' utility by right-clicking the domain name and selecting
Properties. IIRC the minimal level we support is 2003R2.

bye,
Sumit

>
> Both AD servers are 2008 R2.
> IPA version is 3.3, installed on RHEL 7.
>
> Help will be appreciated.
>
> Genadi.

> --
> Manage your subscription for the Freeipa-users mailing list:
> https://www.redhat.com/mailman/listinfo/freeipa-users
> Go To http://freeipa.org for more info on the project






--
/ Alexander Bokovoy




--
/ Alexander Bokovoy
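A check for the point Alexander makes above (the trust must target the forest root, not a tree root such as BLUE.COM), as an added example that is not part of the thread: it inspects a DC's LDAP rootDSE, where defaultNamingContext and rootDomainNamingContext differ on every domain except the forest root, and decodes the domainFunctionality/forestFunctionality attributes. The rootDSE dictionary is a constructed sample of what a BLUE.COM DC inside forest RED.COM would report, not data captured from Genadi's environment.

```python
# Added example: decide from a DC's rootDSE whether the domain IPA is being
# pointed at is the forest root, and name the functional levels in words.
# Fetch the real attributes with (assumed standard OpenLDAP client):
#   ldapsearch -x -H ldap://<dc> -s base -b "" defaultNamingContext \
#       rootDomainNamingContext domainFunctionality forestFunctionality

# rootDSE functional-level integers as documented by Microsoft (MS-ADTS).
FUNCTIONAL_LEVELS = {
    0: "Windows 2000",
    1: "Windows Server 2003 interim",
    2: "Windows Server 2003",
    3: "Windows Server 2008",
    4: "Windows Server 2008 R2",
    5: "Windows Server 2012",
    6: "Windows Server 2012 R2",
    7: "Windows Server 2016",
}


def dn_to_domain(dn: str) -> str:
    """Turn a naming context like 'DC=blue,DC=com' into 'blue.com'."""
    labels = [rdn.split("=", 1)[1].strip()
              for rdn in dn.split(",")
              if rdn.strip().upper().startswith("DC=")]
    return ".".join(labels).lower()


def analyse_rootdse(rootdse: dict) -> dict:
    """Report the DC's domain, its forest root and which domain to trust."""
    domain = dn_to_domain(rootdse["defaultNamingContext"])
    forest_root = dn_to_domain(rootdse["rootDomainNamingContext"])
    return {
        "domain": domain,
        "forest_root": forest_root,
        # ipa trust-add must be given the forest root; a tree root fails.
        "is_forest_root": domain == forest_root,
        "trust_target": forest_root,
        "domain_level": FUNCTIONAL_LEVELS.get(
            int(rootdse["domainFunctionality"]), "unknown"),
        "forest_level": FUNCTIONAL_LEVELS.get(
            int(rootdse["forestFunctionality"]), "unknown"),
    }


# Constructed sample: a BLUE.COM DC whose forest root is RED.COM.
SAMPLE_ROOTDSE = {
    "defaultNamingContext": "DC=blue,DC=com",
    "rootDomainNamingContext": "DC=red,DC=com",
    "domainFunctionality": "4",
    "forestFunctionality": "4",
}

if __name__ == "__main__":
    for key, value in analyse_rootdse(SAMPLE_ROOTDSE).items():
        print(f"{key}: {value}")
```

For the sample the result is is_forest_root False with trust_target red.com, which is exactly the correction given in the thread; the PDC emulator requirement is a separate check (the `_ldap._tcp.pdc._msdcs.<domain>` SRV record) that this snippet does not perform.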
