On Thu, 05 Mar 2015, Ben .T.George wrote:
Hi

I have re-installed everything. My current versions are CentOS 7 with IPA
4.1.

I followed this tutorial:
http://www.freeipa.org/page/Howto/IPAv3_AD_trust_setup

When I fetch, it was successful:

[root@kwtpocpbis01 ~]# ipa trustdomain-find "infra.com"
  Domain name: infra.com
  Domain NetBIOS name: INFRA
  Domain Security Identifier: S-1-5-21-191287045-4012216658-3592112898
  Domain enabled: True
----------------------------
Number of entries returned 1
----------------------------

When I went through "Allow access for users from AD domain to protected
resources", I am getting errors:


[root@kwtpocpbis01 ~]# ipa group-add --desc='infra.com users external map' ad_users_external --external
-------------------------------
Added group "ad_users_external"
-------------------------------
  Group name: ad_users_external
  Description: infra.com users external map

[root@kwtpocpbis01 ~]# ipa group-add --desc='infra.com users' ad_users
----------------------
Added group "ad_users"
----------------------
  Group name: ad_users
  Description: infra.com users
  GID: 643400005

[root@kwtpocpbis01 ~]# ipa group-add-member ad_users_external --external 'INFRA\Domain Users'
[member user]:
[member group]:
  Group name: ad_users_external
  Description: infra.com users external map
  Failed members:
    member user:
    member group: INFRA\Domain Users: trusted domain object not found
-------------------------
Number of members added 0
-------------------------

[root@kwtpocpbis01 ~]# ipa group-add-member ad_users --groups ad_users_external
  Group name: ad_users
  Description: infra.com users
  GID: 643400005
  Member groups: ad_users_external
-------------------------
Number of members added 1
-------------------------

Please help me to solve this issue:

The error below appears in httpd/error_log while trying: ipa
group-add-member ad_users_external --external 'INFRA\Domain Users'

[Thu Mar 05 11:36:37.371594 2015] [:error] [pid 4090] ipa: WARNING: Search on AD DC kwtipaad001.infra.com:3268 failed with: Insufficient access: SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure.  Minor code may provide more information (Ticket not yet valid)
[Thu Mar 05 11:36:37.374280 2015] [:error] [pid 4090] ipa: INFO: [jsonserver_kerb] admin@SOLARIS.LOCAL: group_add_member(u'ad_users_external', ipaexternalmember=(u'INFRA\\\\Domain Users',), all=False, raw=False, version=u'2.113', no_members=False): SUCCESS

OK, "Ticket not yet valid" is a time synchronization issue -- AD DC has
time behind IPA DC. Check time and time zone settings.

--
/ Alexander Bokovoy
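
An added example, not part of the original thread and not FreeIPA's own code: a Python scan of httpd/error_log for the "Search on AD DC ... failed with" warning quoted above, flagging the Kerberos minor messages that point at clock problems. The sample lines are constructed from the entry in this thread (the "Clock skew too great" line, the shortened INFO line, and the function and variable names are assumptions for illustration).

```python
import re
from datetime import datetime

# Constructed sample modelled on the error_log entry in this thread.
SAMPLE_LOG = """\
[Thu Mar 05 11:36:37.371594 2015] [:error] [pid 4090] ipa: WARNING: Search on AD DC kwtipaad001.infra.com:3268 failed with: Insufficient access: SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure.  Minor code may provide more information (Ticket not yet valid)
[Thu Mar 05 11:36:37.374280 2015] [:error] [pid 4090] ipa: INFO: [jsonserver_kerb] admin@SOLARIS.LOCAL: group_add_member(u'ad_users_external', all=False): SUCCESS
[Thu Mar 05 11:40:02.000000 2015] [:error] [pid 4090] ipa: WARNING: Search on AD DC kwtipaad001.infra.com:3268 failed with: Insufficient access: SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure.  Minor code may provide more information (Clock skew too great)
"""

# Timestamp, AD DC endpoint, and the last parenthesised text on the line,
# which is where the Kerberos minor status message appears.
AD_SEARCH_FAIL = re.compile(
    r"^\[(?P<ts>[^\]]+)\].*Search on AD DC (?P<dc>\S+) failed with: .*"
    r"\((?P<minor>[^()]+)\)\s*$"
)

# Minor messages that indicate a clock problem, with what to check.
TIME_RELATED = {
    "Ticket not yet valid": "check time and time zone on the IPA and AD DCs",
    "Clock skew too great": "clocks differ by more than the allowed Kerberos skew",
}

def find_time_sync_failures(log_text):
    """Return (timestamp, ad_dc, minor_message) for clock-related failures."""
    findings = []
    for line in log_text.splitlines():
        m = AD_SEARCH_FAIL.match(line)
        if not m or m.group("minor") not in TIME_RELATED:
            continue
        ts = datetime.strptime(m.group("ts"), "%a %b %d %H:%M:%S.%f %Y")
        findings.append((ts, m.group("dc"), m.group("minor")))
    return findings

if __name__ == "__main__":
    for ts, dc, minor in find_time_sync_failures(SAMPLE_LOG):
        print(f"{ts.isoformat()} {dc}: {minor} -> {TIME_RELATED[minor]}")
```

The INFO line is skipped on purpose: as in the thread, the API call is logged as SUCCESS even though zero members were added, so the WARNING line is the one to alert on.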
