Hi

Sorry, NTP was stopped. Now time is in sync. Rebooted the machine.

But the process is not going through.

[root@kwtpocpbis01 ~]# ipa group-add-member ad_admins_external --external 'ad_netbios\Domain Admins'
[member user]:
[member group]:
  Group name: ad_admins_external
  Description: infra.com admins external map
  Failed members:
    member user:
    member group: ad_netbios\Domain Admins: invalid 'trusted domain object': no trusted domain matched the specified flat name
-------------------------
Number of members added 0
-------------------------

[root@kwtpocpbis01 ~]# ipa group-add-member ad_admins_external --external 'ad_netbios\Domain Users'
[member user]:
[member group]:
  Group name: ad_admins_external
  Description: infra.com admins external map
  Failed members:
    member user:
    member group: ad_netbios\Domain Users: invalid 'trusted domain object': no trusted domain matched the specified flat name
-------------------------
Number of members added 0
-------------------------

And the error message in error_log is:

[Thu Mar 05 09:31:50.146154 2015] [:error] [pid 2101] ipa: INFO: [jsonserver_kerb] admin@SOLARIS.LOCAL: group_add_member(u'ad_admins_external', ipaexternalmember=(u'ad_netbios\\\\Domain Admins',), all=False, raw=False, version=u'2.113', no_members=False): SUCCESS

[Thu Mar 05 09:32:15.761885 2015] [:error] [pid 2101] ipa: INFO: [jsonserver_kerb] admin@SOLARIS.LOCAL: group_add_member(u'ad_admins_external', ipaexternalmember=(u'ad_netbios\\\\Domain Users',), all=False, raw=False, version=u'2.113', no_members=False): SUCCESS



On Thu, Mar 5, 2015 at 8:52 AM, Alexander Bokovoy <aboko...@redhat.com>
wrote:

> On Thu, 05 Mar 2015, Ben .T.George wrote:
>
>> Hi
>>
>> I have re-installed everything. My current versions are CentOS 7 with IPA
>> 4.1.
>>
>> I followed this tutorial:
>> http://www.freeipa.org/page/Howto/IPAv3_AD_trust_setup
>>
>> When I fetched, it went successfully:
>>
>> [root@kwtpocpbis01 ~]# ipa trustdomain-find "infra.com"
>>   Domain name: infra.com
>>   Domain NetBIOS name: INFRA
>>   Domain Security Identifier: S-1-5-21-191287045-4012216658-3592112898
>>   Domain enabled: True
>> ----------------------------
>> Number of entries returned 1
>> ----------------------------
>> [root@kwtpocpbis01 ~]# ipa trustdomain-find "infra.com"
>>   Domain name: infra.com
>>   Domain NetBIOS name: INFRA
>>   Domain Security Identifier: S-1-5-21-191287045-4012216658-3592112898
>>   Domain enabled: True
>> ----------------------------
>> Number of entries returned 1
>> ----------------------------
>>
>> When I went through "Allow access for users from AD domain to protected
>> resources", I am getting errors:
>>
>>
>> [root@kwtpocpbis01 ~]# ipa group-add --desc='infra.com users external map' ad_users_external --external
>> -------------------------------
>> Added group "ad_users_external"
>> -------------------------------
>>   Group name: ad_users_external
>>   Description: infra.com users external map
>>
>> [root@kwtpocpbis01 ~]# ipa group-add --desc='infra.com users' ad_users
>> ----------------------
>> Added group "ad_users"
>> ----------------------
>>   Group name: ad_users
>>   Description: infra.com users
>>   GID: 643400005
>>
>> [root@kwtpocpbis01 ~]# ipa group-add-member ad_users_external --external 'INFRA\Domain Users'
>> [member user]:
>> [member group]:
>>   Group name: ad_users_external
>>   Description: infra.com users external map
>>   Failed members:
>>     member user:
>>     member group: INFRA\Domain Users: trusted domain object not found
>> -------------------------
>> Number of members added 0
>> -------------------------
>>
>> [root@kwtpocpbis01 ~]# ipa group-add-member ad_users --groups ad_users_external
>>   Group name: ad_users
>>   Description: infra.com users
>>   GID: 643400005
>>   Member groups: ad_users_external
>> -------------------------
>> Number of members added 1
>> -------------------------
>>
>> Please help me to solve this issue.
>>
>> The error below appears in httpd/error_log while trying: ipa
>> group-add-member ad_users_external --external 'INFRA\Domain Users'
>>
>> [Thu Mar 05 11:36:37.371594 2015] [:error] [pid 4090] ipa: WARNING: Search on AD DC kwtipaad001.infra.com:3268 failed with: Insufficient access: SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure.  Minor code may provide more information (Ticket not yet valid)
>> [Thu Mar 05 11:36:37.374280 2015] [:error] [pid 4090] ipa: INFO: [jsonserver_kerb] admin@SOLARIS.LOCAL: group_add_member(u'ad_users_external', ipaexternalmember=(u'INFRA\\\\Domain Users',), all=False, raw=False, version=u'2.113', no_members=False): SUCCESS
>>
> OK, "Ticket not yet valid" is a time synchronization issue -- AD DC has
> time behind IPA DC. Check time and time zone settings.
>
> --
> / Alexander Bokovoy
>
-- 
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go To http://freeipa.org for more info on the project
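
Added example, not part of the original thread and not FreeIPA's own code: a small Python triage of httpd error_log lines like those quoted above. It flags the Kerberos time-validity failure that the reply attributes to time synchronization, and compares the flat name in each group_add_member call with the NetBIOS names printed by `ipa trustdomain-find`. The sample lines are constructed from the thread's output; the function names, the second skew marker and the case-insensitive comparison are assumptions.

```python
import re

# Constructed sample input, modelled on the output quoted in this thread.
TRUSTDOMAIN_FIND = """\
  Domain name: infra.com
  Domain NetBIOS name: INFRA
  Domain enabled: True
"""
PREFIX = "[Thu Mar 05 09:31:50.146154 2015] [:error] [pid 2101] ipa: "
ERROR_LOG = [
    PREFIX + "WARNING: Search on AD DC kwtipaad001.infra.com:3268 failed with: "
    "Insufficient access: SASL(-1): generic failure: GSSAPI Error: Unspecified "
    "GSS failure.  Minor code may provide more information (Ticket not yet valid)",
    PREFIX + r"INFO: [jsonserver_kerb] admin@SOLARIS.LOCAL: group_add_member("
    r"u'ad_admins_external', ipaexternalmember=(u'ad_netbios\\\\Domain Admins',), "
    r"all=False, raw=False, version=u'2.113', no_members=False): SUCCESS",
    PREFIX + r"INFO: [jsonserver_kerb] admin@SOLARIS.LOCAL: group_add_member("
    r"u'ad_users_external', ipaexternalmember=(u'INFRA\\\\Domain Users',), "
    r"all=False, raw=False, version=u'2.113', no_members=False): SUCCESS",
]

# Kerberos messages that point at clock disagreement between the two realms.
SKEW_MARKERS = ("Ticket not yet valid", "Clock skew too great")
# Captures the flat-name part before the backslashes of an external member.
MEMBER_RE = re.compile(r"ipaexternalmember=\(u'([^'\\]+)\\+[^']+'")

def trusted_flat_names(trustdomain_output):
    """NetBIOS (flat) names as printed by `ipa trustdomain-find`."""
    names = re.findall(r"Domain NetBIOS name:\s*(\S+)", trustdomain_output)
    return {n.upper() for n in names}  # assumption: compare case-insensitively

def triage(lines, flat_names):
    """Return (kind, detail) findings; the INFO lines end in SUCCESS either way."""
    findings = []
    for line in lines:
        if any(marker in line for marker in SKEW_MARKERS):
            dc = re.search(r"Search on AD DC (\S+) failed", line)
            findings.append(("clock-skew", dc.group(1) if dc else "unknown"))
        member = MEMBER_RE.search(line)
        if member and member.group(1).upper() not in flat_names:
            findings.append(("unknown-flat-name", member.group(1)))
    return findings

if __name__ == "__main__":
    for kind, detail in triage(ERROR_LOG, trusted_flat_names(TRUSTDOMAIN_FIND)):
        print(kind, detail)
```
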
