So, I've been fighting with getting a trust set up between FreeIPA 4.1
on CentOS 7.1 and Windows Server 2008r2 for nearly a week. Today I
finally came to a conclusion as to what my issue is.
I operate a secure network in which we have configuration guidelines for
securing Windows that we have to meet in order to receive what's known
as an "Authority to Operate", or ATO. A lot of this configuration is
done in the Global Policies.
Today I stumbled across one error buried in the Windows Security event
log, which, when correlated with the errors I was seeing from FreeIPA, led
me to our policy. The error that popped up in the event log was "The
user has not been granted the requested logon type at this machine." The
logon type was "3", which is network, and the Logon Process and
Authorization Package were both Kerberos.
Cross-referenced with the error on the IPA server:
"WARNING: Search on AD DC WINSRV.ad.domain.net:3268 failed with:
Insufficient access: 8009030C: LdapErr: DSID-0C0904DC, comment:
AcceptSecurityContext error, data 569, v1db1 Invalid Credentials"
Digging into our Domain Controller policy, I found that "Access this
computer from the network" is restricted to Domain Users, Domain
Controllers, Domain Computers, Domain Admins, and
BUILTIN\Administrators. I attempted to add a context that would allow
the IPA server to log on, and got so far through the wizard that it let
me select the trusted domain to search and returned a list of security
contexts, but when I attempted to add one (Authenticated Users), I
received the error that it couldn't be found because the server was
inaccessible. I saw no errors on the IPA side during this transaction.
So, to those of y'all that operate in secure environments, what trick do
you use to fully integrate IPA and Active Directory?
Dan Mossor, RHCSA
Fedora Server WG | Fedora KDE WG | Fedora QA Team
Fedora Infrastructure Apprentice
FAS: dmossor IRC: danofsatx
San Antonio, Texas, USA
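For anyone triaging the same symptom, here is an added PowerShell example (not part of the original post) that audits who actually holds "Access this computer from the network" on a DC and pulls the matching denied network logons from the Security log. It assumes the right's internal name SeNetworkLogonRight, Event ID 4625 for "An account failed to log on", and NTSTATUS 0xC000015B for "not granted the requested logon type"; run it in an elevated session on the DC.

```powershell
# Added example: audit SeNetworkLogonRight on this DC and correlate it with
# network logons (type 3) that were refused for lack of the right.
# Assumptions: Event ID 4625 = "An account failed to log on",
# Status 0xC000015B = STATUS_LOGON_TYPE_NOT_GRANTED (the message quoted above).

# 1. Export the effective (GPO-applied) user-rights assignment
$inf = Join-Path $env:TEMP 'rights.inf'
secedit /export /cfg $inf /areas USER_RIGHTS | Out-Null

# 2. Pull the principal list for "Access this computer from the network"
$line = Get-Content $inf | Where-Object { $_ -match '^SeNetworkLogonRight\s*=' }
if (-not $line) { Write-Warning 'SeNetworkLogonRight is not set in the exported policy'; return }
$entries = ($line -split '=', 2)[1] -split ',' | ForEach-Object { $_.Trim().TrimStart('*') }

# 3. Resolve SIDs to names so the list can be compared with the GPO setting
$holders = foreach ($entry in $entries) {
    if ($entry -notmatch '^S-1-') { $name = $entry }   # already a name, not a SID
    else {
        try {
            $sid  = New-Object System.Security.Principal.SecurityIdentifier($entry)
            $name = $sid.Translate([System.Security.Principal.NTAccount]).Value
        } catch { $name = '<unresolved>' }
    }
    [pscustomobject]@{ Entry = $entry; Name = $name }
}
Write-Host 'Principals granted SeNetworkLogonRight:'
$holders | Format-Table -AutoSize

# 4. Recent type-3 logons refused with STATUS_LOGON_TYPE_NOT_GRANTED
$denied = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4625 } `
    -MaxEvents 500 -ErrorAction SilentlyContinue |
    ForEach-Object {
        $x = [xml]$_.ToXml()
        $d = @{}
        foreach ($e in $x.Event.EventData.Data) { $d[$e.Name] = $e.'#text' }
        # -eq is case-insensitive, so the hex rendering of Status does not matter
        if ($d.LogonType -eq '3' -and $d.Status -eq '0xc000015b') {
            [pscustomobject]@{
                Time    = $_.TimeCreated
                Account = "$($d.TargetDomainName)\$($d.TargetUserName)"
                Source  = $d.IpAddress
                Process = $d.LogonProcessName
            }
        }
    }
Write-Host 'Network logons denied for missing SeNetworkLogonRight:'
$denied | Format-Table -AutoSize
```

If the IPA host's account (or a group containing it) is absent from the first table while it appears as the Account in the second, the GPO restriction is what is breaking the trust's LDAP binds.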
Manage your subscription for the Freeipa-users mailing list: