Greetings, folks.

So, I've been fighting with getting a trust set up between FreeIPA 4.1 on CentOS 7.1 and Windows Server 2008r2 for nearly a week. Today I finally came to a conclusion as to what my issue is.


I operate a secure network in which we have configuration guidelines for securing Windows that we have to meet in order to receive what's known as an "Authority to Operate", or ATO. A lot of this configuration is done in the Global Policies.

Today I stumbled across one error buried in the Windows Security event log, which, when correlated with the errors I was seeing from FreeIPA, led me to our policy. The error that popped up in the event log was "The user has not been granted the requested logon type at this machine." The logon type was "3", which is network, and the Logon Process and Authorization Package were both Kerberos.

Cross referenced with the error on the IPA server:
"WARNING: Search on AD DC WINSRV.ad.domain.net:3268 failed with: Insufficient access: 8009030C: LdapErr: DSID-0C0904DC, comment: AcceptSecurityContext error, data 569, v1db1 Invalid Credentials"

Digging into our Domain Controller policy, I found that "Access this computer from the network" is restricted to Domain Users, Domain Controllers, Domain Computers, Domain Admins, and BUILTIN\Administrators. I attempted to add a context that would allow the IPA server to log on, and got so far through the wizard that it let me select the trusted domain to search and returned a list of security contexts, but when I attempted to add one (Authenticated Users), I received the error that it couldn't be found because the server was inaccessible. I saw no errors on the IPA side during this transaction.
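As an added example (not part of the original post), here is a PowerShell check that lists which principals the effective local policy grants "Access this computer from the network" (SeNetworkLogonRight) on the machine it runs on, so the assignment can be verified on the DC without clicking through the Group Policy editor. The principal it looks for (`$Expected`, defaulting to "Authenticated Users") is an assumption; substitute whatever the IPA server actually authenticates as.

```powershell
# Added example, not from the original post: audit SeNetworkLogonRight on this
# machine by exporting the effective local security policy with secedit.
# Run in an elevated PowerShell on the domain controller.
param(
    [string]$Expected = 'Authenticated Users'   # assumed; adjust for your environment
)

$cfg = Join-Path $env:TEMP 'secpol-export.inf'
# secedit writes the effective policy (including what GPO applied) to an INF file
& secedit.exe /export /cfg $cfg /areas USER_RIGHTS | Out-Null
if (-not (Test-Path $cfg)) { throw "secedit export failed; run as Administrator" }

# The INF line looks like: SeNetworkLogonRight = *S-1-5-11,*S-1-5-32-544,...
$line = Get-Content $cfg | Where-Object { $_ -match '^SeNetworkLogonRight\s*=' }
Remove-Item $cfg -ErrorAction SilentlyContinue
if (-not $line) { throw "SeNetworkLogonRight not found in exported policy" }

$holders = ($line -split '=', 2)[1].Trim() -split ',' | ForEach-Object {
    $token = $_.Trim()
    if ($token.StartsWith('*')) {
        # Entries are SIDs prefixed with '*'; translate to DOMAIN\name where
        # possible, keep the raw SID if the trusted domain cannot be resolved.
        $sid = New-Object System.Security.Principal.SecurityIdentifier ($token.Substring(1))
        try { $sid.Translate([System.Security.Principal.NTAccount]).Value }
        catch { $sid.Value }
    } else { $token }
}

"Principals granted SeNetworkLogonRight on ${env:COMPUTERNAME}:"
$holders | ForEach-Object { "  $_" }

# A Kerberos network logon (type 3) by a principal outside this list is what
# produces "The user has not been granted the requested logon type at this
# machine" in the Security log and "data 569" on the LDAP bind from IPA.
if (-not ($holders -match [regex]::Escape($Expected))) {
    Write-Warning "'$Expected' is not granted network logon on this machine."
}
```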

So, to those of y'all that operate in secure environments, what trick do you use to fully integrate IPA and Active Directory?

--
Dan Mossor, RHCSA
Systems Engineer
Fedora Server WG | Fedora KDE WG | Fedora QA Team
Fedora Infrastructure Apprentice
FAS: dmossor IRC: danofsatx
San Antonio, Texas, USA

--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project