On Fri, 27 May 2016, Ben .T.George wrote:
This is what I am getting


And that wizard ends with nothing. Please anyone share more info regarding

The wizard asks you to enter the name of the domain, forest, or realm
for the trust. You are entering the hostname of the IPA master. This is never
going to fly.

In Active Directory terms:
- forest is a set of AD domains
- it is named after the first AD domain created in the forest
- this domain is called 'forest root domain'

In FreeIPA we have a single 'domain' from Active Directory perspective:
- this is the domain corresponding to the Kerberos realm name (ipa.local
  in your case)
- Forest name = forest root domain name = ipa.local

The wizard will then use DNS SRV records to discover IPA masters (AD DCs
for Active Directory view).


On Fri, May 27, 2016 at 10:24 AM, Ben .T.George <bentech4...@gmail.com>

Hi Alex.

I am using Windows 2008 R2.

When I am giving IPA's DNS name and click next, the trust wizard is not
going through. But if I am selecting realm trust, at least the wizard

So which AD version is recommended?


On Fri, May 27, 2016 at 7:05 AM, Alexander Bokovoy <aboko...@redhat.com>

On Fri, 27 May 2016, Ben .T.George wrote:


I ran some commands from AD side and the Trust status got changed. Below
the command I used on AD

netdom trust <TrustingDomainName> /d:<TrustedDomainName> /verify

Before it was: "waiting for confirmation by remote side" and now it got
changed to "Trust type: Active Directory domain"

But when I am trying to map AD group, it is not going through

[root@zkwipamstr01 ~]# ipa group-add-member ad_admins_external --external 'MTC_TABS\Domain Users'
[member user]:
[member group]:
Group name: ad_admins_external
Description: ad_domain admins external map
Failed members:
  member user:
  *member group: MTC_TABS\Domain Users: trusted domain object not found *
Number of members added 0

This is what my trust properties from AD. Trust type is showing as realm

It should be 'Forest', not 'realm'. Realm is for plain MIT Kerberos
realm trust which is *not* what IPA provides.

How can I fix this issue?

Use correct type of trust when establishing trust on AD side. If your
Windows version does not allow to specify proper trust type, I'm afraid,
there is nothing we can help with.

/ Alexander Bokovoy

/ Alexander Bokovoy
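
The DNS SRV discovery described in the reply above can be checked before running the trust wizard. The script below is an added example, not part of the original thread or of FreeIPA: it tests whether a name has the SRV records used to locate domain controllers. The record prefixes, the sample zone data and the FQDN zkwipamstr01.ipa.local are assumptions constructed for illustration; only ipa.local and the short host name come from the thread.

```shell
#!/bin/sh
# Added example: does a name typed into the trust wizard carry the SRV
# records used to locate domain controllers? All sample data is constructed.

# Constructed SRV data: owner name, then priority weight port target.
# zkwipamstr01.ipa.local is an assumed FQDN built from the thread's prompt.
SAMPLE_SRV='_ldap._tcp.dc._msdcs.ipa.local 0 100 389 zkwipamstr01.ipa.local.
_kerberos._udp.dc._msdcs.ipa.local 0 100 88 zkwipamstr01.ipa.local.
_ldap._tcp.ipa.local 0 100 389 zkwipamstr01.ipa.local.'

# Offline resolver: print the SRV data stored for owner name $1.
lookup_sample() {
    printf '%s\n' "$SAMPLE_SRV" |
        awk -v n="$1" '$1 == n { print $2, $3, $4, $5 }'
}

# Live resolver with the same interface (needs dig and a reachable DNS).
lookup_dig() {
    dig +short -t SRV "$1"
}

# check_trust_name RESOLVER NAME
# Returns 0 only if every locator record exists under NAME.
check_trust_name() {
    resolver=$1
    # DNS names are case-insensitive; also drop a trailing dot.
    name=$(printf '%s' "${2%.}" | tr '[:upper:]' '[:lower:]')
    missing=0
    for prefix in _ldap._tcp.dc._msdcs _kerberos._udp.dc._msdcs; do
        answer=$("$resolver" "$prefix.$name")
        if [ -n "$answer" ]; then
            echo "ok      $prefix.$name -> $answer"
        else
            echo "MISSING $prefix.$name"
            missing=1
        fi
    done
    return "$missing"
}

# Domain (realm) name: records found. Master's host name: nothing to find.
check_trust_name lookup_sample ipa.local
check_trust_name lookup_sample zkwipamstr01.ipa.local ||
    echo "-> not a domain name; enter ipa.local in the wizard"
```

Pass lookup_dig instead of lookup_sample to run the same check against live DNS, from a host that uses the same resolver as the AD domain controller.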
