I've been following the documentation at https://www.freeipa.org/page/Active_Directory_trust_setup and I was able to establish a two-way forest trust with Active Directory. I'm getting stuck when mapping external AD groups into a POSIX group (the "Allow access for users from AD domain to protected resources" section).
I've run the following commands to create and map the groups:

    ipa group-add --desc='sysops admins external map' sysops_external --external
    ipa group-add --desc='sysops admins' sysops
    ipa group-add-member sysops_external --external 'Activedirectory.com\Domain Admins'

The last command returns with an error: "no trusted domain matched the specified flat name".

In /var/log/messages I saw an error message about there not being a Kerberos account for ldap/activedirectoryserver@ipaserver, so I've added each host and an ldap service for each. Now, in /var/log/messages, I see "KDC has no support for encryption type" when I attempt to add the group map.

CentOS Linux release 7.2.1511 (Core)
IPA 4.2.0-15.0.1.el7.centos.6.1.x86_64

This is the command I used to establish the trust:

    ipa trust-add --type=ad Activedirectory.com --two-way=true --trust-secret

When checking, everything seems to be set up OK:

    ipa trust-show "Activedirectory.com"
      Realm name: Activedirectory.com
      Domain NetBIOS name: ACTIVEDIRECTORY
      Domain Security Identifier: S-1-5-21-4202716412-292079579-2462381064
      Trust direction: Two-way trust
      Trust type: Active Directory domain

    ipa trustdomain-find "Activedirectory.com"
      Domain name: Activedirectory.com
      Domain NetBIOS name: ACTIVEDIRECTORY
      Domain Security Identifier: S-1-5-21-4202716412-292079579-2462381064
      Domain enabled: True
    ----------------------------
    Number of entries returned 1
    ----------------------------

    ipa trust-fetch-domains "Activedirectory.com"
    -------------------------------
    No new trust domains were found
    -------------------------------
    ----------------------------
    Number of entries returned 0
    ----------------------------
-- Manage your subscription for the Freeipa-users mailing list: https://www.redhat.com/mailman/listinfo/freeipa-users Go to http://freeipa.org for more info on the project
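A pre-flight check for the group-add-member step, added here as an example; it is not part of the original post and not FreeIPA's own code. It parses the "ipa trustdomain-find" output shown above (embedded as constructed sample text) and reports which enabled trusted domain an external member spec would resolve against, on the assumption that FreeIPA resolves the DOMAIN\name form by the domain's NetBIOS (flat) name, the name@domain form by its DNS name, and a SID by its domain-SID prefix. Running it before the ipa call catches a domain/name mismatch locally instead of as an error in /var/log/messages.

```shell
#!/bin/sh
# Pre-flight check for: ipa group-add-member <group> --external '<member>'
# Added example, not FreeIPA code. TRUSTDOMAIN_OUTPUT is constructed sample
# text in the shape of `ipa trustdomain-find` output; in real use replace it
# with: TRUSTDOMAIN_OUTPUT=$(ipa trustdomain-find "Activedirectory.com")
TRUSTDOMAIN_OUTPUT='  Domain name: Activedirectory.com
  Domain NetBIOS name: ACTIVEDIRECTORY
  Domain Security Identifier: S-1-5-21-4202716412-292079579-2462381064
  Domain enabled: True'

# Lower-case a string (NetBIOS and DNS names are compared case-insensitively).
lc() { printf '%s' "$1" | tr '[:upper:]' '[:lower:]'; }

# Classify a member spec: "flat" for DOMAIN\name, "dns" for name@domain,
# "sid" for S-1-5-..., empty for anything else. (Assumed resolution rules.)
member_form() {
  case $1 in
    S-1-5-*) printf 'sid' ;;
    *\\*)    printf 'flat' ;;
    *@*)     printf 'dns' ;;
    *)       printf '' ;;
  esac
}

# Extract the domain part of a member spec (the whole SID for the sid form).
member_domain() {
  case $1 in
    S-1-5-*) printf '%s' "$1" ;;
    *\\*)    printf '%s' "$1" | cut -d'\' -f1 ;;
    *@*)     printf '%s' "${1##*@}" ;;
  esac
}

# Print the SID of the enabled trusted domain the spec resolves against and
# return 0; otherwise write a diagnostic to stderr and return 1.
check_member() {
  spec=$1
  form=$(member_form "$spec")
  if [ -z "$form" ]; then
    echo "unrecognised member spec '$spec' (expected DOMAIN\\name, name@domain or a SID)" >&2
    return 1
  fi
  want=$(lc "$(member_domain "$spec")")
  # Walk the trustdomain-find output one domain block at a time; a block is
  # complete when its "Domain enabled:" line is seen.
  if ! sid=$(printf '%s\n' "$TRUSTDOMAIN_OUTPUT" | awk -v want="$want" -v form="$form" '
      /Domain name:/                { dns = tolower($3) }
      /Domain NetBIOS name:/        { nb  = tolower($4) }
      /Domain Security Identifier:/ { sid = $4 }
      /Domain enabled:/ && $3 == "True" {
        if ((form == "flat" && nb == want) ||
            (form == "dns"  && dns == want) ||
            (form == "sid"  && index(want, tolower(sid) "-") == 1)) {
          print sid; found = 1; exit
        }
      }
      END { exit found ? 0 : 1 }'); then
    echo "no enabled trusted domain matches '$want' when looked up by $form name" >&2
    return 1
  fi
  printf '%s\n' "$sid"
}
```

Usage: "check_member 'ACTIVEDIRECTORY\Domain Admins' && ipa group-add-member sysops_external --external 'ACTIVEDIRECTORY\Domain Admins'" only runs the ipa command when the spec resolves against an enabled domain in the trust; a spec whose domain part is neither the NetBIOS name (backslash form) nor the DNS name (@ form) stops with a message naming which lookup failed.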