Hello Guys, we need help to establish a trust from freeipa to ad. Ad users 
should be able to access to linux environment, but linux users not to ad 

our setup:

AD Domain:
domain.com, there we have two AD-Controllers installed wird Windows Server 
2008. All users are managed here.

IPA Domain:
wop.domain.com. We would like to sync users from ad to a specific group to 
provide user-management in linux environments. In this subdomain we have 2 
ipa-servers: ipa01.wop.domain.com and ipa02.domain.com

Ipa version on both servers is: VERSION: 4.2.0, API_VERSION: 2.156

Both serves have "ipa-server-trust-ad" installed.

[root@ipa01<mailto:root@ipa01> ~]# ipactl status
Directory Service: RUNNING
krb5kdc Service: RUNNING
kadmin Service: RUNNING
named Service: RUNNING
ipa_memcached Service: RUNNING
httpd Service: RUNNING
pki-tomcatd Service: RUNNING
smb Service: RUNNING
winbind Service: RUNNING
ipa-otpd Service: RUNNING
ipa-dnskeysyncd Service: RUNNING
ipa: INFO: The ipactl command was successful

kinit admin works as expected !

DNS konfiguration:

[root@ipa01<mailto:root@ipa01> ~]# dig +short -t SRV 
0 100 88 ipa02.wop.domain.com.
0 100 88 ipa01.wop.domain.com.

root@ipa01<mailto:root@ipa01> ~]# dig +short -t TXT _kerberos.wop.domain.com

[root@ipa01<mailto:root@ipa01> ~]# dig +short -t SRV 
0 100 88 ipa02.wop.domain.com.
0 100 88 ipa01.wop.domain.com.

[root@ipa01<mailto:root@ipa01> ~]# dig +short -t SRV 
0 100 88 ipa01.wop.domain.com.
0 100 88 ipa02.wop.domain.com.


Standardserver:  dc2.domain.com

> set type=SRV
> _kerberos._udp.wop.domain.com.
Server:  dc2.domain.com

Nicht autorisierende Antwort:
_kerberos._udp.wop.domain.com       SRV service location:
          priority       = 0
          weight         = 100
          port           = 88
          svr hostname   = ipa01.wop.domainc.om
_kerberos._udp.wop.rto.de       SRV service location:
          priority       = 0
          weight         = 100
          port           = 88
          svr hostname   = ipa02.wop.domain.com

ipa01.wop.domain.com        internet address =
ipa02.wop.domainc.om        internet address =

DNS looks fine, firewall too.

Providing trust:ipa trust-add --type=ad rto.de --trust-secret 

As a Result:

[root@ipa01<mailto:root@ipa01> ~]# ipa trustdomain-find domain.com
  Domain name: domain.com
  Domain NetBIOS name: DOMAIN (It should be DC2, right?)
  Domain Security Identifier: S-1-5-21-746137067-2052111302-1801674531
  Domain enabled: True

ipa trust-fetch-domain domain.com


[Thu Nov 24 13:43:44.167918 2016] [:error] [pid 9123] ipa: INFO: 
[jsonserver_session] admin@WOP.DOMAIN<file://admin@WOP.DOMAIN>.COM: ping(): 
[Thu Nov 24 13:43:44.306718 2016] [:error] [pid 9124] ipa: INFO: 
[jsonserver_session] admin@WOP.DOMAIN<file://admin@WOP.DOMAIN>.COM: 
trustdomain_find(u'domain.com', None, all=False, raw=False, version=u'2.156', 
pkey_only=False): SUCCESS
[Thu Nov 24 13:45:16.662862 2016] [:error] [pid 9123] ipa: INFO: 401 
Unauthorized: Insufficient access: SASL(-1): generic failure: GSSAPI Error: 
Unspecified GSS failure.  Minor code may provide more information (Cannot 
contact any KDC for realm 'WOP.DOMAIN.COM)

I can't understand the problem.

On AD side we create a trust certifiacte as explained hear:

Manage your subscription for the Freeipa-users mailing list:
Go to http://freeipa.org for more info on the project

Reply via email to