On to, 24 marras 2016, Denis Müller wrote:
Hello Guys, we need help to establish a trust from freeipa to ad. Ad
users should be able to access to linux environment, but linux users
not to ad environment.

our setup:

AD Domain:
domain.com, there we have two AD-Controllers installed wird Windows
Server 2008. All users are managed here.

IPA Domain:
wop.domain.com. We would like to sync users from ad to a specific group
to provide user-management in linux environments. In this subdomain we
have 2 ipa-servers: ipa01.wop.domain.com and ipa02.domain.com

Ipa version on both servers is: VERSION: 4.2.0, API_VERSION: 2.156

Both serves have "ipa-server-trust-ad" installed.

[root@ipa01<mailto:root@ipa01> ~]# ipactl status
Directory Service: RUNNING
krb5kdc Service: RUNNING
kadmin Service: RUNNING
named Service: RUNNING
ipa_memcached Service: RUNNING
httpd Service: RUNNING
pki-tomcatd Service: RUNNING
smb Service: RUNNING
winbind Service: RUNNING
ipa-otpd Service: RUNNING
ipa-dnskeysyncd Service: RUNNING
ipa: INFO: The ipactl command was successful

kinit admin works as expected !

DNS konfiguration:

[root@ipa01<mailto:root@ipa01> ~]# dig +short -t SRV 
0 100 88 ipa02.wop.domain.com.
0 100 88 ipa01.wop.domain.com.

root@ipa01<mailto:root@ipa01> ~]# dig +short -t TXT _kerberos.wop.domain.com

[root@ipa01<mailto:root@ipa01> ~]# dig +short -t SRV 
0 100 88 ipa02.wop.domain.com.
0 100 88 ipa01.wop.domain.com.

[root@ipa01<mailto:root@ipa01> ~]# dig +short -t SRV 
0 100 88 ipa01.wop.domain.com.
0 100 88 ipa02.wop.domain.com.


Standardserver:  dc2.domain.com

set type=SRV
Server:  dc2.domain.com

Nicht autorisierende Antwort:
_kerberos._udp.wop.domain.com       SRV service location:
         priority       = 0
         weight         = 100
         port           = 88
         svr hostname   = ipa01.wop.domainc.om
_kerberos._udp.wop.rto.de       SRV service location:
         priority       = 0
         weight         = 100
         port           = 88
         svr hostname   = ipa02.wop.domain.com

ipa01.wop.domain.com        internet address =
ipa02.wop.domainc.om        internet address =

DNS looks fine, firewall too.

Providing trust:ipa trust-add --type=ad rto.de --trust-secret 

As a Result:

[root@ipa01<mailto:root@ipa01> ~]# ipa trustdomain-find domain.com
 Domain name: domain.com
 Domain NetBIOS name: DOMAIN (It should be DC2, right?)
 Domain Security Identifier: S-1-5-21-746137067-2052111302-1801674531
 Domain enabled: True

ipa trust-fetch-domain domain.com


[Thu Nov 24 13:43:44.167918 2016] [:error] [pid 9123] ipa: INFO: [jsonserver_session] 
admin@WOP.DOMAIN<file://admin@WOP.DOMAIN>.COM: ping(): SUCCESS
[Thu Nov 24 13:43:44.306718 2016] [:error] [pid 9124] ipa: INFO: [jsonserver_session] 
admin@WOP.DOMAIN<file://admin@WOP.DOMAIN>.COM: trustdomain_find(u'domain.com', 
None, all=False, raw=False, version=u'2.156', pkey_only=False): SUCCESS
[Thu Nov 24 13:45:16.662862 2016] [:error] [pid 9123] ipa: INFO: 401
Unauthorized: Insufficient access: SASL(-1): generic failure: GSSAPI
Error: Unspecified GSS failure.  Minor code may provide more
information (Cannot contact any KDC for realm 'WOP.DOMAIN.COM)

I can't understand the problem.
It looks like IPA master's Kerberos configuration does not allow to
resolve KDCs of unknown realms via DNS.

What do you have in /etc/krb5.conf in the [libdefaults] section:

 dns_lookup_realm = false
 dns_lookup_kdc = false


 dns_lookup_realm = true
 dns_lookup_kdc = true

See manual page for krb5.conf for details on these options.

On AD side we create a trust certifiacte as explained hear:
I'm not sure what do you mean by 'trust certificate', there is no such
thing and no such requirement.

/ Alexander Bokovoy

Manage your subscription for the Freeipa-users mailing list:
Go to http://freeipa.org for more info on the project

Reply via email to