Hello! As I understand from this thread, <https://www.redhat.com/archives/freeipa-users/2016-October/msg00147.html>, it should be possible to set up a trust between FreeIPA and Samba4. My AD domain is clients.i.rdmedia.com; it is a subdomain of my FreeIPA domain, i.rdmedia.com. Therefore I added a global forwarder on the Samba AD DC pointing to one of the FreeIPA replicas, and lookup of SRV records in both domains appears to work.

However, when I try to add the trust I get "ipa: ERROR an internal error has occurred". I ran the trust-add command with full debug logging as described on https://www.freeipa.org/page/Active_Directory_trust_setup#Debugging_trust, so I can provide these logs privately upon request.

I suspect some DNS issue, as right after I try to set up the trust, dynamic updates stop working on the AD Domain Controller with this error:

    tkey query failed: GSSAPI error: Major = Unspecified GSS failure. Minor code may provide more information, Minor = Server DNS/fluorine.clients.i.rdmedia....@i.rdmedia.com not found in Kerberos database.
    Failed nsupdate: 1
    update(nsupdate): SRV _ldap._tcp.Default-First-Site-Name._sites.ForestDnsZones.clients.i.rdmedia.com fluorine.clients.i.rdmedia.com 389
    Calling nsupdate for SRV _ldap._tcp.Default-First-Site-Name._sites.ForestDnsZones.clients.i.rdmedia.com fluorine.clients.i.rdmedia.com 389 (add)
    Outgoing update query:
    ;; ->>HEADER<<- opcode: UPDATE, status: NOERROR, id: 0
    ;; flags:; ZONE: 0, PREREQ: 0, UPDATE: 0, ADDITIONAL: 0
    ;; UPDATE SECTION:
    _ldap._tcp.Default-First-Site-Name._sites.ForestDnsZones.clients.i.rdmedia.com. 900 IN SRV 0 100 389 fluorine.clients.i.rdmedia.com.

Many thanks in advance for your assistance.

-- 
Tiemen Ruiten
Systems Engineer
R&D Media
-- Manage your subscription for the Freeipa-users mailing list: https://www.redhat.com/mailman/listinfo/freeipa-users Go to http://freeipa.org for more info on the project
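The post above says SRV lookups "appear to work" and then quotes a GSS-TSIG (TKEY) failure naming a DNS/<host>@realm principal. The script below is an added example, not code from the thread or from the FreeIPA or Samba projects: it checks the SRV records both domains need through the same forwarder the AD DC uses, and then asks IPA whether the DNS service principal named in such an error actually exists in its realm. It assumes dig and the ipa CLI are installed on an IPA-enrolled host with a valid Kerberos ticket; the domain names, forwarder address and DC hostname are passed as arguments (the 192.0.2.10 address in the usage line is a constructed placeholder).

```shell
#!/bin/sh
# Added example (not from the original thread): DNS sanity checks between a
# FreeIPA domain and a Samba AD subdomain before running ipa trust-add.
# Assumptions: dig and the ipa CLI are available and a ticket has been
# obtained with kinit; all names/addresses come from the command line.

# Parse `dig +short SRV` output ("prio weight port target.") and print only
# the target hostnames, without the trailing dot.
srv_targets() {
    awk 'NF == 4 { sub(/\.$/, "", $4); print $4 }'
}

# Report whether SRV record $1 resolves through server $2 (0 = found).
check_srv() {
    name=$1; server=$2
    targets=$(dig +short @"$server" SRV "$name" | srv_targets)
    if [ -z "$targets" ]; then
        echo "MISSING  $name (via $server)"
        return 1
    fi
    echo "OK       $name -> $(echo "$targets" | tr '\n' ' ')"
}

# Build the DNS/<host>@REALM principal that a GSS-TSIG update against the
# IPA DNS server must be able to obtain a ticket for. Kerberos realms are
# upper-case, so the domain name is upper-cased here.
dns_principal() {
    host=$1; realm=$2
    printf 'DNS/%s@%s\n' "$host" "$(echo "$realm" | tr '[:lower:]' '[:upper:]')"
}

# Run every check; exit status is non-zero if anything is missing.
run_checks() {
    ipa_domain=$1; ad_domain=$2; server=$3; ad_dc=$4
    rc=0
    for dom in "$ipa_domain" "$ad_domain"; do
        for rr in _ldap._tcp _kerberos._tcp _kerberos._udp; do
            check_srv "$rr.$dom" "$server" || rc=1
        done
    done
    # Does IPA's KDC know the principal that the TKEY error complains about?
    princ=$(dns_principal "$ad_dc" "$ipa_domain")
    if ipa service-show "$princ" >/dev/null 2>&1; then
        echo "OK       $princ exists in IPA"
    else
        echo "MISSING  $princ not found in IPA"
        rc=1
    fi
    return $rc
}

# usage (constructed forwarder address):
#   sh check_trust_dns.sh i.rdmedia.com clients.i.rdmedia.com 192.0.2.10 fluorine.clients.i.rdmedia.com
if [ "$#" -eq 4 ]; then
    run_checks "$@"
fi
```

Run it once against the IPA replica the forwarder points at and once against the AD DC itself; if the SRV set differs between the two, or the DNS/ principal is reported missing, that is the place to start reading the trust-add debug log.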