On Fri, Apr 28, 2017 at 07:27:20PM +0200, Tiemen Ruiten wrote:
> Hello Alexander, list,
> I did get further by specifying --external=true in the ipa trust-add
> command, it works now for *both* the Windows and the Samba domain:
> ipa trust-add office.rdmedia.com --type=ad --admin Administrator --password
> --two-way=false --external=true
> IPA reports the trust is established successfully and I can also see it in
> Active Directory Domains and Trusts. However, adding users/groups to an
> external group fails:
> [root@ipa-ams-01 tiemen]# ipa group-add-member office_admins_external
> --external "OFFICE\domain admins"
> [member user]:
> [member group]:
>   Group name: office_admins_external
>   Description: office.rdmedia.com admins external map
>   Failed members:
>     member user:
>     member group: *OFFICE\domain admins: trusted domain object not found*
> -------------------------
> Number of members added 0
> -------------------------

Domain Admins is a domain-local group typically. I would advise against
using those for cross-forest trust memberships in general.

Can you also check if you can resolve objects from the trusted AD/Samba
domain? Try:
    getent passwd administra...@office.rdmedia.com
for example.

Manage your subscription for the Freeipa-users mailing list:
Go to http://freeipa.org for more info on the project

Reply via email to