On su, 14 touko 2017, Patrick Hemmer wrote:
I'm working on spinning up a FreeIPA server with an AD trust. I've
followed the official guide
(https://www.freeipa.org/page/Active_Directory_trust_setup), and
everything works up to the point of trying to add external members to
the group. Whenever I try I get:

# ipa group-add-member ad_admins_external --external 'CHEWY\Domain Admins'
[member user]:
[member group]:
 Group name: ad_admins_external
 Description: ad_domain admins external map
 Failed members:
   member user:
   member group: CHEWY\Domain Admins: trusted domain object not found
Number of members added 0

I turned up the debugging to 100, re-established the trust, and tried to
perform the group-add-member again. Logs have uploaded the logs here:
I'm just testing the procedure on a couple local development VMs, so
there's nothing sensitive in there.

Confusingly, according to the httpd log the operation was successful:
[Sun May 14 01:49:24.171867 2017] [:error] [pid 23688] ipa: INFO:
[jsonserver_session] admin@LOCAL:
ipaexternalmember=(u'CHEWY\\\\Domain Admins',), version=u'2.213'): SUCCESS

I'm not sure where the issue here lies. So any insight would be appreciated.

The issue is in your choice of IPA domain name: local. This is not going
to work with AD -- as you can see, there are subtle issues. Even though
AD DC accepts a trust to LOCAL forest, it cannot really operate it
internally, thus even looking up forest topology fails at the point when
IPA framework attempts to authenticate. See [1] for list of limitations
in pure Active Directory for single-label domains.


We don't recommend using single-label DNS configurations. Even in a lab
environment they are source of various issues.

/ Alexander Bokovoy

Manage your subscription for the Freeipa-users mailing list:
Go to http://freeipa.org for more info on the project

Reply via email to