Re: [Freeipa-users] Error trying to use trusted AD objects: trusted domain object not found

Sun, 14 May 2017 01:22:23 -0700 

On su, 14 touko 2017, Patrick Hemmer wrote:

I'm working on spinning up a FreeIPA server with an AD trust. I've
followed the official guide
(https://www.freeipa.org/page/Active_Directory_trust_setup), and
everything works up to the point of trying to add external members to
the group. Whenever I try I get:

# ipa group-add-member ad_admins_external --external 'CHEWY\Domain Admins'
[member user]:
[member group]:
 Group name: ad_admins_external
 Description: ad_domain admins external map
 Failed members:
   member user:
   member group: CHEWY\Domain Admins: trusted domain object not found
-------------------------
Number of members added 0
-------------------------


I turned up the debugging to 100, re-established the trust, and tried to
perform the group-add-member again. Logs have uploaded the logs here:
https://s3.amazonaws.com/phemmer-misc/freeipa-logs.tar.gz
I'm just testing the procedure on a couple local development VMs, so
there's nothing sensitive in there.

Confusingly, according to the httpd log the operation was successful:
[Sun May 14 01:49:24.171867 2017] [:error] [pid 23688] ipa: INFO:
[jsonserver_session] admin@LOCAL:
group_add_member/1(u'ad_admins_external',
ipaexternalmember=(u'CHEWY\\\\Domain Admins',), version=u'2.213'): SUCCESS

I'm not sure where the issue here lies. So any insight would be appreciated.


The issue is in your choice of IPA domain name: local. This is not going
to work with AD -- as you can see, there are subtle issues. Even though
AD DC accepts a trust to LOCAL forest, it cannot really operate it
internally, thus even looking up forest topology fails at the point when
IPA framework attempts to authenticate. See [1] for list of limitations
in pure Active Directory for single-label domains.

[1] 
https://support.microsoft.com/en-us/help/300684/deployment-and-operation-of-active-directory-domains-that-are-configured-by-using-single-label-dns-names

We don't recommend using single-label DNS configurations. Even in a lab
environment they are source of various issues.

--
/ Alexander Bokovoy

--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project

Reply via email to