On Sun, 14 May 2017, Patrick Hemmer wrote:
I'm working on spinning up a FreeIPA server with an AD trust. I've
followed the official guide
everything works up to the point of trying to add external members to
the group. Whenever I try I get:
# ipa group-add-member ad_admins_external --external 'CHEWY\Domain Admins'
Group name: ad_admins_external
Description: ad_domain admins external map
member group: CHEWY\Domain Admins: trusted domain object not found
Number of members added 0
I turned up the debugging to 100, re-established the trust, and tried to
perform the group-add-member again. I have uploaded the logs here:
I'm just testing the procedure on a couple local development VMs, so
there's nothing sensitive in there.
Confusingly, according to the httpd log the operation was successful:
[Sun May 14 01:49:24.171867 2017] [:error] [pid 23688] ipa: INFO:
ipaexternalmember=(u'CHEWY\\\\Domain Admins',), version=u'2.213'): SUCCESS
I'm not sure where the issue here lies. So any insight would be appreciated.
The issue is in your choice of IPA domain name: local. This is not going
to work with AD -- as you can see, there are subtle issues. Even though
the AD DC accepts a trust to the LOCAL forest, it cannot really operate it
internally, thus even looking up the forest topology fails at the point when
the IPA framework attempts to authenticate. See  for a list of limitations
in pure Active Directory for single-label domains.
We don't recommend using single-label DNS configurations. Even in a lab
environment they are a source of various issues.
/ Alexander Bokovoy
Manage your subscription for the Freeipa-users mailing list:
Go to http://freeipa.org for more info on the project