[Freeipa-users] Re: Two way trust problem
On Fri, Jul 21, 2017 at 05:53:57AM -0400, Steve Weeks via FreeIPA-users wrote:
> Looks like I got the rootDSE, 109 lines of information and got the
> following at the end. I don't know much about ldap so I'm guessing this
> was successful

Yes, so the trust indeed works.

> And, yes I did get a ldap/ad.cd ticket. What should I
> look at next?

SSSD on the server itself. Please check out
https://docs.pagure.org/SSSD.sssd/users/troubleshooting.html, hopefully
the server-side sssd logs would help.

___
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org
[Freeipa-users] Re: Two way trust problem
On Thu, Jul 20, 2017 at 12:20:31PM -0400, Steve Weeks via FreeIPA-users wrote:
> We've setup a two-way trust with AD and it seems to have worked, but it
> doesn't look like it is working correctly.
>
> The kerberos commands (kinit and kvno) work fine, but things like 'id
> adu...@addomain.example.com' and 'getent passwd adu...@addomain.example.com'
> don't work.
>
> # ipa trust-add --type ad addomain.example.com --admin adadmin --password
> --two-way=true
> Active Directory domain administrator's password:
> -
> Added Active Directory trust for realm "addomain.example.com"
> -
> Realm name: addomain.example.com
> Domain NetBIOS name: ADDOMAIN
> Domain Security Identifier: S-1-5-21-2229161606-873856335-779138662
> Trust direction: Two-way trust
> Trust type: Active Directory domain
> Trust status: Established and verified
>
> # kinit adu...@addomain.example.com
> Password for adu...@addomain.example.com:
>
> # klist
> Ticket cache: KEYRING:persistent:0:krb_ccache_o3D2R5S
> Default principal: adu...@addomain.example.com
>
> Valid starting       Expires              Service principal
> 07/20/2017 12:16:41  07/20/2017 22:16:41  krbtgt/
> addomain.example@addomain.example.com
>         renew until 07/21/2017 12:16:38
>
> # id adu...@addomain.example.com
> id: ‘adu...@addomain.example.com’: no such user
>
> Is this the best way to test the trust?
>
> We are running FreeIPA 4.4 and Windows Server 2012 R2
>
> When setting up the trust we needed to modify /etc/hosts as described in
> https://bugzilla.redhat.com/show_bug.cgi?id=878168

Since the trust is two-way, can you kinit using the system keytab and try
searching the AD DC? e.g.

kinit -k
ldapsearch -Y GSSAPI -H ldap://your.ad.dc -s base -b ""

that should return the rootDSE and give you the ldap/your.ad.dc ticket in
the process if the trust works OK.
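The trust check suggested in the reply above, written out as a small diagnostic script. This is an added example, not code from the thread or from the FreeIPA project: it runs kinit with the IPA server's host keytab, reads the AD DC's rootDSE over LDAP with GSSAPI (which makes the KDC issue a cross-realm ldap/<dc> service ticket), verifies that ticket is in the cache, and only then tries NSS/SSSD resolution of an AD user, so a failure is localised to either the Kerberos/LDAP layer or SSSD. AD_DC, AD_USER and the sample klist/ldapsearch outputs are assumed placeholders and constructed data, not values from the page.

```shell
#!/bin/sh
# Added example (not from the thread): step-by-step check of a two-way
# IPA <-> AD trust, separating the Kerberos/LDAP layer from SSSD resolution.
# AD_DC and AD_USER are assumed placeholders; override them in the environment.

AD_DC="${AD_DC:-ad.addomain.example.com}"          # assumed AD DC FQDN
AD_USER="${AD_USER:-aduser@addomain.example.com}"  # assumed AD user

# has_ldap_ticket DC  (klist output on stdin)
# Exit 0 if the credential cache listing contains an ldap/DC service ticket.
# Case-insensitive because AD may return the SPN in its own letter case.
has_ldap_ticket() {
    grep -qi "ldap/$1"
}

# root_dse_ok  (ldapsearch output on stdin)
# Exit 0 if the rootDSE reply shows a real DC answered (defaultNamingContext)
# and advertises the GSSAPI SASL mechanism we just bound with.
root_dse_ok() {
    out=$(cat)
    printf '%s\n' "$out" | grep -q '^defaultNamingContext:' &&
    printf '%s\n' "$out" | grep -qi '^supportedSASLMechanisms:.*GSSAPI'
}

# check_trust: the live procedure; needs kinit, ldapsearch, klist and getent.
check_trust() {
    tmp=$(mktemp) || return 1
    kinit -k || { echo "kinit -k failed: check the IPA host keytab"; rm -f "$tmp"; return 1; }
    if ! ldapsearch -LLL -Y GSSAPI -H "ldap://$AD_DC" -s base -b "" > "$tmp" 2>&1; then
        echo "GSSAPI bind to $AD_DC failed:"; cat "$tmp"; rm -f "$tmp"; return 1
    fi
    if ! root_dse_ok < "$tmp"; then
        echo "rootDSE reply lacks defaultNamingContext/GSSAPI:"; cat "$tmp"; rm -f "$tmp"; return 1
    fi
    rm -f "$tmp"
    if ! klist | has_ldap_ticket "$AD_DC"; then
        echo "no ldap/$AD_DC ticket in cache: cross-realm TGS request failed"; return 1
    fi
    echo "trust OK at the Kerberos/LDAP layer; checking SSSD resolution of $AD_USER"
    getent passwd "$AD_USER" || { echo "$AD_USER not resolvable: look at the server-side sssd logs"; return 1; }
}

# Constructed sample outputs so the helper checks can be exercised offline.
SAMPLE_KLIST='Ticket cache: KEYRING:persistent:0:krb_ccache_example
Default principal: host/ipa.example.com@EXAMPLE.COM

Valid starting       Expires              Service principal
07/20/2017 12:16:41  07/20/2017 22:16:41  krbtgt/EXAMPLE.COM@EXAMPLE.COM
07/20/2017 12:16:45  07/20/2017 22:16:41  krbtgt/ADDOMAIN.EXAMPLE.COM@EXAMPLE.COM
07/20/2017 12:16:46  07/20/2017 22:16:41  ldap/ad.addomain.example.com@ADDOMAIN.EXAMPLE.COM'

SAMPLE_ROOTDSE='dn:
defaultNamingContext: DC=addomain,DC=example,DC=com
supportedSASLMechanisms: GSSAPI
supportedSASLMechanisms: GSS-SPNEGO
supportedLDAPVersion: 3'

# Run the live check only when asked: sh trustcheck.sh run
case "${1:-}" in
    run) check_trust ;;
esac
```

Run it on the IPA server as root with `sh trustcheck.sh run`; the second krbtgt line in the sample (krbtgt/AD-REALM@IPA-REALM) is the cross-realm TGT that the KDC hands out before the ldap/<dc> ticket, so its absence in real klist output points at the trust itself rather than at LDAP.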