Re: [Freeipa-users] Error trying to use trusted AD objects: trusted domain object not found
On 2017/5/14 04:19, Alexander Bokovoy wrote:
> On Sun, 14 May 2017, Patrick Hemmer wrote:
>> I'm working on spinning up a FreeIPA server with an AD trust. I've
>> followed the official guide
>> (https://www.freeipa.org/page/Active_Directory_trust_setup), and
>> everything works up to the point of trying to add external members to
>> the group. Whenever I try I get:
>>
>> # ipa group-add-member ad_admins_external --external 'CHEWY\Domain Admins'
>> [member user]:
>> [member group]:
>>   Group name: ad_admins_external
>>   Description: ad_domain admins external map
>>   Failed members:
>>     member user:
>>     member group: CHEWY\Domain Admins: trusted domain object not found
>> -
>> Number of members added 0
>> -
>>
>> I turned up the debugging to 100, re-established the trust, and tried to
>> perform the group-add-member again. I have uploaded the logs here:
>> https://s3.amazonaws.com/phemmer-misc/freeipa-logs.tar.gz
>> I'm just testing the procedure on a couple of local development VMs, so
>> there's nothing sensitive in there.
>>
>> Confusingly, according to the httpd log the operation was successful:
>> [Sun May 14 01:49:24.171867 2017] [:error] [pid 23688] ipa: INFO:
>> [jsonserver_session] admin@LOCAL:
>> group_add_member/1(u'ad_admins_external',
>> ipaexternalmember=(u'CHEWYDomain Admins',), version=u'2.213'):
>> SUCCESS
>>
>> I'm not sure where the issue here lies. So any insight would be
>> appreciated.
>
> The issue is in your choice of IPA domain name: local. This is not going
> to work with AD -- as you can see, there are subtle issues. Even though
> AD DC accepts a trust to LOCAL forest, it cannot really operate it
> internally, thus even looking up forest topology fails at the point when
> IPA framework attempts to authenticate. See [1] for a list of limitations
> in pure Active Directory for single-label domains.
>
> [1]
> https://support.microsoft.com/en-us/help/300684/deployment-and-operation-of-active-directory-domains-that-are-configured-by-using-single-label-dns-names
>
> We don't recommend using single-label DNS configurations. Even in a lab
> environment they are a source of various issues.

Thanks, switching to a second level domain did indeed solve the issue.

-Patrick

--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project
Re: [Freeipa-users] Error trying to use trusted AD objects: trusted domain object not found
On Sun, 14 May 2017, Patrick Hemmer wrote:
> I'm working on spinning up a FreeIPA server with an AD trust. I've
> followed the official guide
> (https://www.freeipa.org/page/Active_Directory_trust_setup), and
> everything works up to the point of trying to add external members to
> the group. Whenever I try I get:
>
> # ipa group-add-member ad_admins_external --external 'CHEWY\Domain Admins'
> [member user]:
> [member group]:
>   Group name: ad_admins_external
>   Description: ad_domain admins external map
>   Failed members:
>     member user:
>     member group: CHEWY\Domain Admins: trusted domain object not found
> -
> Number of members added 0
> -
>
> I turned up the debugging to 100, re-established the trust, and tried to
> perform the group-add-member again. I have uploaded the logs here:
> https://s3.amazonaws.com/phemmer-misc/freeipa-logs.tar.gz
> I'm just testing the procedure on a couple of local development VMs, so
> there's nothing sensitive in there.
>
> Confusingly, according to the httpd log the operation was successful:
> [Sun May 14 01:49:24.171867 2017] [:error] [pid 23688] ipa: INFO:
> [jsonserver_session] admin@LOCAL:
> group_add_member/1(u'ad_admins_external',
> ipaexternalmember=(u'CHEWYDomain Admins',), version=u'2.213'):
> SUCCESS
>
> I'm not sure where the issue here lies. So any insight would be
> appreciated.

The issue is in your choice of IPA domain name: local. This is not going
to work with AD -- as you can see, there are subtle issues. Even though
AD DC accepts a trust to LOCAL forest, it cannot really operate it
internally, thus even looking up forest topology fails at the point when
IPA framework attempts to authenticate. See [1] for a list of limitations
in pure Active Directory for single-label domains.

[1]
https://support.microsoft.com/en-us/help/300684/deployment-and-operation-of-active-directory-domains-that-are-configured-by-using-single-label-dns-names

We don't recommend using single-label DNS configurations. Even in a lab
environment they are a source of various issues.

--
/ Alexander Bokovoy
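A pre-flight check for the single-label pitfall Alexander describes, as an added example (not FreeIPA project code): it parses an /etc/ipa/default.conf-style file and flags a dotless IPA domain before any trust is attempted, and validates the DOMAIN\name form that `ipa group-add-member --external` expects. The sample config, `check_ipa_domain` and `external_member_error` are constructed for illustration.

```python
"""Pre-flight check for the FreeIPA AD trust problem in this thread.
Added example, not FreeIPA project code. The config sample below is
constructed to mirror the thread (IPA domain "local", realm "LOCAL")."""
import configparser
import re

# Constructed /etc/ipa/default.conf-style sample; only [global] is read.
SAMPLE_DEFAULT_CONF = """\
[global]
basedn = dc=local
realm = LOCAL
domain = local
server = ipa.local
"""

# `ipa group-add-member --external` takes NETBIOS\name or DOMAIN\name.
EXTERNAL_MEMBER_RE = re.compile(r"^[^\\\s]+\\[^\\]+$")


def is_single_label(domain: str) -> bool:
    """True for names with no dot, e.g. 'local'; 'corp.local' is fine."""
    return "." not in domain.strip(".")


def check_ipa_domain(conf_text: str) -> list:
    """Return findings for [global]; an empty list means no known blocker."""
    cp = configparser.ConfigParser()
    cp.read_string(conf_text)
    domain = cp["global"].get("domain", "")
    findings = []
    if not domain:
        findings.append("no 'domain' key in [global]")
    elif is_single_label(domain):
        findings.append(
            f"IPA domain '{domain}' is single-label: AD accepts the trust but "
            "cannot operate it, so external members fail with "
            "'trusted domain object not found'")
    return findings


def external_member_error(member: str) -> str:
    """Empty string when `member` is in DOMAIN\\name form, else the reason."""
    if EXTERNAL_MEMBER_RE.match(member):
        return ""
    return f"'{member}' is not in DOMAIN\\name form"


if __name__ == "__main__":
    for finding in check_ipa_domain(SAMPLE_DEFAULT_CONF) or ["domain: ok"]:
        print(finding)
    print(external_member_error("CHEWY\\Domain Admins") or "member spec: ok")
```

Run it against the real /etc/ipa/default.conf before ipa-adtrust-install to catch the domain choice while it is still cheap to change.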
[Freeipa-users] Error trying to use trusted AD objects: trusted domain object not found
I'm working on spinning up a FreeIPA server with an AD trust. I've
followed the official guide
(https://www.freeipa.org/page/Active_Directory_trust_setup), and
everything works up to the point of trying to add external members to
the group. Whenever I try I get:

# ipa group-add-member ad_admins_external --external 'CHEWY\Domain Admins'
[member user]:
[member group]:
  Group name: ad_admins_external
  Description: ad_domain admins external map
  Failed members:
    member user:
    member group: CHEWY\Domain Admins: trusted domain object not found
-
Number of members added 0
-

I turned up the debugging to 100, re-established the trust, and tried to
perform the group-add-member again. I have uploaded the logs here:
https://s3.amazonaws.com/phemmer-misc/freeipa-logs.tar.gz
I'm just testing the procedure on a couple of local development VMs, so
there's nothing sensitive in there.

Confusingly, according to the httpd log the operation was successful:
[Sun May 14 01:49:24.171867 2017] [:error] [pid 23688] ipa: INFO:
[jsonserver_session] admin@LOCAL:
group_add_member/1(u'ad_admins_external',
ipaexternalmember=(u'CHEWYDomain Admins',), version=u'2.213'):
SUCCESS

I'm not sure where the issue here lies. So any insight would be
appreciated.

This is with:
CentOS/7 7.3.1611
FreeIPA 4.4.0
AD is Windows Server 2008 R2

-Patrick