Re: [Freeipa-users] Trust is successful and getting error while creating groups.

2015-03-04 Thread Ben .T.George
Hi Alex

Oops, sorry.

Actually I have 2 servers whose hostnames look the same, kwtpocpbis01 and
kwtpocpbis02.

I was trying on the wrong server.

Now it's working on the actual server:

[root@kwtpocpbis01 ~]# ipa group-add-member ad_admins_external --external 'INFRA\Domain Admins'
[member user]:
[member group]:
  Group name: ad_admins_external
  Description: infra.com admins external map
  External member: S-1-5-21-191287045-4012216658-3592112898-512
-------------------------
Number of members added 1
-------------------------

[root@kwtpocpbis01 ~]# ipa group-add-member ad_admins_external --external 'INFRA\Domain Users'
[member user]:
[member group]:
  Group name: ad_admins_external
  Description: infra.com admins external map
  External member: S-1-5-21-191287045-4012216658-3592112898-512, S-1-5-21-191287045-4012216658-3592112898-513
-------------------------
Number of members added 1
-------------------------

How can I fetch an AD user on the command line on the IPA server to check the
communication?

Regards
Ben
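
An added example, not part of Ben's message and not FreeIPA code: the "External member" values in the output above are SIDs, that is, the trusted domain's SID followed by a relative ID (RID). This Python check confirms each external member belongs to the trusted domain and names the well-known RIDs 512 and 513; the function names are hypothetical, and treating Domain Users as a broad grant is this example's own policy choice.

```python
import re

# Domain SID (S-1-5-21 plus three sub-authorities) followed by a RID.
SID_RE = re.compile(r"S-1-5-21(?:-\d+){3}-\d+")

# Well-known domain RIDs; only the two that appear in the thread.
WELL_KNOWN_RIDS = {512: "Domain Admins", 513: "Domain Users"}

# Domain SID as reported by `ipa trustdomain-find` in the thread.
TRUSTED_DOMAIN_SID = "S-1-5-21-191287045-4012216658-3592112898"

# Constructed sample: the CLI output from the thread, mail line wrap kept.
SAMPLE_OUTPUT = """\
  Group name: ad_admins_external
  Description: infra.com admins external map
  External member: S-1-5-21-191287045-4012216658-3592112898-512,
S-1-5-21-191287045-4012216658-3592112898-513
-------------------------
Number of members added 1
"""

def split_sid(sid):
    """Split 'S-1-5-21-a-b-c-RID' into (domain_sid, rid)."""
    domain_sid, _, rid = sid.rpartition("-")
    return domain_sid, int(rid)

def external_members(cli_output):
    """Collect SIDs from the 'External member:' field, including wrapped lines."""
    sids, in_field = [], False
    for line in cli_output.splitlines():
        if "External member:" in line:
            in_field = True
        elif in_field and not SID_RE.search(line):
            in_field = False          # first line without a SID ends the field
        if in_field:
            sids.extend(SID_RE.findall(line))
    return sids

def audit(cli_output, trusted_domain_sid):
    """Describe each external member: name of its RID and domain match."""
    findings = []
    for sid in external_members(cli_output):
        domain_sid, rid = split_sid(sid)
        findings.append({
            "sid": sid,
            "name": WELL_KNOWN_RIDS.get(rid, "RID %d" % rid),
            "in_trusted_domain": domain_sid == trusted_domain_sid,
        })
    return findings

def broad_members(findings):
    """Example policy (assumption): Domain Users covers every account in the domain."""
    return [f["sid"] for f in findings if f["name"] == "Domain Users"]

if __name__ == "__main__":
    for f in audit(SAMPLE_OUTPUT, TRUSTED_DOMAIN_SID):
        print(f["sid"], f["name"], "trusted" if f["in_trusted_domain"] else "FOREIGN")
    print("broad:", broad_members(audit(SAMPLE_OUTPUT, TRUSTED_DOMAIN_SID)))
```

Run against the output above, it reports that ad_admins_external now holds both Domain Admins and Domain Users of the INFRA domain.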

On Thu, Mar 5, 2015 at 10:05 AM, Alexander Bokovoy wrote:

> On Thu, 05 Mar 2015, Ben .T.George wrote:
>
>> Hi Alexander,
>>
>> can you please give me clue what will be error message
>>
>> "member group: KWTTESTDC\Domain Admins: invalid 'trusted domain object':
>> no trusted domain matched the specified flat name"
>>
> So what are the domains your IPA reports as trusted?
>
> ipa trustdomain-find
>
> Because you are talking about KWTTESTDC -- is this a domain's NetBIOS
> name? It looks to me it is your AD DC's name, not the domain's.

Re: [Freeipa-users] Trust is successful and getting error while creating groups.

2015-03-04 Thread Alexander Bokovoy

On Thu, 05 Mar 2015, Ben .T.George wrote:

> Hi Alexander,
>
> can you please give me clue what will be error message
>
> "member group: KWTTESTDC\Domain Admins: invalid 'trusted domain object': no
> trusted domain matched the specified flat name"

So what are the domains your IPA reports as trusted?

ipa trustdomain-find

Because you are talking about KWTTESTDC -- is this a domain's NetBIOS
name? It looks to me it is your AD DC's name, not the domain's.




Re: [Freeipa-users] Trust is successful and getting error while creating groups.

2015-03-04 Thread Ben .T.George
Hi Alexander,

can you please give me clue what will be error message

"member group: KWTTESTDC\Domain Admins: invalid 'trusted domain object': no
trusted domain matched the specified flat name"

Regards,
Ben


Re: [Freeipa-users] Trust is successful and getting error while creating groups.

2015-03-04 Thread Ben .T.George
Hi

Sorry, ntp was stopped. Now time is in sync. Rebooted machine.

But the process is not going through:

[root@kwtpocpbis01 ~]# ipa group-add-member ad_admins_external --external 'ad_netbios\Domain Admins'
[member user]:
[member group]:
  Group name: ad_admins_external
  Description: infra.com admins external map
  Failed members:
    member user:
    member group: ad_netbios\Domain Admins: invalid 'trusted domain object': no trusted domain matched the specified flat name
-------------------------
Number of members added 0
-------------------------

[root@kwtpocpbis01 ~]# ipa group-add-member ad_admins_external --external 'ad_netbios\Domain Users'
[member user]:
[member group]:
  Group name: ad_admins_external
  Description: infra.com admins external map
  Failed members:
    member user:
    member group: ad_netbios\Domain Users: invalid 'trusted domain object': no trusted domain matched the specified flat name
-------------------------
Number of members added 0
-------------------------

And the error message in error_log is:

[Thu Mar 05 09:31:50.146154 2015] [:error] [pid 2101] ipa: INFO:
[jsonserver_kerb] admin@SOLARIS.LOCAL:
group_add_member(u'ad_admins_external',
ipaexternalmember=(u'ad_netbiosDomain Admins',), all=False, raw=False,
version=u'2.113', no_members=False): SUCCESS

[Thu Mar 05 09:32:15.761885 2015] [:error] [pid 2101] ipa: INFO:
[jsonserver_kerb] admin@SOLARIS.LOCAL:
group_add_member(u'ad_admins_external',
ipaexternalmember=(u'ad_netbiosDomain Users',), all=False, raw=False,
version=u'2.113', no_members=False): SUCCESS




Re: [Freeipa-users] Trust is successful and getting error while creating groups.

2015-03-04 Thread Alexander Bokovoy

On Thu, 05 Mar 2015, Ben .T.George wrote:

> Hi
>
> I have re-installed everything. My current versions are CentOS 7 with IPA
> 4.1
>
> I followed this tutorial:
> http://www.freeipa.org/page/Howto/IPAv3_AD_trust_setup
>
> When I fetch, it went successful:
>
> [root@kwtpocpbis01 ~]# ipa trustdomain-find "infra.com"
>   Domain name: infra.com
>   Domain NetBIOS name: INFRA
>   Domain Security Identifier: S-1-5-21-191287045-4012216658-3592112898
>   Domain enabled: True
> ----------------------------
> Number of entries returned 1
> ----------------------------
> [root@kwtpocpbis01 ~]# ipa trustdomain-find "infra.com"
>   Domain name: infra.com
>   Domain NetBIOS name: INFRA
>   Domain Security Identifier: S-1-5-21-191287045-4012216658-3592112898
>   Domain enabled: True
> ----------------------------
> Number of entries returned 1
> ----------------------------
>
> When I went through "Allow access for users from AD domain to protected
> resources", I am getting errors,
>
> [root@kwtpocpbis01 ~]# ipa group-add --desc='infra.com users external map' ad_users_external --external
> -------------------------------
> Added group "ad_users_external"
> -------------------------------
>   Group name: ad_users_external
>   Description: infra.com users external map
>
> [root@kwtpocpbis01 ~]# ipa group-add --desc='infra.com users' ad_users
> ----------------------
> Added group "ad_users"
> ----------------------
>   Group name: ad_users
>   Description: infra.com users
>   GID: 64345
>
> [root@kwtpocpbis01 ~]# ipa group-add-member ad_users_external --external 'INFRA\Domain Users'
> [member user]:
> [member group]:
>   Group name: ad_users_external
>   Description: infra.com users external map
>   Failed members:
>     member user:
>     member group: INFRA\Domain Users: trusted domain object not found
> -------------------------
> Number of members added 0
> -------------------------
>
> [root@kwtpocpbis01 ~]# ipa group-add-member ad_users --groups ad_users_external
>   Group name: ad_users
>   Description: infra.com users
>   GID: 64345
>   Member groups: ad_users_external
> -------------------------
> Number of members added 1
> -------------------------
>
> Please help me to solve this issue:
>
> I am getting the below error in httpd/error_log while trying: ipa
> group-add-member ad_users_external --external 'INFRA\Domain Users'
>
> [Thu Mar 05 11:36:37.371594 2015] [:error] [pid 4090] ipa: WARNING: Search
> on AD DC kwtipaad001.infra.com:3268
> failed with: Insufficient access: SASL(-1): generic failure: GSSAPI Error:
> Unspecified GSS failure.  Minor code may provide more information (Ticket
> not yet valid)
> [Thu Mar 05 11:36:37.374280 2015] [:error] [pid 4090] ipa: INFO:
> [jsonserver_kerb] admin@SOLARIS.LOCAL:
> group_add_member(u'ad_users_external', ipaexternalmember=(u'INFRADomain
> Users',), all=False, raw=False, version=u'2.113', no_members=False):
> SUCCESS

OK, "Ticket not yet valid" is time synchronization issue -- AD DC has
time behind IPA DC. Check time and time zone settings.

--
/ Alexander Bokovoy

--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go To http://freeipa.org for more info on the project
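
An added example, not taken from any message in this thread and not FreeIPA code: a small Python triage helper for the three failure messages that appear in the thread, plus a pre-check of the prefix before the backslash against the NetBIOS names that `ipa trustdomain-find` reports. The function names are hypothetical, the case-insensitive comparison is an assumption, and the sample lines are constructed from the output quoted in the thread.

```python
import re

# Constructed sample: `ipa trustdomain-find` output as shown in the thread.
TRUSTDOMAIN_FIND = """\
  Domain name: infra.com
  Domain NetBIOS name: INFRA
  Domain Security Identifier: S-1-5-21-191287045-4012216658-3592112898
  Domain enabled: True
"""

# Messages seen in the thread, mapped to what the thread says about them.
CAUSES = [
    ("Ticket not yet valid",
     "clock skew: AD DC time is behind the IPA server; check time and time zone"),
    ("no trusted domain matched the specified flat name",
     "prefix is not a trusted domain's NetBIOS name; compare with ipa trustdomain-find"),
    ("trusted domain object not found",
     "AD lookup failed; read the WARNING lines in httpd/error_log"),
]

def trusted_flat_names(output):
    """Return the NetBIOS (flat) names listed by `ipa trustdomain-find`."""
    return {m.group(1).upper()
            for m in re.finditer(r"Domain NetBIOS name:\s*(\S+)", output)}

def check_member(name, flat_names):
    """Check 'FLATNAME\\Name' before passing it to --external (case-insensitive: assumption)."""
    prefix, sep, rest = name.partition("\\")
    if not sep or not rest:
        return "malformed: expected 'NETBIOS\\Name'"
    if prefix.upper() not in flat_names:
        return "unknown flat name %r; trusted: %s" % (prefix, ", ".join(sorted(flat_names)))
    return "ok"

def triage(lines):
    """Return (line_number, cause) for every line carrying a known message."""
    hits = []
    for number, line in enumerate(lines, 1):
        for needle, cause in CAUSES:
            if needle in line:
                hits.append((number, cause))
    return hits

# Constructed sample. Line 2 is deliberately not a hit: in the thread the
# group_add_member call is logged as SUCCESS even when 0 members were added.
SAMPLE_LOG = [
    "ipa: WARNING: Search on AD DC kwtipaad001.infra.com:3268 failed with: "
    "Insufficient access: SASL(-1): generic failure: GSSAPI Error: Unspecified "
    "GSS failure.  Minor code may provide more information (Ticket not yet valid)",
    "ipa: INFO: [jsonserver_kerb] admin@SOLARIS.LOCAL: group_add_member(...): SUCCESS",
    "member group: ad_netbios\\Domain Admins: invalid 'trusted domain object': "
    "no trusted domain matched the specified flat name",
]

if __name__ == "__main__":
    names = trusted_flat_names(TRUSTDOMAIN_FIND)
    for member in ("INFRA\\Domain Admins", "ad_netbios\\Domain Admins",
                   "KWTTESTDC\\Domain Admins"):
        print(member, "->", check_member(member, names))
    for number, cause in triage(SAMPLE_LOG):
        print("line", number, "->", cause)
```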


[Freeipa-users] Trust is successful and getting error while creating groups.

2015-03-04 Thread Ben .T.George
Hi

I have re-installed everything. My current versions are CentOS 7 with IPA
4.1

I followed this tutorial:
http://www.freeipa.org/page/Howto/IPAv3_AD_trust_setup

When I fetch, it went successful:

[root@kwtpocpbis01 ~]# ipa trustdomain-find "infra.com"
  Domain name: infra.com
  Domain NetBIOS name: INFRA
  Domain Security Identifier: S-1-5-21-191287045-4012216658-3592112898
  Domain enabled: True
----------------------------
Number of entries returned 1
----------------------------
[root@kwtpocpbis01 ~]# ipa trustdomain-find "infra.com"
  Domain name: infra.com
  Domain NetBIOS name: INFRA
  Domain Security Identifier: S-1-5-21-191287045-4012216658-3592112898
  Domain enabled: True
----------------------------
Number of entries returned 1
----------------------------

When I went through "Allow access for users from AD domain to protected
resources", I am getting errors,

[root@kwtpocpbis01 ~]# ipa group-add --desc='infra.com users external map' ad_users_external --external
-------------------------------
Added group "ad_users_external"
-------------------------------
  Group name: ad_users_external
  Description: infra.com users external map

[root@kwtpocpbis01 ~]# ipa group-add --desc='infra.com users' ad_users
----------------------
Added group "ad_users"
----------------------
  Group name: ad_users
  Description: infra.com users
  GID: 64345

[root@kwtpocpbis01 ~]# ipa group-add-member ad_users_external --external 'INFRA\Domain Users'
[member user]:
[member group]:
  Group name: ad_users_external
  Description: infra.com users external map
  Failed members:
    member user:
    member group: INFRA\Domain Users: trusted domain object not found
-------------------------
Number of members added 0
-------------------------

[root@kwtpocpbis01 ~]# ipa group-add-member ad_users --groups ad_users_external
  Group name: ad_users
  Description: infra.com users
  GID: 64345
  Member groups: ad_users_external
-------------------------
Number of members added 1
-------------------------

Please help me to solve this issue:

I am getting the below error in httpd/error_log while trying: ipa
group-add-member ad_users_external --external 'INFRA\Domain Users'

[Thu Mar 05 11:36:37.371594 2015] [:error] [pid 4090] ipa: WARNING: Search
on AD DC kwtipaad001.infra.com:3268
failed with: Insufficient access: SASL(-1): generic failure: GSSAPI Error:
Unspecified GSS failure.  Minor code may provide more information (Ticket
not yet valid)
[Thu Mar 05 11:36:37.374280 2015] [:error] [pid 4090] ipa: INFO:
[jsonserver_kerb] admin@SOLARIS.LOCAL:
group_add_member(u'ad_users_external', ipaexternalmember=(u'INFRADomain
Users',), all=False, raw=False, version=u'2.113', no_members=False):
SUCCESS

Thanks & Regards,
Ben