Re: [Freeipa-users] Unable to add external group
Alexander, forwarding sanitized files to you privately From: Alexander Bokovoy To: pgb205 Cc: "Freeipa-users@redhat.com" Sent: Tuesday, June 28, 2016 4:25 PM Subject: Re: [Freeipa-users] Unable to add external group On Tue, 28 Jun 2016, pgb205 wrote: >Trust is successfully established > >ipa trust-find---1 trust matched--- Realm name: >ad_domain.local Domain NetBIOS name: AD_DOMAIN >and I can get kerberos ticket and access to servicesKRB5_TRACE=/dev/stderr >kvno -S cifs ADDC.AD_DOMAIN >[3552] 1467143851.633980: Received creds for desired service >cifs/ADDC.AD_DOMAIN[3552] 1467143851.634008: Storing my_user@AD_DOMAIN -> >cifs/ADDC@AD_DOMAIN in >KEYRING:persistent:0:krb_ccache_02UjQwjcifs/ADDC.AD_DOMAIN: kvno = 29 >time is also correct and matches on both ipa and Domain Controller >When I go with the last few steps to add external AD group to the IPA >--external I get the followingipa group-add-member ad_domain_admins_external >--external 'AD_DOMAIN\Ops_Admins'[member user]:[member group]: Group name: >ad_domain_admins_external Description: ad_domain_admins external map Failed >members: member user: member group: AD_DOMAIN\Ops_Admins: trusted domain >object not found-Number of members added 0 >I have verified the Ops_Admins is readable by everyone in Active Directory. >In error_log I get >[:error] [pid 2619] ipa: INFO: [jsonserver_session] admin@IPA_DOMAIN: >group_add_member(u'ad_domain_admins_external', >ipaexternalmember=(u'AD_DOMAINOps_Admins',), all=False, raw=False, >version=u'2.156', no_members=False): SUCCESS >Any idea on what steps I'm missing or what other things to check ? If you have "trusted domain object not found", this means you don't really have trust established correctly. Unfortunately, sometimes we cannot get proper error message back to the user as Samba Python bindings don't give us much details. See http://www.freeipa.org/page/Active_Directory_trust_setup#Debugging_trust on how to generate proper debug logs for trust to see what is there. You kvno output is of no use -- obviously AD user would be able to obtain a ticket to AD DC's service, this is not a surprise. -- / Alexander Bokovoy -- Manage your subscription for the Freeipa-users mailing list: https://www.redhat.com/mailman/listinfo/freeipa-users Go to http://freeipa.org for more info on the project
Re: [Freeipa-users] Unable to add external group
On Tue, 28 Jun 2016, pgb205 wrote: Trust is successfully established ipa trust-find---1 trust matched--- Realm name: ad_domain.local Domain NetBIOS name: AD_DOMAIN and I can get kerberos ticket and access to servicesKRB5_TRACE=/dev/stderr kvno -S cifs ADDC.AD_DOMAIN [3552] 1467143851.633980: Received creds for desired service cifs/ADDC.AD_DOMAIN[3552] 1467143851.634008: Storing my_user@AD_DOMAIN -> cifs/ADDC@AD_DOMAIN in KEYRING:persistent:0:krb_ccache_02UjQwjcifs/ADDC.AD_DOMAIN: kvno = 29 time is also correct and matches on both ipa and Domain Controller When I go with the last few steps to add external AD group to the IPA --external I get the followingipa group-add-member ad_domain_admins_external --external 'AD_DOMAIN\Ops_Admins'[member user]:[member group]: Group name: ad_domain_admins_external Description: ad_domain_admins external map Failed members: member user: member group: AD_DOMAIN\Ops_Admins: trusted domain object not found-Number of members added 0 I have verified the Ops_Admins is readable by everyone in Active Directory. In error_log I get [:error] [pid 2619] ipa: INFO: [jsonserver_session] admin@IPA_DOMAIN: group_add_member(u'ad_domain_admins_external', ipaexternalmember=(u'AD_DOMAINOps_Admins',), all=False, raw=False, version=u'2.156', no_members=False): SUCCESS Any idea on what steps I'm missing or what other things to check ? If you have "trusted domain object not found", this means you don't really have trust established correctly. Unfortunately, sometimes we cannot get proper error message back to the user as Samba Python bindings don't give us much details. See http://www.freeipa.org/page/Active_Directory_trust_setup#Debugging_trust on how to generate proper debug logs for trust to see what is there. You kvno output is of no use -- obviously AD user would be able to obtain a ticket to AD DC's service, this is not a surprise. -- / Alexander Bokovoy -- Manage your subscription for the Freeipa-users mailing list: https://www.redhat.com/mailman/listinfo/freeipa-users Go to http://freeipa.org for more info on the project
[Freeipa-users] Unable to add external group
Trust is successfully established ipa trust-find---1 trust matched--- Realm name: ad_domain.local Domain NetBIOS name: AD_DOMAIN and I can get kerberos ticket and access to servicesKRB5_TRACE=/dev/stderr kvno -S cifs ADDC.AD_DOMAIN [3552] 1467143851.633980: Received creds for desired service cifs/ADDC.AD_DOMAIN[3552] 1467143851.634008: Storing my_user@AD_DOMAIN -> cifs/ADDC@AD_DOMAIN in KEYRING:persistent:0:krb_ccache_02UjQwjcifs/ADDC.AD_DOMAIN: kvno = 29 time is also correct and matches on both ipa and Domain Controller When I go with the last few steps to add external AD group to the IPA --external I get the followingipa group-add-member ad_domain_admins_external --external 'AD_DOMAIN\Ops_Admins'[member user]:[member group]: Group name: ad_domain_admins_external Description: ad_domain_admins external map Failed members: member user: member group: AD_DOMAIN\Ops_Admins: trusted domain object not found-Number of members added 0 I have verified the Ops_Admins is readable by everyone in Active Directory. In error_log I get [:error] [pid 2619] ipa: INFO: [jsonserver_session] admin@IPA_DOMAIN: group_add_member(u'ad_domain_admins_external', ipaexternalmember=(u'AD_DOMAINOps_Admins',), all=False, raw=False, version=u'2.156', no_members=False): SUCCESS Any idea on what steps I'm missing or what other things to check ? thanks-- Manage your subscription for the Freeipa-users mailing list: https://www.redhat.com/mailman/listinfo/freeipa-users Go to http://freeipa.org for more info on the project