On ma, 11 joulu 2017, Henrik Johansson via FreeIPA-users wrote:
On 11 Dec 2017, at 16:04, Alexander Bokovoy via FreeIPA-users freeipa-users@lists.fedorahosted.org wrote:
On ma, 11 joulu 2017, Henrik Johansson via FreeIPA-users wrote:
Hi again,
I have generated debug output, both in samba and in sssd, and attached the log files. From what I can see in the sssd log file we are talking to the AD domain but do not find any groups? The rest of the debug files are from the whole session including the trust-add. If you could have a quick look at it I would be grateful, since I'm pretty much stuck here.
Terminal output:
# ipa -v trust-add --type=ad ad.test.net --admin aduser
ipa: INFO: trying https://ipaserver.idm.test.net/ipa/session/json
ipa: INFO: [try 1]: Forwarding 'schema' to json server 'https://ipaserver.idm.test.net/ipa/session/json'
ipa: INFO: trying https://ipaserver.idm.test.net/ipa/session/json
Active Directory domain administrator's password:
ipa: INFO: [try 1]: Forwarding 'trust_add/1' to json server 'https://ipaserver.idm.test.net/ipa/session/json'
Added Active Directory trust for realm "ad.test.net"
  Realm name: ad.test.net
  Domain NetBIOS name: AD
  Domain Security Identifier: S-1-6-42-491525448-2008367481-725548543
  Trust direction: Trusting forest
  Trust type: Active Directory domain
  Trust status: Established and verified
# ipa trust-fetch-domains ad.test.net
List of trust domains successfully refreshed. Use trustdomain-find command to list them.
Number of entries returned 0
[root@ipaserver samba]# ipa trustdomain-find ad.test.net
  Domain name: ad.test.net
  Domain NetBIOS name: AD
  Domain Security Identifier: S-1-6-42-491525448-2008367481-725548543
  Domain enabled: True

  Domain name: corp.ad.test.net
  Domain NetBIOS name: CORP
  Domain Security Identifier: S-1-6-42-2417082233-1637723082-1916539915
  Domain enabled: True
Number of entries returned 2
]# ipa -v group-add-member ad_users_external --external 'AD\Domain Users'
ipa: INFO: trying https://ipaserver.idm.test.net/ipa/session/json
[member user]:
[member group]:
ipa: INFO: [try 1]: Forwarding 'group_add_member/1' to json server 'https://ipaserver.idm.test.net/ipa/session/json'
  Group name: ad_users_external
  Description: AD users external map
  Failed members:
    member user:
    member group: AD\Domain Users: trusted domain object not found
Number of members added 0
Did you try with a different group/user? Because Domain Users is a bit of a special group in AD: it is a Domain Global group. Your logs show that a search done by SSSD against the AD DC does not end up with any 'cn=domain users' result.
Yes, I've tried with a few groups and the user I am using to create the trust with, no luck.
Is there any additional policy applied on AD side that prevents a TDO to access information about AD users/groups?
Something like https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahoste... ?