Hi:
I am trying to finish my integration of FreeIPA with Active Directory, but when I try to add my group information it fails.
# ipa group-add-member ad_admins_external --external 'AD/Domain Admins'
member group: AD\Domain Admins: trusted domain object not found
As far as I can tell, I have established a trust relationship between my IPA realm (ipa.mydomain.com) and my AD domain (ad.mydomain.com). If I run netdom query /d:AD.MYDOMAIN.COM TRUST I get:
<- ipa.mydomain.com Direct
I am assuming that the direction (<-) indicates that ipa trusts AD. From the other side, everything looks ok to me:
# ipa trustdomain-find AD.MYDOMAIN.COM
  Domain name: AD.MYDOMAIN.COM
  Domain NetBIOS name: AD
  Domain Security Identifier: S-1-5-21-3800000002-3276000039-3459556696
  Domain enabled: True
----------------------------
Number of entries returned 1
----------------------------
In troubleshooting this, I ran:
# KRB5_TRACE=/dev/stderr kvno -S cifs ad.mydomain.com
The last two lines were:
[16487] 1505918874.707116: TGS request result: -1765328377/Server cifs/ad.mydomain.com@IPA.MYDOMAIN.COM not found in Kerberos database
kvno: Server cifs/ad.mydomain.com@IPA.MYDOMAIN.COM not found in Kerberos database while getting credentials for cifs/ad.mydomain.com@IPA.MYDOMAIN.COM
This led me to try the following (based on a tutorial I found), but with no success:
# ipa service-add cifs/ad.mydomain.com@IPA.MYDOMAIN.COM --force
ipa: ERROR: The host 'ad.mydomain.com' does not exist to add a service to.
I am running CentOS 7 with ipa 4.5; all AD servers are running Server 2016. If anyone has any pointers which could help with this, I'd appreciate it.
Thanks!
Bob
On Wed, 20 Sep 2017, Bobby Jones via FreeIPA-users wrote:
Hi:
I am trying to finish my integration of FreeIPA with Active Directory, but when I try to add my group information it fails.
# ipa group-add-member ad_admins_external --external 'AD/Domain Admins'
member group: AD\Domain Admins: trusted domain object not found
As far as I can tell, I have established a trust relationship between my IPA realm (ipa.mydomain.com) and my AD domain (ad.mydomain.com). If I run netdom query /d:AD.MYDOMAIN.COM TRUST I get:
<- ipa.mydomain.com Direct
I am assuming that the direction (<-) indicates that ipa trusts AD. From the other side, everything looks ok to me:
# ipa trustdomain-find AD.MYDOMAIN.COM
  Domain name: AD.MYDOMAIN.COM
  Domain NetBIOS name: AD
  Domain Security Identifier: S-1-5-21-3800000002-3276000039-3459556696
  Domain enabled: True
----------------------------
Number of entries returned 1
----------------------------
In troubleshooting this, I ran:
# KRB5_TRACE=/dev/stderr kvno -S cifs ad.mydomain.com
Is it really ad.mydomain.com as a host name? What is your real AD domain? What is a real AD DC hostname?
The last two lines were:
[16487] 1505918874.707116: TGS request result: -1765328377/Server cifs/ad.mydomain.com@IPA.MYDOMAIN.COM not found in Kerberos database
kvno: Server cifs/ad.mydomain.com@IPA.MYDOMAIN.COM not found in Kerberos database while getting credentials for cifs/ad.mydomain.com@IPA.MYDOMAIN.COM
This means IPA KDC doesn't know that ad.mydomain.com belongs to realm AD.MYDOMAIN.COM. This should be suspicious.
Start from beginning.
How exactly did you establish the trust? Show a command that was used to establish trust.
If you can re-establish it, add 'log level = 10' to /usr/share/ipa/smb.conf.empty and re-run 'ipa trust-add'. You'll get a lot of details in /var/log/httpd/error_log that show what AD thinks about the trust.
This led me to try the following (based on a tutorial I found), but with no success:
# ipa service-add cifs/ad.mydomain.com@IPA.MYDOMAIN.COM --force
ipa: ERROR: The host 'ad.mydomain.com' does not exist to add a service to.
I wonder what this is (a tutorial)? This is absolute nonsense.
I am running CentOS 7 with ipa 4.5; all AD servers are running Server 2016. If anyone has any pointers which could help with this, I'd appreciate it.
Debugging 4.5 is a new experience. Read my article about it: https://vda.li/en/docs/freeipa-debug-privsep/
However, for trust to AD nothing changed. If your KDC doesn't seem to understand how to reach AD DCs for ad.mydomain.com, you have a fundamental problem.
freeipa-users@lists.fedorahosted.org
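One way to automate the check the reply describes (a healthy trust makes the IPA KDC hand the client a krbtgt for the AD realm; a failed host-to-realm mapping makes it look the cifs service up in its own realm and report it unknown), as an added example that is not from this thread. The KRB5_TRACE lines are constructed to mirror the kvno output above and a working referral; dc1.ad.mydomain.com is a placeholder DC name.

```python
import re

# Error code krb5 prints in KRB5_TRACE for KRB5KDC_ERR_S_PRINCIPAL_UNKNOWN
S_PRINCIPAL_UNKNOWN = -1765328377

RESULT_RE = re.compile(r"TGS request result: (-?\d+)/(.*)$")
REPLY_RE = re.compile(r"TGS reply is for \S+ -> (\S+) with session key")
PRINC_RE = re.compile(r"Server (\S+) not found in Kerberos database")

# Constructed trace: the shape of the failure quoted in the thread.
BROKEN_TRACE = """\
[16487] 1505918874.700001: Getting credentials admin@IPA.MYDOMAIN.COM -> cifs/ad.mydomain.com@IPA.MYDOMAIN.COM using ccache FILE:/tmp/krb5cc_0
[16487] 1505918874.705010: Sending request (1000 bytes) to IPA.MYDOMAIN.COM
[16487] 1505918874.707116: TGS request result: -1765328377/Server cifs/ad.mydomain.com@IPA.MYDOMAIN.COM not found in Kerberos database
"""

# Constructed trace: the IPA KDC refers the client to AD via a cross-realm TGT.
GOOD_TRACE = """\
[20001] 1505919000.100001: Getting credentials admin@IPA.MYDOMAIN.COM -> cifs/dc1.ad.mydomain.com@IPA.MYDOMAIN.COM using ccache FILE:/tmp/krb5cc_0
[20001] 1505919000.105010: TGS request result: 0/Success
[20001] 1505919000.105020: TGS reply is for admin@IPA.MYDOMAIN.COM -> krbtgt/AD.MYDOMAIN.COM@IPA.MYDOMAIN.COM with session key aes256-cts/ABCD
[20001] 1505919000.110000: Requesting tickets for cifs/dc1.ad.mydomain.com@AD.MYDOMAIN.COM, referrals on
[20001] 1505919000.115000: TGS request result: 0/Success
"""


def diagnose(trace: str, ad_realm: str) -> dict:
    """Classify a KRB5_TRACE capture of 'kvno -S cifs <ad-dc>' against a trust."""
    cross_realm_tgt = None   # realm of the krbtgt the IPA KDC handed out, if any
    unknown = None           # principal the KDC reported as not in its database
    last_code = None
    for line in trace.splitlines():
        m = REPLY_RE.search(line)
        if m and m.group(1).startswith("krbtgt/"):
            # krbtgt/AD.REALM@IPA.REALM means the KDC referred us to the AD realm
            cross_realm_tgt = m.group(1).split("/", 1)[1].split("@", 1)[0]
        m = RESULT_RE.search(line)
        if m:
            last_code = int(m.group(1))
            p = PRINC_RE.search(m.group(2))
            if last_code == S_PRINCIPAL_UNKNOWN and p:
                unknown = p.group(1)
    if cross_realm_tgt == ad_realm and last_code == 0:
        verdict = "referral-ok"
    elif unknown and "@" + ad_realm not in unknown and cross_realm_tgt is None:
        # Service looked up in the local realm, no referral: host not mapped to AD
        verdict = "no-host-to-realm-mapping"
    else:
        verdict = "inconclusive"
    return {"cross_realm_tgt": cross_realm_tgt, "unknown_principal": unknown, "verdict": verdict}
```

Run it on a real capture with `KRB5_TRACE=/tmp/kvno.trace kvno -S cifs <dc>` and feed the file to `diagnose()` with the AD realm from `ipa trustdomain-find`.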