Hello,
When performing a trust between IPA & AD I get the following error:
CIFS server communication error: code "-1073741771", message "The object name already exists." (both may be "None")
For testing purposes I removed the trust and want to re-add it like before.
Regards,
Daniel
On Thu, 31 Aug 2017, PAESSENS Daniel (BCS/PSD) via FreeIPA-users wrote:
> Hello,
> When performing a trust between IPA & AD I get the following error:
> CIFS server communication error: code "-1073741771", message "The object name already exists." (both may be "None")
> For testing purposes I removed the trust and want to re-add it like before.

Check on the Windows side, in Active Directory Domains and Trusts, that there is no trusted object with the same name as your IPA domain. Most likely you created one with the wrong type of trust before (Kerberos trust, for example).
I've checked on the Windows part. And nothing is mentioned over there. Even with adsiedit I can't find any trace of it.
Regards,
Daniel
-----Original Message-----
From: Alexander Bokovoy [mailto:abokovoy@redhat.com]
Sent: Thursday 31 August 2017 16:44
To: FreeIPA users list freeipa-users@lists.fedorahosted.org
Cc: PAESSENS Daniel (BCS/PSD) daniel.paessens.ext@bics.com
Subject: Re: [Freeipa-users] Unable to create an Active Directory Trust

On Thu, 31 Aug 2017, PAESSENS Daniel (BCS/PSD) via FreeIPA-users wrote:
> Hello,
> When performing a trust between IPA & AD I get the following error:
> CIFS server communication error: code "-1073741771", message "The object name already exists." (both may be "None")
> For testing purposes I removed the trust and want to re-add it like before.

Check on the Windows side, in Active Directory Domains and Trusts, that there is no trusted object with the same name as your IPA domain. Most likely you created one with the wrong type of trust before (Kerberos trust, for example).
--
/ Alexander Bokovoy
On Fri, 01 Sep 2017, PAESSENS Daniel (BCS/PSD) wrote:
> I've checked on the Windows part. And nothing is mentioned over there. Even with adsiedit I can't find any trace of it.

Active Directory verifies three important types of conflicts when establishing a trust between any domains (including a forest trust, which is a trust between the two forest root domains), described in https://msdn.microsoft.com/en-us/library/cc223787.aspx:
- SID namespace
- top level names (TLNs) namespace
- NetBIOS names of the domains
For example, if you have an Active Directory forest with just one forest root domain, example.com, and NetBIOS name AD, your IPA domain cannot be example.com and it also cannot have NetBIOS domain name AD.
There is one more limitation, though. Given that a trusted domain object also has a counterpart as a 'machine' account in AD LDAP, and all machine accounts must have unique names, there could be a conflict at this level.
Say your IPA domain's NetBIOS name is FOO. When the trust is established, there will be a machine account FOO$ in AD LDAP. If you already had a FOO machine in your AD, that would be seen as a conflict.
Unfortunately, you did not provide more details on what exactly is there. If you add 'log level = 100' to /usr/share/ipa/smb.conf.empty and try to re-establish the trust with 'ipa trust-add', you'll get a lot of details in /var/log/httpd/error_log. Send me those details off-list and I can see where it breaks.
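
The conflict checks listed in the reply above, written out as an added example that is not part of the original thread or of FreeIPA's code. The dictionary layout, the domain names and the SIDs are constructed assumptions, and only exact name matches are compared, as in the example.com / AD illustration. The helper also shows that the signed code -1073741771 from the error is NTSTATUS 0xC0000035 (STATUS_OBJECT_NAME_COLLISION).

```python
# Added illustration; every name and SID below is constructed sample data.

def ntstatus_hex(code):
    """Convert the signed 32-bit code from the error message to NTSTATUS hex."""
    return f"0x{code & 0xFFFFFFFF:08X}"


def trust_conflicts(ipa, ad_domains, ad_machine_accounts):
    """Return (category, name) pairs for each conflict the reply describes.

    ipa and each ad_domains entry are dicts with 'dns', 'netbios' and 'sid'
    keys (hypothetical layout). ad_machine_accounts holds sAMAccountName
    values, with or without the trailing '$'.
    """
    found = []
    for dom in ad_domains:
        if dom["sid"].upper() == ipa["sid"].upper():
            found.append(("sid", dom["dns"]))
        if dom["dns"].lower().rstrip(".") == ipa["dns"].lower().rstrip("."):
            found.append(("tln", dom["dns"]))
        if dom["netbios"].upper() == ipa["netbios"].upper():
            found.append(("netbios", dom["netbios"]))
    # The trusted domain object gets a machine account named <NETBIOS>$,
    # so an existing machine with that name collides as well.
    tdo_account = ipa["netbios"].upper() + "$"
    accounts = {a.upper().rstrip("$") + "$" for a in ad_machine_accounts}
    if tdo_account in accounts:
        found.append(("machine-account", tdo_account))
    return found


# Constructed inventory: one AD forest root domain and two machine accounts.
AD_DOMAINS = [{"dns": "example.com", "netbios": "AD",
               "sid": "S-1-5-21-1111111111-2222222222-3333333333"}]
AD_MACHINES = ["DC1$", "FOO$"]
IPA = {"dns": "ipa.example.net", "netbios": "FOO",
       "sid": "S-1-5-21-1234567890-1234567891-1234567892"}

if __name__ == "__main__":
    print(ntstatus_hex(-1073741771))   # 0xC0000035, STATUS_OBJECT_NAME_COLLISION
    for category, name in trust_conflicts(IPA, AD_DOMAINS, AD_MACHINES):
        print(f"conflict: {category} ({name})")
```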