<div dir="ltr"><div> Hi, As explained in the previous email, the getent is successful. [root@support1 ~]# getent group 'ACME\Domain Users' domain users@acme.windows.com:*:<a href="mailto:365600513%3Aadministrator@acme.windows.com" target="_blank">365600513:administrator@acme.windows.com</a> In fact, our real problem is not the “wbinfo –n” but the following command: [root@support1 sssd]# ipa group-add-member ad_users_external --external "ACME\Domain Users" [member user]: [member group]: Group name: ad_users_external Description: AD users external map External member: Member of groups: ad_users Failed members: member user: member group: ACME\Domain Users: Cannot find specified domain or server name ------------------------- Number of members added 0 ------------------------- We cannot add ACME’s domain users in the ad_users_external. I attached the sssd logs. Regards </div></div><div class="gmail_extra"> <div class="gmail_quote">2014-12-12 21:51 GMT+01:00 Manuel Lopes <<a href="mailto:manuel.lopes72@gmail.com" target="_blank">manuel.lopes72@gmail.com</a>>:<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div dir="ltr"><div>OK.</div><div> </div><div>Command successful</div><div>[root@support1 ~]# getent group 'ACME\Domain Users' domain users@acme.windows.com:*:<a href="mailto:365600513%3Aadministrator@acme.windows.com" target="_blank">365600513:administrator@acme.windows.com</a></div><div> </div><div>Log files attached</div><div> </div><div>Thanks </div></div><div class="HOEnZb"><div class="h5"><div class="gmail_extra"> <div class="gmail_quote">2014-12-12 21:32 GMT+01:00 Sumit Bose <<a href="mailto:sbose@redhat.com" target="_blank">sbose@redhat.com</a>>:<blockquote style="margin:0px 0px 0px 0.8ex;padding-left:1ex;border-left-color:rgb(204,204,204);border-left-width:1px;border-left-style:solid" class="gmail_quote"><div><div>On Fri, Dec 12, 2014 at 08:41:27PM +0100, Manuel Lopes wrote: > [root@support1 ~]# ipa idrange-find > ---------------- > 3 ranges matched > ---------------- > Range name: LINUX.COM_id_range > First Posix ID of the range: 1066000000 > Number of IDs in the range: 200000 > First RID of the corresponding RID range: 1000 > First RID of the secondary RID range: 100000000 > Range type: local domain range > > Range name: WINDOWS.COM_id_range > First Posix ID of the range: 730200000 > Number of IDs in the range: 200000 > First RID of the corresponding RID range: 0 > Domain SID of the trusted domain: S-1-5-21-1701591335-3855227394-3044674468 > Range type: Active Directory domain range > > Range name: ACME.WINDOWS.COM_id_range > First Posix ID of the range: 365600000 > Number of IDs in the range: 200000 > First RID of the corresponding RID range: 0 > Domain SID of the trusted domain: S-1-5-21-1215373191-1991333051-3772904882 > Range type: Active Directory domain range > ---------------------------- > Number of entries returned 3 > ---------------------------- > > > As we can see in the ouput of the command, the range type is "ad POSIX > attributes". </div></div>no, it's only 'Active Directory domain range', this is good because with this type we generate the UIDs and GIDs algorithmically. > In our case, the gidNumber is not set in the "ACME\Domain Users" AD group, > nor in the " WINDOWS\Domain Users". > With a gidNumber attribute value, the 'wbinfo -n "ACME\Domain Users"' still > command fails. no need to set the ID attributes in AD. But I should have mentioned that wbinfo is quite useless nowadays with FreeIPA because winbind is only used to assure some types of communication with AD. All user and group lookups and IP-mapping is done by SSSD. Please try getent group 'ACME\Domain Users' and send the sssd_nss.log and sssd_example.com.log files. bye, Sumit <div><div> > > Thanks > > 2014-12-12 19:51 GMT+01:00 Manuel Lopes <<a href="mailto:manuel.lopes72@gmail.com" target="_blank">manuel.lopes72@gmail.com</a>>: > > > > [root@support1 ~]# ipa idrange-find > > ---------------- > > 3 ranges matched > > ---------------- > > Range name: LINUX.COM_id_range > > First Posix ID of the range: 1066000000 > > Number of IDs in the range: 200000 > > First RID of the corresponding RID range: 1000 > > First RID of the secondary RID range: 100000000 > > Range type: local domain range > > > > Range name: WINDOWS.COM_id_range > > First Posix ID of the range: 730200000 > > Number of IDs in the range: 200000 > > First RID of the corresponding RID range: 0 > > Domain SID of the trusted domain: > > S-1-5-21-1701591335-3855227394-3044674468 > > Range type: Active Directory domain range > > > > Range name: ACME.WINDOWS.COM_id_range > > First Posix ID of the range: 365600000 > > Number of IDs in the range: 200000 > > First RID of the corresponding RID range: 0 > > Domain SID of the trusted domain: > > S-1-5-21-1215373191-1991333051-3772904882 > > Range type: Active Directory domain range > > ---------------------------- > > Number of entries returned 3 > > ---------------------------- > > > > > > As we can see in the ouput of the command, the range type is "ad POSIX > > attributes". > > In our case, the gidNumber is not set in the "ACME\Domain Users" AD group, > > nor in the " WINDOWS\Domain Users". > > With a gidNumber attribute value, the 'wbinfo -n "ACME\Domain Users"' > > still command fails. > > > > Thanks > > > > > > 2014-12-12 10:33 GMT+01:00 Sumit Bose <<a href="mailto:sbose@redhat.com" target="_blank">sbose@redhat.com</a>>: > >> > >> On Fri, Dec 12, 2014 at 02:06:05AM +0100, Manuel Lopes wrote: > >> > Hi Sumit, > >> > > >> > Thank you very much for the prompt reply > >> > > >> > [root@support1 ~]# ipa trustdomain-find <a href="http://windows.com" target="_blank">windows.com</a> > >> > Domain name: <a href="http://windows.com" target="_blank">windows.com</a> > >> > Domain NetBIOS name: WINDOWS > >> > Domain Security Identifier: S-1-5-21-1701591335-3855227394-3044674468 > >> > Domain enabled: True > >> > > >> > Domain name: <a href="http://acme.windows.com" target="_blank">acme.windows.com</a> > >> > Domain NetBIOS name: ACME > >> > Domain Security Identifier: S-1-5-21-1215373191-1991333051-3772904882 > >> > Domain enabled: True > >> > ---------------------------- > >> > Number of entries returned 2 > >> > ---------------------------- > >> > >> ok, so ACME was discovered successful, can you check next the output of > >> > >> ipa idrange-find > >> > >> The important attribute is the 'Range type' for the AD domains. If it is > >> 'Active Directory trust range with POSIX attributes' it is expected that > >> users and groups in the AD forest have the POSIX UID and GID attributes > >> set and only those users and groups will be available in the IPA domain. > >> In this case please check if 'ACME\Domain Users' have the GID attribute > >> set. > >> > >> If this does not help (please mind the negative cache of SSSD) please > >> send the SSSD logs in /var/log/sssd on the IPA server. You might need to > >> enable logging in sssd.conf by setting 'debug_level = 10' in the > >> [domain/..] and [nss] section of sssd.conf. > >> > >> bye, > >> Sumit > >> > >> > > >> > [root@support1 ~]# ipa trust-fetch-domains <a href="http://windows.com" target="_blank">windows.com</a> > >> > ------------------------------- > >> > No new trust domains were found > >> > ------------------------------- > >> > ---------------------------- > >> > Number of entries returned 0 > >> > ---------------------------- > >> > > >> > Regards > >> > Le 11 déc. 2014 20:08, "Sumit Bose" <<a href="mailto:sbose@redhat.com" target="_blank">sbose@redhat.com</a> > >> > <javascript:_e(%7B%7D,'cvml','<a href="mailto:sbose@redhat.com" target="_blank">sbose@redhat.com</a>');>> a écrit : > >> > > >> > > On Thu, Dec 11, 2014 at 06:45:49PM +0100, Manuel Lopes wrote: > >> > > > Hello, > >> > > > > >> > > > > >> > > > We have been following the AD integration guide for IPAv3: > >> > > > <a href="http://www.freeipa.org/page/Howto/IPAv3_AD_trust_setup" target="_blank">http://www.freeipa.org/page/Howto/IPAv3_AD_trust_setup</a> > >> > > > > >> > > > > >> > > > > >> > > > Our setup is: > >> > > > > >> > > > • 2 domain controllers with Windows 2008 R2 AD DC -> <a href="http://windows.com" target="_blank">windows.com</a> > >> > > > <<a href="http://example.com/" target="_blank">http://example.com/</a>> as Forest Root Domain and <a href="http://acme.windows.com" target="_blank">acme.windows.com</a> > >> > > > <<a href="http://acme.example.com/" target="_blank">http://acme.example.com/</a>> as transitive child domain > >> > > > > >> > > > • RHEL7 as IPA server with domain: <a href="http://linux.com" target="_blank">linux.com</a> > >> > > > <<a href="http://linux.acme.example.com/" target="_blank">http://linux.acme.example.com/</a>> > >> > > > > >> > > > > >> > > > > >> > > > We have established a forest trust between <a href="http://windows.com" target="_blank">windows.com</a> and > >> <a href="http://linux.com" target="_blank">linux.com</a> and > >> > > > everything seems OK from an IPA perspective. > >> > > > > >> > > > > >> > > > > >> > > > We can work with Kerberos tickets without any issue from “windows” > >> domain > >> > > > or his child domain “acme”. (kinit, kvno…) > >> > > > > >> > > > > >> > > > > >> > > > When we use samba tools, the following command is working fine. > >> > > > > >> > > > *[root@support1 ]# wbinfo -n 'WINDOWS\Domain Admins'* > >> > > > > >> > > > *S-1-5-21-1701591335-3855227394-3044674468-512 SID_DOM_GROUP (2)* > >> > > > > >> > > > > >> > > > > >> > > > But, the same command against the acme domain returns an error. > >> > > > > >> > > > *[root@support1 ]# wbinfo -n 'ACME\Domain Admins'* > >> > > > > >> > > > *failed to call wbcLookupName: WBC_ERR_DOMAIN_NOT_FOUND* > >> > > > > >> > > > *Could not lookup name ACME\Domain Admins* > >> > > > > >> > > > > >> > > > > >> > > > Same problem with the following command: > >> > > > > >> > > > *[root@support1]# ipa group-add-member ad_users_external --external > >> > > > "ACME\Domain Users"* > >> > > > > >> > > > *[member user]:* > >> > > > > >> > > > *[member group]:* > >> > > > > >> > > > * Group name: ad_users_external* > >> > > > > >> > > > * Description: AD users external map* > >> > > > > >> > > > * External member: * > >> > > > > >> > > > * Member of groups: ad_users* > >> > > > > >> > > > * Failed members:* > >> > > > > >> > > > * member user:* > >> > > > > >> > > > * member group: ACME\Domain Users: Cannot find specified domain > >> or > >> > > > server name* > >> > > > > >> > > > *-------------------------* > >> > > > > >> > > > *Number of members added 0* > >> > > > > >> > > > > >> > > > > >> > > > > >> > > > > >> > > > Any help would be appreciated > >> > > > >> > > Does > >> > > > >> > > ipa trustdomain-find <a href="http://windows.com" target="_blank">windows.com</a> > >> > > > >> > > show <a href="http://acme.windows.com" target="_blank">acme.windows.com</a> as well ? > >> > > > >> > > Does > >> > > > >> > > ipa trust-fetch-domains ad.devel > >> > > > >> > > help to retrieve the child domain? > >> > > > >> > > Please note that if <a href="http://acme.windows.com" target="_blank">acme.windows.com</a> now shows up you might have to > >> wait > >> > > 1-2 minutes until SSSD's negative caches are flushed and the new > >> domains > >> > > is discovered by SSSD, as an alternative you can just restart SSSD. > >> > > > >> > > HTH > >> > > > >> > > bye, > >> > > Sumit > >> > > > >> > > > > >> > > > > >> > > > > >> > > > Regards > >> > > > >> > > > -- > >> > > > Manage your subscription for the Freeipa-users mailing list: > >> > > > <a href="https://www.redhat.com/mailman/listinfo/freeipa-users" target="_blank">https://www.redhat.com/mailman/listinfo/freeipa-users</a> > >> > > > Go To <a href="http://freeipa.org" target="_blank">http://freeipa.org</a> for more info on the project > >> > > > >> > > -- > >> > > Manage your subscription for the Freeipa-users mailing list: > >> > > <a href="https://www.redhat.com/mailman/listinfo/freeipa-users" target="_blank">https://www.redhat.com/mailman/listinfo/freeipa-users</a> > >> > > Go To <a href="http://freeipa.org" target="_blank">http://freeipa.org</a> for more info on the project > >> > >> > -- > >> > Manage your subscription for the Freeipa-users mailing list: > >> > <a href="https://www.redhat.com/mailman/listinfo/freeipa-users" target="_blank">https://www.redhat.com/mailman/listinfo/freeipa-users</a> > >> > Go To <a href="http://freeipa.org" target="_blank">http://freeipa.org</a> for more info on the project > >> > >> -- > >> Manage your subscription for the Freeipa-users mailing list: > >> <a href="https://www.redhat.com/mailman/listinfo/freeipa-users" target="_blank">https://www.redhat.com/mailman/listinfo/freeipa-users</a> > >> Go To <a href="http://freeipa.org" target="_blank">http://freeipa.org</a> for more info on the project > >> > > </div></div></blockquote></div></div> </div></div></blockquote></div></div>