<html> <head> <meta http-equiv="content-type" content="text/html; charset=utf-8"> </head> <body text="#000000" bgcolor="#FFFFFF"> I'm working on spinning up a FreeIPA server with an AD trust. I've followed the official guide (<a class="moz-txt-link-freetext" href="https://www.freeipa.org/page/Active_Directory_trust_setup">https://www.freeipa.org/page/Active_Directory_trust_setup</a>), and everything works up to the point of trying to add external members to the group. Whenever I try I get: <tt># ipa group-add-member ad_admins_external --external 'CHEWY\Domain Admins'</tt><tt> </tt><tt>[member user]: </tt><tt> </tt><tt>[member group]: </tt><tt> </tt><tt> Group name: ad_admins_external</tt><tt> </tt><tt> Description: ad_domain admins external map</tt><tt> </tt><tt> Failed members: </tt><tt> </tt><tt> member user: </tt><tt> </tt><tt> member group: CHEWY\Domain Admins: trusted domain object not found</tt><tt> </tt><tt>-------------------------</tt><tt> </tt><tt>Number of members added 0</tt><tt> </tt><tt>-------------------------</tt> I turned up the debugging to 100, re-established the trust, and tried to perform the group-add-member again. Logs have uploaded the logs here: <a class="moz-txt-link-freetext" href="https://s3.amazonaws.com/phemmer-misc/freeipa-logs.tar.gz">https://s3.amazonaws.com/phemmer-misc/freeipa-logs.tar.gz</a> I'm just testing the procedure on a couple local development VMs, so there's nothing sensitive in there. Confusingly, according to the httpd log the operation was successful: <tt>[Sun May 14 01:49:24.171867 2017] [:error] [pid 23688] ipa: INFO: [jsonserver_session] admin@LOCAL: group_add_member/1(u'ad_admins_external', ipaexternalmember=(u'CHEWY\\\\Domain Admins',), version=u'2.213'): SUCCESS</tt> I'm not sure where the issue here lies. So any insight would be appreciated. This is with: CentOS/7 7.3.1611 FreeIPA 4.4.0 AD is Windows Server 2008 R2 -Patrick </body> </html>