<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8">
</head>
<body text="#000000" bgcolor="#FFFFFF">
<br>
<div class="moz-cite-prefix">On 2017/5/14 04:19, Alexander Bokovoy
wrote:<br>
</div>
<blockquote type="cite"
cite="mid:20170514081923.52vfu4jn4wti6oxw@redhat.com">On Sun, 14
May 2017, Patrick Hemmer wrote:
<br>
<blockquote type="cite">I'm working on spinning up a FreeIPA
server with an AD trust. I've
<br>
followed the official guide
<br>
(<a class="moz-txt-link-freetext" href="https://www.freeipa.org/page/Active_Directory_trust_setup">https://www.freeipa.org/page/Active_Directory_trust_setup</a>), and
<br>
everything works up to the point of trying to add external
members to
<br>
the group. Whenever I try I get:
<br>
<br>
# ipa group-add-member ad_admins_external --external
'CHEWY\Domain Admins'
<br>
[member user]:
<br>
[member group]:
<br>
Group name: ad_admins_external
<br>
Description: ad_domain admins external map
<br>
Failed members:
<br>
member user:
<br>
member group: CHEWY\Domain Admins: trusted domain object not
found
<br>
-------------------------
<br>
Number of members added 0
<br>
-------------------------
<br>
<br>
<br>
I turned up the debugging to 100, re-established the trust, and
tried to
<br>
perform the group-add-member again. I've uploaded the logs
here:
<br>
<a class="moz-txt-link-freetext" href="https://s3.amazonaws.com/phemmer-misc/freeipa-logs.tar.gz">https://s3.amazonaws.com/phemmer-misc/freeipa-logs.tar.gz</a>
<br>
I'm just testing the procedure on a couple local development
VMs, so
<br>
there's nothing sensitive in there.
<br>
<br>
Confusingly, according to the httpd log the operation was
successful:
<br>
[Sun May 14 01:49:24.171867 2017] [:error] [pid 23688] ipa:
INFO:
<br>
[jsonserver_session] admin@LOCAL:
<br>
group_add_member/1(u'ad_admins_external',
<br>
ipaexternalmember=(u'CHEWY\\\\Domain Admins',),
version=u'2.213'): SUCCESS
<br>
<br>
I'm not sure where the issue here lies. So any insight would be
appreciated.
<br>
</blockquote>
<br>
The issue is in your choice of IPA domain name: local. This is not
going
<br>
to work with AD -- as you can see, there are subtle issues. Even
though
<br>
AD DC accepts a trust to LOCAL forest, it cannot really operate it
<br>
internally, thus even looking up forest topology fails at the
point when
<br>
IPA framework attempts to authenticate. See [1] for a list of
limitations
<br>
in pure Active Directory for single-label domains.
<br>
<br>
[1]
<a class="moz-txt-link-freetext" href="https://support.microsoft.com/en-us/help/300684/deployment-and-operation-of-active-directory-domains-that-are-configured-by-using-single-label-dns-names">https://support.microsoft.com/en-us/help/300684/deployment-and-operation-of-active-directory-domains-that-are-configured-by-using-single-label-dns-names</a><br>
<br>
We don't recommend using single-label DNS configurations. Even in
a lab
<br>
environment they are a source of various issues.
<br>
<br>
</blockquote>
<br>
Thanks, switching to a second level domain did indeed solve the
issue.<br>
<br>
-Patrick<br>
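<br>
As an added example, not code from this thread or from the FreeIPA project, here is a small POSIX shell pre-flight check that rejects a single-label IPA domain such as "local" before an AD trust is attempted, so the failure above is caught at install time instead of at group-add-member. It assumes the standard /etc/ipa/default.conf layout with a "domain = ..." line; the function names and the constructed config used for testing are my own.<br>

```shell
#!/bin/sh
# Added example, not code from the thread or from FreeIPA: a pre-flight check
# that a candidate (or already-installed) IPA domain is not a single-label
# DNS name such as "local", which the thread identifies as the cause of
# "trusted domain object not found" when adding external AD members.

# check_ipa_domain NAME
# Returns 0 if NAME is a syntactically valid DNS domain with at least two
# labels, 1 otherwise. Case-insensitive; a trailing dot is tolerated.
check_ipa_domain() {
    name=$(printf '%s' "$1" | tr 'A-Z' 'a-z')
    name=${name%.}
    case "$name" in
        *[!a-z0-9.-]*)   return 1 ;;  # character outside the DNS hostname set
        ''|.*|*..*)      return 1 ;;  # empty name, leading dot, or empty label
        -*|*-|*.-*|*-.*) return 1 ;;  # label starting or ending with a hyphen
        *.*)             return 0 ;;  # two or more labels: usable for an AD trust
        *)               return 1 ;;  # single-label name such as "local"
    esac
}

# ipa_domain_from_conf FILE
# Prints the "domain = ..." value from an IPA config file (normally
# /etc/ipa/default.conf). The path is a parameter so the function can be
# run against a constructed copy of the file.
ipa_domain_from_conf() {
    sed -n 's/^[[:space:]]*domain[[:space:]]*=[[:space:]]*//p' "$1" | head -n 1
}

# main [DOMAIN]
# Checks DOMAIN, or the domain of the local IPA install when none is given.
# Exit status: 0 = usable, 1 = single-label or invalid, 2 = domain unknown.
main() {
    if [ -n "${1:-}" ]; then
        domain=$1
    elif [ -r /etc/ipa/default.conf ]; then
        domain=$(ipa_domain_from_conf /etc/ipa/default.conf)
    else
        echo "no domain given and /etc/ipa/default.conf is not readable" >&2
        return 2
    fi
    if check_ipa_domain "$domain"; then
        echo "OK: '$domain' has at least two DNS labels"
    else
        echo "REJECT: '$domain' is a single-label or invalid DNS name;" \
             "an AD trust needs a multi-label IPA domain (e.g. ipa.example.test)" >&2
        return 1
    fi
}
# Run as:  main ipa.example.test    or, on an installed IPA server:  main
```

Run "main ipa.example.test" to vet a name before ipa-server-install, or plain "main" on an installed server to read the domain from /etc/ipa/default.conf. The check is purely syntactic; it does not query DNS or AD, it only refuses the single-label shape that the thread shows an AD DC will accept a trust for but cannot operate.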
</body>
</html>