<html>
  <head>
    <meta http-equiv="Content-Type" content="text/html; charset=utf-8">
  </head>
  <body text="#000000" bgcolor="#FFFFFF">
    <br>
    <div class="moz-cite-prefix">On 2017/5/14 04:19, Alexander Bokovoy
      wrote:<br>
    </div>
    <blockquote type="cite"
      cite="mid:20170514081923.52vfu4jn4wti6oxw@redhat.com">On Sun, 14
      May 2017, Patrick Hemmer wrote:
      <br>
      <blockquote type="cite">I'm working on spinning up a FreeIPA
        server with an AD trust. I've
        <br>
        followed the official guide
        <br>
        (<a class="moz-txt-link-freetext" href="https://www.freeipa.org/page/Active_Directory_trust_setup">https://www.freeipa.org/page/Active_Directory_trust_setup</a>), and
        <br>
        everything works up to the point of trying to add external
        members to
        <br>
        the group. Whenever I try I get:
        <br>
        <br>
        # ipa group-add-member ad_admins_external --external
        'CHEWY\Domain Admins'
        <br>
        [member user]:
        <br>
        [member group]:
        <br>
         Group name: ad_admins_external
        <br>
         Description: ad_domain admins external map
        <br>
         Failed members:
        <br>
           member user:
        <br>
           member group: CHEWY\Domain Admins: trusted domain object not
        found
        <br>
        -------------------------
        <br>
        Number of members added 0
        <br>
        -------------------------
        <br>
        <br>
        <br>
        I turned up the debugging to 100, re-established the trust, and
        tried to
        <br>
        perform the group-add-member again. I have uploaded the logs
        here:
        <br>
        <a class="moz-txt-link-freetext" href="https://s3.amazonaws.com/phemmer-misc/freeipa-logs.tar.gz">https://s3.amazonaws.com/phemmer-misc/freeipa-logs.tar.gz</a>
        <br>
        I'm just testing the procedure on a couple local development
        VMs, so
        <br>
        there's nothing sensitive in there.
        <br>
        <br>
        Confusingly, according to the httpd log the operation was
        successful:
        <br>
        [Sun May 14 01:49:24.171867 2017] [:error] [pid 23688] ipa:
        INFO:
        <br>
        [jsonserver_session] admin@LOCAL:
        <br>
        group_add_member/1(u'ad_admins_external',
        <br>
        ipaexternalmember=(u'CHEWY\\\\Domain Admins',),
        version=u'2.213'): SUCCESS
        <br>
        <br>
        I'm not sure where the issue here lies. So any insight would be
        appreciated.
        <br>
      </blockquote>
      <br>
      The issue is in your choice of IPA domain name: local. This is not
      going
      <br>
      to work with AD -- as you can see, there are subtle issues. Even
      though
      <br>
      AD DC accepts a trust to LOCAL forest, it cannot really operate it
      <br>
      internally, thus even looking up forest topology fails at the
      point when
      <br>
      IPA framework attempts to authenticate. See [1] for a list of
      limitations
      <br>
      in pure Active Directory for single-label domains.
      <br>
      <br>
      [1]
<a class="moz-txt-link-freetext" href="https://support.microsoft.com/en-us/help/300684/deployment-and-operation-of-active-directory-domains-that-are-configured-by-using-single-label-dns-names">https://support.microsoft.com/en-us/help/300684/deployment-and-operation-of-active-directory-domains-that-are-configured-by-using-single-label-dns-names</a><br>
      <br>
      We don't recommend using single-label DNS configurations. Even in
      a lab
      <br>
      environment they are a source of various issues.
      <br>
      <br>
    </blockquote>
    <br>
    Thanks, switching to a second-level domain did indeed solve the
    issue.<br>
    <br>
    -Patrick<br>
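    <br>
    A preflight check for the problem discussed in this thread, added here as an example that is not part of the original messages or of FreeIPA itself: it reads the [global] section of an ipa default.conf (the layout of /etc/ipa/default.conf; the sample text below is constructed) and flags a single-label domain such as "local" before a trust is attempted. The label rules follow RFC 1035; the function and file names are this example's own.<br>

```python
"""Preflight check: is the FreeIPA domain usable for an AD trust?

Added example, not FreeIPA code. Reads the [global] section of an
ipa default.conf and reports a single-label domain, which AD cannot
operate a trust to (Microsoft KB 300684), plus malformed DNS labels.
"""
import configparser
import re

# RFC 1035 hostname label: 1-63 chars, letters/digits/hyphens,
# no leading or trailing hyphen.
LABEL_RE = re.compile(r"^(?!-)[a-z0-9-]{1,63}(?<!-)$")

# Constructed sample in the layout of /etc/ipa/default.conf
# (values chosen to mirror the failing setup in the thread).
SAMPLE_CONF = """\
[global]
domain = local
realm = LOCAL
server = ipa.local
basedn = dc=local
"""


def check_domain(domain: str) -> list[str]:
    """Return the problems found with an IPA DNS domain name (empty if OK)."""
    problems = []
    labels = domain.lower().rstrip(".").split(".")
    if len(labels) < 2:
        problems.append(
            f"'{domain}' is a single-label domain; AD cannot operate a "
            "trust to it, use at least two labels such as ipa.example.test"
        )
    for label in labels:
        if not LABEL_RE.match(label):
            problems.append(f"label '{label}' is not a valid DNS label")
    if len(domain) > 253:
        problems.append("domain name exceeds 253 characters")
    return problems


def check_ipa_conf(conf_text: str) -> list[str]:
    """Parse an ipa default.conf body and check its [global] domain."""
    parser = configparser.ConfigParser()
    parser.read_string(conf_text)
    domain = parser.get("global", "domain", fallback="")
    if not domain:
        return ["no 'domain' setting in [global]"]
    return check_domain(domain)


if __name__ == "__main__":
    for problem in check_ipa_conf(SAMPLE_CONF):
        print("WARNING:", problem)
```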
  </body>
</html>