[Freeipa-users] FreeIPA trusts with 2003 R2

Alexander Bokovoy abokovoy at redhat.com
Wed Jun 19 16:35:05 UTC 2013


On Wed, 19 Jun 2013, Aly Khimji wrote:
>So as others have mentioned, Windows obviously isn't my area of focus here
>either. However, we have this working with 2003 R2, but I do notice odd
>behaviour with "id" returning odd results sometimes depending on what
>system I am logged in from, or initial logins failing the first time and
>working the second time. Would this be a result of 2003 trust vs 2008 trust?
Ok, so I have tried another time and went through Windows Server 2003 R2
setup again.

You need to select domain functional level Windows Server 2003 and after
that raise forest functional level to Windows Server 2003.

Only in this case it will work, though without AES encryption (only RC4
encryption is available).

See http://technet.microsoft.com/en-us/library/cc738822%28v=ws.10%29.aspx
for Windows specifics.

In order to raise forest functional level one needs to open 'Active
Directory Domains and Trusts' snap-in and right-click on 'Active
Directory Domains and Trusts' root in the left pane. Then select 'Raise
forest functional level ...' and use "Windows Server 2003" as the level
to raise.

After that you can try establishing trust from IPA side.

Here is IPA behavior (the output corresponds to FreeIPA 3.2 but behavior
should be the same in RHEL 6.4):

# ipa trust-add ad.domain --admin Administrator --password
Active directory domain administrator's password: 
ipa: ERROR: invalid 'AD domain controller': unsupported functional level

(went and raised forest functional level)
# ipa trust-add ad.domain --admin Administrator --password
Active directory domain administrator's password:
--------------------------------------------------
Added Active Directory trust for realm "ad.domain"
--------------------------------------------------
   Realm name: ad.domain
   Domain NetBIOS name: ADP
   Domain Security Identifier: S-1-5-21-426902846-1951547570-376736459
   SID blacklist incoming: S-1-0, S-1-1, S-1-2, S-1-3, S-1-5-1, S-1-5-2,
                           S-1-5-3, S-1-5-4, S-1-5-5, S-1-5-6, S-1-5-7,
                           S-1-5-8, S-1-5-9, S-1-5-10, S-1-5-11, S-1-5-12,
                           S-1-5-13, S-1-5-14, S-1-5-15, S-1-5-16, S-1-5-17,
                           S-1-5-18, S-1-5-19, S-1-5-20
   SID blacklist outgoing: S-1-0, S-1-1, S-1-2, S-1-3, S-1-5-1, S-1-5-2,
                           S-1-5-3, S-1-5-4, S-1-5-5, S-1-5-6, S-1-5-7,
                           S-1-5-8, S-1-5-9, S-1-5-10, S-1-5-11, S-1-5-12,
                           S-1-5-13, S-1-5-14, S-1-5-15, S-1-5-16, S-1-5-17,
                           S-1-5-18, S-1-5-19, S-1-5-20
   Trust direction: Two-way trust
   Trust type: Active Directory domain
   Trust status: Established and verified

Note that there will be all kinds of issues because AES encryption keys
are missing -- you would not be able to use IPA credentials to obtain
Kerberos tickets against Windows services, for example. This whole
experiment is of rather limited value.

But at least, log-in with PuTTY 0.62 works.

-- 
/ Alexander Bokovoy
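As an added example (not part of the thread, and not FreeIPA project code), here is a small checker for the two `ipa trust-add` outcomes shown above: it parses the key/value body into fields, flags the "unsupported functional level" error, verifies that the trust is reported as established, that the domain SID is a real domain SID, and that the trusted domain's own SID has not landed in either SID blacklist (which would filter out every user from that domain). It also encodes the encryption caveat from the message: a 2003-level domain gives RC4 only, while AES Kerberos keys need a 2008 or higher domain functional level. The sample output embedded below is copied from the message; the function names and the numeric functional-level convention are assumptions made for this example.

```python
import re

# Constructed sample: the `ipa trust-add` output from the thread (FreeIPA 3.2),
# with the SIDs as pasted there. Not captured from a live domain.
SAMPLE_OUTPUT = """\
--------------------------------------------------
Added Active Directory trust for realm "ad.domain"
--------------------------------------------------
   Realm name: ad.domain
   Domain NetBIOS name: ADP
   Domain Security Identifier: S-1-5-21-426902846-1951547570-376736459
   SID blacklist incoming: S-1-0, S-1-1, S-1-2, S-1-3, S-1-5-1, S-1-5-2,
                           S-1-5-3, S-1-5-4, S-1-5-5, S-1-5-6, S-1-5-7,
                           S-1-5-8, S-1-5-9, S-1-5-10, S-1-5-11, S-1-5-12,
                           S-1-5-13, S-1-5-14, S-1-5-15, S-1-5-16, S-1-5-17,
                           S-1-5-18, S-1-5-19, S-1-5-20
   SID blacklist outgoing: S-1-0, S-1-1, S-1-2, S-1-3, S-1-5-1, S-1-5-2,
                           S-1-5-3, S-1-5-4, S-1-5-5, S-1-5-6, S-1-5-7,
                           S-1-5-8, S-1-5-9, S-1-5-10, S-1-5-11, S-1-5-12,
                           S-1-5-13, S-1-5-14, S-1-5-15, S-1-5-16, S-1-5-17,
                           S-1-5-18, S-1-5-19, S-1-5-20
   Trust direction: Two-way trust
   Trust type: Active Directory domain
   Trust status: Established and verified
"""

# Constructed sample: the failure seen before the forest functional level was raised.
ERROR_OUTPUT = "ipa: ERROR: invalid 'AD domain controller': unsupported functional level\n"

# An AD domain SID is S-1-5-21-<three sub-authorities>.
DOMAIN_SID_RE = re.compile(r"^S-1-5-21(-\d+){3}$")


def parse_trust_add(text):
    """Parse the indented key/value body of `ipa trust-add` output into a dict.

    Indented lines without ': ' are continuation lines (the wrapped SID
    blacklists) and are appended to the previous key. Banner lines are skipped.
    """
    fields = {}
    key = None
    for line in text.splitlines():
        if not line.startswith(" "):
            continue
        stripped = line.strip()
        if ": " in stripped:
            key, _, value = stripped.partition(": ")
            fields[key] = value
        elif key is not None:
            fields[key] += " " + stripped
    for k in ("SID blacklist incoming", "SID blacklist outgoing"):
        if k in fields:
            fields[k] = [s.strip() for s in fields[k].split(",") if s.strip()]
    return fields


def check_trust(output):
    """Return (ok, findings) for one trust-add run (hypothetical helper)."""
    findings = []
    err = re.search(r"^ipa: ERROR: (.*)$", output, re.M)
    if err:
        return False, ["trust-add failed: " + err.group(1)]
    f = parse_trust_add(output)
    if f.get("Trust status") != "Established and verified":
        findings.append("trust status: %s" % f.get("Trust status"))
    sid = f.get("Domain Security Identifier", "")
    if not DOMAIN_SID_RE.match(sid):
        findings.append("unexpected domain SID: %r" % sid)
    # The trusted domain's own SID in a blacklist would filter all of its users.
    for k in ("SID blacklist incoming", "SID blacklist outgoing"):
        if sid and sid in f.get(k, []):
            findings.append("%s blacklists the trusted domain itself" % k)
    return not findings, findings


# Assumed convention: functional levels as the year in their Windows Server name.
AES_MIN_LEVEL = 2008  # AES Kerberos enctypes need 2008 DFL or higher


def trust_enctype_caveat(domain_functional_level):
    """Classify what a trust with this domain functional level can offer."""
    if domain_functional_level < 2003:
        return "unsupported"   # ipa trust-add rejects it, as in the thread
    if domain_functional_level < AES_MIN_LEVEL:
        return "rc4-only"      # the 2003 R2 case discussed above
    return "aes"


if __name__ == "__main__":
    print(check_trust(SAMPLE_OUTPUT))
    print(check_trust(ERROR_OUTPUT))
    print(trust_enctype_caveat(2003))
```

Run it as-is to see both outcomes classified; feed it the captured stdout of a real `ipa trust-add` run to apply the same checks to your own trust.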
