[Freeipa-users] FreeIPA trusts with 2003 R2

Alexander Bokovoy abokovoy at redhat.com
Wed Jun 19 16:47:55 UTC 2013


On Wed, 19 Jun 2013, Dmitri Pal wrote:
>On 06/19/2013 12:35 PM, Alexander Bokovoy wrote:
>> On Wed, 19 Jun 2013, Aly Khimji wrote:
>>> So, as others have mentioned, Windows obviously isn't my area of focus
>>> here either. However, we have this working with 2003 R2, but I do notice
>>> odd behaviour with "id" returning odd results sometimes depending on what
>>> system I am logged in from, or initial logins failing the first time and
>>> working the second time. Would this be a result of a 2003 trust vs a 2008
>>> trust?
>> Ok, so I have tried another time and went through Windows Server 2003 R2
>> setup again.
>>
>> You need to select the Windows Server 2003 domain functional level and
>> after that raise the forest functional level to Windows Server 2003.
>>
>> Only in this case will it work, though without AES encryption (only RC4
>> encryption is available).
>>
>> See http://technet.microsoft.com/en-us/library/cc738822%28v=ws.10%29.aspx
>> for Windows specifics.
>>
>> In order to raise forest functional level one needs to open 'Active
>> Directory Domains and Trusts' snap-in and right-click on 'Active
>> Directory Domains and Trusts' root in the left pane. Then select 'Raise
>> forest functional level ...' and use "Windows Server 2003" as the level
>> to raise.
>>
>> After that you can try establishing trust from IPA side.
>>
>> Here is IPA behavior (the output corresponds to FreeIPA 3.2 but behavior
>> should be the same in RHEL 6.4):
>>
>> # ipa trust-add ad.domain --admin Administrator --password
>> Active directory domain administrator's password:
>> ipa: ERROR: invalid 'AD domain controller': unsupported functional level
>>
>> (went and raised forest functional level)
>> # ipa trust-add ad.domain --admin Administrator --password
>> Active directory domain administrator's password:
>> --------------------------------------------------
>> Added Active Directory trust for realm "ad.domain"
>> --------------------------------------------------
>>   Realm name: ad.domain
>>   Domain NetBIOS name: ADP
>>   Domain Security Identifier: S-1-5-21-426902846-1951547570-376736459
>>   SID blacklist incoming: S-1-0, S-1-1, S-1-2, S-1-3, S-1-5-1, S-1-5-2,
>>                           S-1-5-3, S-1-5-4, S-1-5-5, S-1-5-6, S-1-5-7,
>>                           S-1-5-8, S-1-5-9, S-1-5-10, S-1-5-11, S-1-5-12,
>>                           S-1-5-13, S-1-5-14, S-1-5-15, S-1-5-16, S-1-5-17,
>>                           S-1-5-18, S-1-5-19, S-1-5-20
>>   SID blacklist outgoing: S-1-0, S-1-1, S-1-2, S-1-3, S-1-5-1, S-1-5-2,
>>                           S-1-5-3, S-1-5-4, S-1-5-5, S-1-5-6, S-1-5-7,
>>                           S-1-5-8, S-1-5-9, S-1-5-10, S-1-5-11, S-1-5-12,
>>                           S-1-5-13, S-1-5-14, S-1-5-15, S-1-5-16, S-1-5-17,
>>                           S-1-5-18, S-1-5-19, S-1-5-20
>>   Trust direction: Two-way trust
>>   Trust type: Active Directory domain
>>   Trust status: Established and verified
>>
>>
>> Note that there will be all kinds of issues because AES encryption keys
>> are missing -- you would not be able to use IPA credentials to obtain
>> Kerberos tickets against Windows services, for example. This whole
>> experiment is of rather limited value.
>>
>> But at least, log-in with PuTTY 0.62 works.
>>
>
>Should we put this on wiki as a how to?
Definitely. If nobody beats me to it overnight by adding it to
http://www.freeipa.org/page/Howto/IPAv3_AD_trust_setup, I'll do it
tomorrow.


-- 
/ Alexander Bokovoy


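The "SID blacklist incoming/outgoing" lines in the ipa trust-add output above list the well-known SIDs that must never be accepted from the other side of the trust. As an added example (not from the post and not FreeIPA's own code), here is a small Python model of that filtering applied to a constructed list of PAC SIDs. The blacklist entries and the trusted domain SID are copied from the output above; treating the entries as prefixes (so S-1-1 covers S-1-1-0, and S-1-5-5 covers logon-session SIDs) is my assumption, and the extra check that remaining S-1-5-21 SIDs belong to the single trusted domain goes beyond what the post shows.

```python
"""Model of SID blacklist filtering for SIDs received over an AD trust.

Added illustration, not FreeIPA code.  The blacklist entries and the
trusted domain SID are copied from the ipa trust-add output in the post;
the prefix-matching semantics and the foreign-domain check are assumptions.
"""
from __future__ import annotations

# Blacklist as printed by ipa trust-add (same list for incoming and outgoing).
DEFAULT_SID_BLACKLIST: frozenset[str] = frozenset(
    ["S-1-0", "S-1-1", "S-1-2", "S-1-3"] + [f"S-1-5-{n}" for n in range(1, 21)]
)

# Domain SID the 2003 R2 forest reported in the post.
TRUSTED_DOMAIN_SID = "S-1-5-21-426902846-1951547570-376736459"


def parse_sid(sid: str) -> tuple[int, int, tuple[int, ...]]:
    """Split 'S-R-A-s1-s2-...' into (revision, authority, sub-authorities).

    Rejects anything that is not a revision-1 SID with at most 15
    sub-authorities, so a hostile PAC cannot smuggle in junk strings."""
    parts = sid.split("-")
    if len(parts) < 3 or parts[0] != "S":
        raise ValueError(f"malformed SID: {sid!r}")
    try:
        revision, authority = int(parts[1]), int(parts[2])
        subs = tuple(int(p) for p in parts[3:])
    except ValueError:
        raise ValueError(f"malformed SID: {sid!r}") from None
    if revision != 1 or len(subs) > 15 or any(s < 0 for s in subs):
        raise ValueError(f"malformed SID: {sid!r}")
    return revision, authority, subs


def is_blacklisted(sid: str, blacklist: frozenset[str] = DEFAULT_SID_BLACKLIST) -> bool:
    """True if the SID equals, or lies under, a blacklist entry.

    Assumption: entries are prefixes, so S-1-1 covers S-1-1-0 (Everyone)
    and S-1-5-5 covers S-1-5-5-0-12345 (a logon session SID)."""
    rev, auth, subs = parse_sid(sid)
    for entry in blacklist:
        brev, bauth, bsubs = parse_sid(entry)
        if (brev, bauth) == (rev, auth) and subs[: len(bsubs)] == bsubs:
            return True
    return False


def is_domain_sid(sid: str) -> bool:
    """Domain SIDs (and the accounts under them) are S-1-5-21-X-Y-Z[-RID]."""
    _, auth, subs = parse_sid(sid)
    return auth == 5 and len(subs) >= 4 and subs[0] == 21


def filter_pac_sids(
    sids: list[str],
    trusted_domain_sid: str = TRUSTED_DOMAIN_SID,
    blacklist: frozenset[str] = DEFAULT_SID_BLACKLIST,
) -> tuple[list[str], list[tuple[str, str]]]:
    """Return (kept, dropped) where dropped pairs each SID with a reason.

    Extension beyond the post: besides the blacklist, any S-1-5-21 SID whose
    domain part is not the trusted domain's is dropped, which is what you
    want for a trust with a single-domain forest like the one described."""
    trusted_subs = parse_sid(trusted_domain_sid)[2][:4]
    kept: list[str] = []
    dropped: list[tuple[str, str]] = []
    for sid in sids:
        try:
            if is_blacklisted(sid, blacklist):
                dropped.append((sid, "blacklisted"))
            elif is_domain_sid(sid) and parse_sid(sid)[2][:4] != trusted_subs:
                dropped.append((sid, "foreign domain"))
            else:
                kept.append(sid)
        except ValueError:
            dropped.append((sid, "malformed"))
    return kept, dropped


# Constructed sample of SIDs as they might arrive in a PAC over the trust.
SAMPLE_PAC_SIDS = [
    TRUSTED_DOMAIN_SID + "-500",  # Administrator of the trusted domain
    TRUSTED_DOMAIN_SID + "-513",  # Domain Users of the trusted domain
    "S-1-5-11",                   # Authenticated Users: listed directly
    "S-1-1-0",                    # Everyone: under the S-1-1 entry
    "S-1-5-5-0-12345",            # logon session SID: under S-1-5-5
    "S-1-5-21-1-2-3-512",         # Domain Admins of some unrelated domain
    "S-2-5-11",                   # bad revision: rejected as malformed
]

if __name__ == "__main__":
    kept, dropped = filter_pac_sids(SAMPLE_PAC_SIDS)
    print("kept:", kept)
    for sid, why in dropped:
        print(f"dropped {sid}: {why}")
```

Only the two SIDs rooted at the trusted domain's S-1-5-21 prefix survive; the well-known SIDs, the SID from an unrelated domain, and the malformed string are all dropped with a reason, which is the property you want any cross-trust PAC filter to have.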