[Freeipa-users] FreeIPA trusts with 2003 R2

Aly Khimji aly.khimji at gmail.com
Wed Jun 19 17:39:46 UTC 2013


hey guys,

so at this point in time we haven't been having any issues, but I am not
100% sure if the odd issues we have been having have been related to the 2003 vs
2008 issue.

When we joined our IPA server to the 2003 R2 domain we got the following output:

[root@didmsvrua01 ~]# ipa trust-add --type=ad corpnonprd.xxxx.com --admin Administrator --password
Active directory domain administrator's password:
--------------------------------------------------------------
Added Active Directory trust for realm "CorpNonPrd.xxxx.com"
--------------------------------------------------------------
  Realm name: CorpNonPrd.xxxx.com
  Domain NetBIOS name: CORPNONPRD
  Domain Security Identifier: S-1-5-21-417068303-3117552414-2168216644
  Trust direction: Two-way trust
  Trust type: Active Directory domain
  Trust status: Established and verified
[root@didmsvrua01 ~]#


This looks slightly different than yours; does this look like a properly
established trust? I don't seem to have any issues with regard to AES, and
trust users can log into clients; however, there are issues where the first
attempt takes a long time to log in, to the point of timeout, and the second
one works.

Aly




On Wed, Jun 19, 2013 at 12:47 PM, Alexander Bokovoy <abokovoy at redhat.com> wrote:

> On Wed, 19 Jun 2013, Dmitri Pal wrote:
>
>> On 06/19/2013 12:35 PM, Alexander Bokovoy wrote:
>>
>>> On Wed, 19 Jun 2013, Aly Khimji wrote:
>>>
>>>> So as others have mentioned windows obviously isn't my area of focus
>>>> here
>>>> either, however we have this working with 2003r2, but I do notice odd
>>>> behaviour with "id" returning odd results sometimes depending on what
>>>> system I am logged in from or initial logins failing the first time and
>>>> working the second time, would this be a result of 2003 trust vs 2008
>>>> trust?
>>>>
>>> Ok, so I have tried another time and went through Windows Server 2003 R2
>>> setup again.
>>>
>>> You need to select domain functional level Windows Server 2003 and after
>>> that raise forest functional level to Windows Server 2003.
>>>
>>> Only in this case it will work, though without AES encryption (only RC4
>>> encryption is available).
>>>
>>> See http://technet.microsoft.com/en-us/library/cc738822%28v=ws.10%29.aspx
>>> for Windows specifics.
>>>
>>> In order to raise forest functional level one needs to open 'Active
>>> Directory Domains and Trusts' snap-in and right-click on 'Active
>>> Directory Domains and Trusts' root in the left pane. Then select 'Raise
>>> forest functional level ...' and use "Windows Server 2003" as the level
>>> to raise.
>>>
>>> After that you can try establishing trust from IPA side.
>>>
>>> Here is IPA behavior (the output corresponds to FreeIPA 3.2 but behavior
>>> should be the same in RHEL 6.4):
>>>
>>> # ipa trust-add ad.domain --admin Administrator --password
>>> Active directory domain administrator's password:
>>> ipa: ERROR: invalid 'AD domain controller': unsupported functional level
>>>
>>> (went and raised forest functional level)
>>> # ipa trust-add ad.domain --admin Administrator --password
>>> Active directory domain administrator's password:
>>> --------------------------------------------------
>>> Added Active Directory trust for realm "ad.domain"
>>> --------------------------------------------------
>>>   Realm name: ad.domain
>>>   Domain NetBIOS name: ADP
>>>   Domain Security Identifier: S-1-5-21-426902846-1951547570-376736459
>>>   SID blacklist incoming: S-1-0, S-1-1, S-1-2, S-1-3, S-1-5-1, S-1-5-2,
>>>                           S-1-5-3, S-1-5-4, S-1-5-5, S-1-5-6, S-1-5-7,
>>>                           S-1-5-8, S-1-5-9, S-1-5-10, S-1-5-11, S-1-5-12,
>>>                           S-1-5-13, S-1-5-14, S-1-5-15, S-1-5-16, S-1-5-17,
>>>                           S-1-5-18, S-1-5-19, S-1-5-20
>>>   SID blacklist outgoing: S-1-0, S-1-1, S-1-2, S-1-3, S-1-5-1, S-1-5-2,
>>>                           S-1-5-3, S-1-5-4, S-1-5-5, S-1-5-6, S-1-5-7,
>>>                           S-1-5-8, S-1-5-9, S-1-5-10, S-1-5-11, S-1-5-12,
>>>                           S-1-5-13, S-1-5-14, S-1-5-15, S-1-5-16, S-1-5-17,
>>>                           S-1-5-18, S-1-5-19, S-1-5-20
>>>   Trust direction: Two-way trust
>>>   Trust type: Active Directory domain
>>>   Trust status: Established and verified
>>>
>>>
>>> Note that there will be all kinds of issues because AES encryption keys
>>> are missing -- you would not be able to use IPA credentials to obtain
>>> Kerberos tickets against Windows services, for example. This whole
>>> experiment is of rather limited value.
>>>
>>> But at least, log-in with PuTTY 0.62 works.
>>>
>>>
>> Should we put this on wiki as a how to?
>>
> Definitely. If nobody beats me through the night, adding it to
> http://www.freeipa.org/page/Howto/IPAv3_AD_trust_setup, I'll do it
> tomorrow.
>
>
> --
> / Alexander Bokovoy
>
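An added check, not from this thread, for the RC4-only caveat Alexander raises above: once the trust is established, parse `klist -e` output and flag any cross-realm TGT whose ticket enctype is not AES. The realm names and the sample `klist -e` output below are constructed placeholders.

```shell
#!/bin/sh
# Constructed sample of `klist -e` output (illustration only, not real data):
# the first entry is the local IPA TGT, the second is the cross-realm TGT that
# the IPA KDC issued for the trusted AD realm. Realm names are placeholders.
SAMPLE_KLIST='Ticket cache: KEYRING:persistent:0:0
Default principal: admin@IPA.EXAMPLE.TEST

Valid starting       Expires              Service principal
06/19/2013 10:00:00  06/20/2013 10:00:00  krbtgt/IPA.EXAMPLE.TEST@IPA.EXAMPLE.TEST
        Etype (skey, tkt): aes256-cts-hmac-sha1-96, aes256-cts-hmac-sha1-96
06/19/2013 10:00:05  06/20/2013 10:00:00  krbtgt/AD.DOMAIN@IPA.EXAMPLE.TEST
        Etype (skey, tkt): arcfour-hmac, arcfour-hmac'

# Read `klist -e` output on stdin and print "<principal> <ticket enctype>" for
# every cross-realm TGT, i.e. krbtgt/OTHER@LOCAL where OTHER differs from LOCAL.
# The ticket ("tkt") enctype is the one protected by the trust's shared key.
cross_realm_enctypes() {
    awk '
        $NF ~ /^krbtgt\// {
            svc = $NF
            split(svc, p, "[/@]")            # p[2] = target realm, p[3] = issuing realm
            cross = (p[2] != p[3])
            next
        }
        cross && $1 == "Etype" {
            sub(/.*:[[:space:]]*/, "")       # keep only "skey, tkt"
            split($0, e, ",[[:space:]]*")    # e[2] is the ticket enctype
            print svc, e[2]
            cross = 0
        }
    '
}

# Exit 0 when every cross-realm TGT uses an AES enctype, 1 when any does not
# (arcfour-hmac is what a Windows Server 2003 functional-level trust yields).
cross_realm_all_aes() {
    cross_realm_enctypes | awk '$2 !~ /^aes/ { weak = 1 } END { exit (weak ? 1 : 0) }'
}

# Real use: `klist -e | cross_realm_all_aes` after kinit as an IPA user.
printf '%s\n' "$SAMPLE_KLIST" | cross_realm_enctypes
if printf '%s\n' "$SAMPLE_KLIST" | cross_realm_all_aes; then
    echo "all cross-realm tickets use AES"
else
    echo "WARNING: non-AES (RC4) cross-realm ticket found"
fi
```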