[Freeipa-users] FreeIPA trusts with 2003 R2

Aly Khimji aly.khimji at gmail.com
Wed Jun 19 20:01:32 UTC 2013


Great

I basically just advised that if they want to make all the IDM bells
and whistles work with AD and elevated access, they need to move on from
2k3 as it's just not really supported upstream.


Thanks guys.




On Wed, Jun 19, 2013 at 3:24 PM, Ana Krivokapic <akrivoka at redhat.com> wrote:

> On 06/19/2013 06:47 PM, Alexander Bokovoy wrote:
> > On Wed, 19 Jun 2013, Dmitri Pal wrote:
> >> On 06/19/2013 12:35 PM, Alexander Bokovoy wrote:
> >>> On Wed, 19 Jun 2013, Aly Khimji wrote:
> >>>> So as others have mentioned windows obviously isn't my area of focus
> >>>> here either, however we have this working with 2003r2, but I do notice
> >>>> odd behaviour with "id" returning odd results sometimes depending on
> >>>> what system I am logged in from or initial logins failing the first
> >>>> time and working the second time, would this be a result of 2003 trust
> >>>> vs 2008 trust?
> >>> Ok, so I have tried another time and went through Windows Server 2003
> >>> R2 setup again.
> >>>
> >>> You need to select domain functional level Windows Server 2003 and
> >>> after that raise forest functional level to Windows Server 2003.
> >>>
> >>> Only in this case it will work, though without AES encryption (only RC4
> >>> encryption is available).
> >>>
> >>> See http://technet.microsoft.com/en-us/library/cc738822%28v=ws.10%29.aspx
> >>> for Windows specifics.
> >>>
> >>> In order to raise forest functional level one needs to open 'Active
> >>> Directory Domains and Trusts' snap-in and right-click on 'Active
> >>> Directory Domains and Trusts' root in the left pane. Then select 'Raise
> >>> forest functional level ...' and use "Windows Server 2003" as the level
> >>> to raise.
> >>>
> >>> After that you can try establishing trust from IPA side.
> >>>
> >>> Here is IPA behavior (the output corresponds to FreeIPA 3.2 but
> >>> behavior should be the same in RHEL 6.4):
> >>>
> >>> # ipa trust-add ad.domain --admin Administrator --password
> >>> Active directory domain administrator's password:
> >>> ipa: ERROR: invalid 'AD domain controller': unsupported functional level
> >>>
> >>> (went and raised forest functional level)
> >>> # ipa trust-add ad.domain --admin Administrator --password
> >>> Active directory domain administrator's password:
> >>> --------------------------------------------------
> >>> Added Active Directory trust for realm "ad.domain"
> >>> --------------------------------------------------
> >>>   Realm name: ad.domain
> >>>   Domain NetBIOS name: ADP
> >>>   Domain Security Identifier: S-1-5-21-426902846-1951547570-376736459
> >>>   SID blacklist incoming: S-1-0, S-1-1, S-1-2, S-1-3, S-1-5-1, S-1-5-2,
> >>>                           S-1-5-3, S-1-5-4, S-1-5-5, S-1-5-6, S-1-5-7,
> >>>                           S-1-5-8, S-1-5-9, S-1-5-10, S-1-5-11, S-1-5-12,
> >>>                           S-1-5-13, S-1-5-14, S-1-5-15, S-1-5-16, S-1-5-17,
> >>>                           S-1-5-18, S-1-5-19, S-1-5-20
> >>>   SID blacklist outgoing: S-1-0, S-1-1, S-1-2, S-1-3, S-1-5-1, S-1-5-2,
> >>>                           S-1-5-3, S-1-5-4, S-1-5-5, S-1-5-6, S-1-5-7,
> >>>                           S-1-5-8, S-1-5-9, S-1-5-10, S-1-5-11, S-1-5-12,
> >>>                           S-1-5-13, S-1-5-14, S-1-5-15, S-1-5-16, S-1-5-17,
> >>>                           S-1-5-18, S-1-5-19, S-1-5-20
> >>>   Trust direction: Two-way trust
> >>>   Trust type: Active Directory domain
> >>>   Trust status: Established and verified
> >>>
> >>>
> >>> Note that there will be all kinds of issues due to the AES encryption
> >>> keys being missing -- you would not be able to use IPA credentials to
> >>> obtain Kerberos tickets against Windows services, for example. This
> >>> whole experiment is of rather limited value.
> >>>
> >>> But at least, log-in with PuTTY 0.62 works.
> >>>
> >>
> >> Should we put this on wiki as a how to?
> > Definitely. If nobody beats me through the night, adding it to
> > http://www.freeipa.org/page/Howto/IPAv3_AD_trust_setup, I'll do it
> > tomorrow.
> >
> >
>
> The wiki page has been updated with this information.
>
>
> http://www.freeipa.org/page/Howto/IPAv3_AD_trust_setup#Trusts_and_Windows_Server_2003_R2
>
> --
> Regards,
>
> Ana Krivokapic
> Associate Software Engineer
> FreeIPA team
> Red Hat Inc.
>
> _______________________________________________
> Freeipa-users mailing list
> Freeipa-users at redhat.com
> https://www.redhat.com/mailman/listinfo/freeipa-users
>
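As an added example, not part of this thread or of FreeIPA's own code: a small pre-flight check for the procedure quoted above. It assumes the standard msDS-Behavior-Version encoding of AD functional levels (the domain level lives on the domain naming context, the forest level on CN=Partitions in the configuration partition) and encodes the thread's observations: below the 2003 level `ipa trust-add` refuses the forest, and at the 2003 level the trust is RC4-only; that AES keys need the 2008 level or later is an assumption, and the LDIF entries are constructed samples.

```python
import re

# Standard msDS-Behavior-Version values; Windows stores the domain level on the
# domain naming context and the forest level on CN=Partitions,CN=Configuration.
FUNCTIONAL_LEVELS = {
    0: "Windows 2000",
    1: "Windows Server 2003 interim",
    2: "Windows Server 2003",
    3: "Windows Server 2008",
    4: "Windows Server 2008 R2",
}  # higher values are newer releases
MIN_TRUST_LEVEL = 2  # from the thread: ipa trust-add needs at least the 2003 level
MIN_AES_LEVEL = 3    # assumption: AES Kerberos keys need the 2008 level or later

BEHAVIOR_RE = re.compile(r"^msDS-Behavior-Version:\s*(\d+)\s*$", re.MULTILINE)

# Constructed sample entries, shaped like `ldapsearch -LLL -s base` output.
SAMPLE_DOMAIN_ENTRY = "dn: DC=ad,DC=domain\nmsDS-Behavior-Version: 2\n"
SAMPLE_FOREST_ENTRY = "dn: CN=Partitions,CN=Configuration,DC=ad,DC=domain\nmsDS-Behavior-Version: 0\n"

def parse_behavior_version(ldif_entry: str) -> int:
    """Pull msDS-Behavior-Version out of one LDIF entry; raise if absent."""
    match = BEHAVIOR_RE.search(ldif_entry)
    if not match:
        raise ValueError("entry has no msDS-Behavior-Version attribute")
    return int(match.group(1))

def assess_forest(domain_level: int, forest_level: int) -> dict:
    """Say whether ipa trust-add will accept the forest and what to expect."""
    if forest_level > domain_level:  # AD never lets the forest level exceed a domain's
        raise ValueError("forest functional level cannot exceed the domain level")
    report = {
        "domain_level": FUNCTIONAL_LEVELS.get(domain_level, f"level {domain_level} (newer)"),
        "forest_level": FUNCTIONAL_LEVELS.get(forest_level, f"level {forest_level} (newer)"),
        "trust_supported": forest_level >= MIN_TRUST_LEVEL,
        "aes_available": forest_level >= MIN_AES_LEVEL,
    }
    if domain_level < MIN_TRUST_LEVEL:
        report["next_step"] = "raise the domain functional level to Windows Server 2003 first"
    elif forest_level < MIN_TRUST_LEVEL:
        report["next_step"] = ("raise the forest functional level to Windows Server 2003 "
                               "(Active Directory Domains and Trusts snap-in), then retry")
    elif not report["aes_available"]:
        report["next_step"] = ("trust will be RC4-only: IPA credentials cannot get Kerberos "
                               "tickets for Windows services; plan the move off 2003")
    else:
        report["next_step"] = "AES available; run ipa trust-add"
    return report
```

Feed it the two entries (domain NC and CN=Partitions) from your own ldapsearch output; the sample pair above reproduces the "unsupported functional level" situation from the thread.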