[Freeipa-users] FreeIPA 3.0 transitive trust, multiple domains

Simo Sorce simo at redhat.com
Tue Mar 12 21:29:28 UTC 2013


On Tue, 2013-03-12 at 15:11 -0400, de Jong, Mark-Jan wrote:
> Hello,
> I'm currently testing forest trusts in v3.0 on CentOS 6.4. I've got a
> trust setup between my IPA forest (nix.ipatest.dom) and my Windows
> forest (ipatest.dom). I have gone through the setup procedure as outlined
> at http://freeipa.org/page/Howto/IPAv3_AD_trust_setup.
> 
> Everything works as described in that document. However, now I want to
> add groups to IPA from another domain in the windows forest
> (us.ipatest.dom) but can't figure out how to proceed. When trying to add
> a group from the US domain I get the following:
> 
> [root@ipa01 ~]# ipa group-add-member ad_admins_external --external 'US\Domain Admins'
> [member user]:
> [member group]:
> ipa: ERROR: invalid Gettext('external member', domain='ipa',
> localedir=None): values are not recognized as valid SIDs from trusted
> domain
> 
> I understand the error, but am not sure how to get this to work.
> Creating a new trust between the IPA forest and the US domain results in
> the following error, presumably because it's a transitive trust:
> 
> [root@ipa01 ~]# ipa trust-add --type=ad us.ipatest.dom --admin Administrator --password
> Active directory domain administrator's password:
> ipa: ERROR: invalid Gettext('AD domain controller', domain='ipa',
> localedir=None): unsupported functional level
> 
> Any help would be greatly appreciated!

Sorry Mark-Jan, we do not support transitive trusts yet.

We are working on it, stay tuned.

Simo.


-- 
Simo Sorce * Red Hat, Inc * New York



