[Freeipa-users] FreeIPA 3.0 transitive trust, multiple domains

Alexander Bokovoy abokovoy at redhat.com
Wed Mar 13 13:17:33 UTC 2013


On Tue, 12 Mar 2013, de Jong, Mark-Jan wrote:
>Hello,
>I'm currently testing forest trusts in v3.0 on CentOS 6.4. I've got a
>trust setup between my IPA forest (nix.ipatest.dom) and my Windows
>forest (ipatest.dom). I have gone though the setup procedure as outlined
>at http://freeipa.org/page/Howto/IPAv3_AD_trust_setup.
>
>Everything works as described in that document. However, now I want to
>add groups to IPA from another domain in the windows forest
>(us.ipatest.dom) but can't figure out how to proceed. When trying to add
>the a group from the US domain I get the following:
>
>[root@ipa01 ~]# ipa group-add-member ad_admins_external --external 'US\Domain Admins'
>[member user]:
>[member group]:
>ipa: ERROR: invalid Gettext('external member', domain='ipa',
>localedir=None): values are not recognized as valid SIDs from trusted
>domain
>
>I understand the error, but am not sure how to get this to work.
>Creating a new trust between the IPA forest and the US domain results in
>the following error, presumably because it's a transitive trust:
>
>[root@ipa01 ~]# ipa trust-add --type=ad us.ipatest.dom --admin Administrator --password
>Active directory domain administrator's password:
>ipa: ERROR: invalid Gettext('AD domain controller', domain='ipa',
>localedir=None): unsupported functional level
>
>Any help would be greatly appreciated!
We don't support transitive trusts right now. There is work being
done to implement them, tracked with
https://fedorahosted.org/freeipa/ticket/3510, though before we get there
we need to finish foundational work, including some changes in Samba
I'm currently working on and changes for SSSD.

You can see progress with the ticket above and others mentioned in it.
-- 
/ Alexander Bokovoy
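The "values are not recognized as valid SIDs from trusted domain" error above comes from a server-side check: `group-add-member --external` accepts either a `DOMAIN\name` or a raw SID, resolves a name to its SID, and then requires the domain part of that SID (everything before the final RID) to match the SID of a domain IPA has a trust with. A child domain such as us.ipatest.dom has its own domain SID, so without transitive-trust support its members fail that check even though the forest root is trusted. The following is an added example, not FreeIPA's code, that reproduces the domain-prefix check offline so you can tell in advance which SIDs a given trust will accept; the domain SIDs and the `TRUSTED_DOMAIN_SIDS` table are constructed for illustration (in practice you would fill it from the "Domain Security Identifier" field of `ipa trust-show`).

```python
import re

# Constructed sample data: the domain SID of the trusted forest root, as
# ipa trust-show would report it. Values are made up for this example.
TRUSTED_DOMAIN_SIDS = {
    "ipatest.dom": "S-1-5-21-1111111111-2222222222-3333333333",
}

# Generic SID syntax: S-1-<identifier authority>-<subauthority>...
SID_RE = re.compile(r"^S-1-\d+(?:-\d+)+$")

# Well-known RID that every AD domain assigns to its "Domain Admins" group.
RID_DOMAIN_ADMINS = 512


def parse_sid(sid):
    """Validate a domain-relative SID and return (domain_sid, rid).

    Domain-relative SIDs have the shape S-1-5-21-<a>-<b>-<c>-<rid>.
    Well-known SIDs such as S-1-5-32-544 (BUILTIN\\Administrators) carry
    no domain prefix and are rejected here, as they cannot belong to a
    trusted domain.
    """
    if not SID_RE.match(sid):
        raise ValueError("malformed SID: %r" % sid)
    parts = sid.split("-")
    if len(parts) != 8 or parts[2] != "5" or parts[3] != "21":
        raise ValueError("not a domain-relative SID: %r" % sid)
    return "-".join(parts[:-1]), int(parts[-1])


def is_from_trusted_domain(sid, trusted=TRUSTED_DOMAIN_SIDS):
    """True if the SID's domain prefix is one of the trusted domain SIDs."""
    domain_sid, _rid = parse_sid(sid)
    return domain_sid in trusted.values()


def check_external_members(candidates, trusted=TRUSTED_DOMAIN_SIDS):
    """Split candidate SIDs into (accepted, rejected), mirroring the
    validation that produces the 'not recognized as valid SIDs' error.
    Anything that is not a well-formed domain-relative SID is rejected."""
    accepted, rejected = [], []
    for sid in candidates:
        try:
            ok = is_from_trusted_domain(sid, trusted)
        except ValueError:
            ok = False
        (accepted if ok else rejected).append(sid)
    return accepted, rejected


def demo():
    root_domain = TRUSTED_DOMAIN_SIDS["ipatest.dom"]
    # Constructed SID for the child domain us.ipatest.dom: it shares no
    # prefix with the forest root, which is the whole point.
    child_domain = "S-1-5-21-4444444444-5555555555-6666666666"
    candidates = [
        root_domain + "-%d" % RID_DOMAIN_ADMINS,    # IPATEST\Domain Admins
        root_domain + "-1105",                     # an ordinary root user
        child_domain + "-%d" % RID_DOMAIN_ADMINS,  # US\Domain Admins
        "S-1-5-32-544",                            # BUILTIN\Administrators
        "US\\Domain Admins",                       # unresolved name form
    ]
    return check_external_members(candidates)


if __name__ == "__main__":
    accepted, rejected = demo()
    print("accepted:", accepted)
    print("rejected:", rejected)
```

Run with a copy of the real domain SID from `ipa trust-show` and the output tells you which group SIDs the trust will take before you try `group-add-member`. The name form `US\Domain Admins` is rejected here only because this example does no name resolution; on the server it is resolved to a SID first and then fails the same prefix check.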
