[Freeipa-users] Problems establishing a trust with AD

Baird, Josh jbaird at follett.com
Wed Aug 20 16:12:08 UTC 2014


Hi,

I'm attempting to establish a trust between FreeIPA 3.3 and AD 2008 R2.  My IPA domain consists of two servers (one master and one replica).  I have verified that DNS is configured properly as the IPA domain can resolve AD and the AD domain can resolve IPA hosts.

On each IPA server, I performed the following:

$ yum install ipa-server-trust-ad samba-client
$ ipa-adtrust-install

On the main IPA server, I executed the following:

$ ipa trust-add --admin administrator --password

The output of this command suggests that establishing the trust was successful:

-------------------------------------------------
Added Active Directory trust for realm "test.lan"
-------------------------------------------------
  Realm name: test.lan
  Domain NetBIOS name: TEST
  Domain Security Identifier: S-1-5-21-2234298371-4032204425-1996979893
  SID blacklist incoming: S-1-0, S-1-1, S-1-2, S-1-3, S-1-5-1, S-1-5-2, S-1-5-3, S-1-5-4, S-1-5-5, S-1-5-6, S-1-5-7, S-1-5-8, S-1-5-9, S-1-5-10, S-1-5-11, S-1-5-12,
                          S-1-5-13, S-1-5-14, S-1-5-15, S-1-5-16, S-1-5-17, S-1-5-18, S-1-5-19, S-1-5-20
  SID blacklist outgoing: S-1-0, S-1-1, S-1-2, S-1-3, S-1-5-1, S-1-5-2, S-1-5-3, S-1-5-4, S-1-5-5, S-1-5-6, S-1-5-7, S-1-5-8, S-1-5-9, S-1-5-10, S-1-5-11, S-1-5-12,
                          S-1-5-13, S-1-5-14, S-1-5-15, S-1-5-16, S-1-5-17, S-1-5-18, S-1-5-19, S-1-5-20
  Trust direction: Two-way trust
  Trust type: Active Directory domain
  Trust status: Established and verified

I can also see the IPA domain in Active Directory Domains and Trusts on the Windows side.  Next, I successfully requested a service ticket for the AD domain:

$ kvno cifs/vmxxenttest01.test.lan at TEST.LAN
cifs/vmxxenttest01.test.lan at TEST.LAN: kvno = 4
$ klist | grep TEST
08/20/2014 11:03:47  08/20/2014 21:03:47  cifs/vmxxenttest01.test.lan at TEST.LAN
08/20/2014 11:03:47  08/21/2014 11:00:30  krbtgt/TEST.LAN at QA-UNIX.DOMAIN.COM

Next, I modified /etc/krb5.conf on both IDM servers (master and replica) and added the following to the [realms] section and restarted krb5kdc:

auth_to_local = RULE:[1:$1@$0](^.*@TEST.LAN$)s/@TEST.LAN/@TEST.LAN/
auth_to_local = DEFAULT

I also modified /etc/sssd/sssd.conf and added "pac" to services and "subdomains_provider = ipa."

Next, I tried to validate the trust from the AD side using the "Validate" button in AD Domains and Trusts.  Once I click the "Validate" button, I choose "Yes, validate the incoming trust" and specify the IPA admin account and password, and get notified that the trust cannot be validated due to "There are currently no logon servers available to service the logon requests."  It suggests that I reset the trust password, and I accept, but again it fails due to no logon servers.

I don't really see anything in the krb5kdc.log logs on the IPA servers.  Any ideas how to further troubleshoot this?

Thanks,

Josh
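The auth_to_local lines quoted in the message above are MIT krb5 mapping rules of the form RULE:[n:format](regexp)s/pattern/replacement/[g], followed by DEFAULT. The evaluator below is an added example written for this page; it is not FreeIPA, SSSD or MIT krb5 code. It parses that syntax and applies it to a few constructed principals so you can see what a given rule actually produces before restarting the KDC. The local realm QA-UNIX.DOMAIN.COM is taken from the krbtgt line in the klist output; the sample user names and the second rule set, which lowercases the realm in the result instead of substituting it with itself, are assumptions made for the comparison and are not from the post. Two MIT behaviours are encoded as stated in the krb5.conf documentation: a RULE applies only when the principal has exactly n components and its formatted string matches the regexp in full, and DEFAULT applies only to single-component principals in the local realm.

```python
"""Evaluate MIT krb5 auth_to_local rules against Kerberos principals.

Added illustration for the auth_to_local syntax; not FreeIPA or MIT krb5 code.
Syntax handled:  RULE:[n:format](regexp)s/pattern/replacement/[g] ...  and  DEFAULT
"""
import re

# Assumed local (IPA) realm, taken from the krbtgt/TEST.LAN@QA-UNIX.DOMAIN.COM ticket.
LOCAL_REALM = "QA-UNIX.DOMAIN.COM"

# First set: the two lines as posted.  Note the substitution replaces
# "@TEST.LAN" with itself, so the RULE is an identity mapping.
POSTED_RULES = [
    "RULE:[1:$1@$0](^.*@TEST.LAN$)s/@TEST.LAN/@TEST.LAN/",
    "DEFAULT",
]
# Second set (constructed for comparison, not from the post): same rule, but
# the replacement lowercases the realm part of the resulting local name.
LOWERCASING_RULES = [
    "RULE:[1:$1@$0](^.*@TEST.LAN$)s/@TEST.LAN/@test.lan/",
    "DEFAULT",
]

# One sed-style clause: s/pattern/replacement/ with an optional g flag.
_SED_RE = re.compile(r"s/((?:\\.|[^/])*)/((?:\\.|[^/])*)/(g?)")


def split_principal(principal):
    """'host/a.test.lan@TEST.LAN' -> (['host', 'a.test.lan'], 'TEST.LAN')."""
    name, sep, realm = principal.rpartition("@")
    if not sep:
        raise ValueError("principal has no realm: %r" % principal)
    return name.split("/"), realm


def _take_balanced(text, open_ch, close_ch):
    """Return (inside, rest) for the balanced open..close group starting at text[0]."""
    if not text.startswith(open_ch):
        raise ValueError("expected %r at %r" % (open_ch, text))
    depth, i = 0, 0
    while i < len(text):
        ch = text[i]
        if ch == "\\":          # skip an escaped character
            i += 2
            continue
        if ch == open_ch:
            depth += 1
        elif ch == close_ch:
            depth -= 1
            if depth == 0:
                return text[1:i], text[i + 1:]
        i += 1
    raise ValueError("unbalanced %r in %r" % (open_ch, text))


def parse_rule(rule):
    """Parse 'RULE:[n:fmt](regexp)s/.../.../...' -> (n, fmt, regexp, [(pat, repl, global)])."""
    if not rule.startswith("RULE:"):
        raise ValueError("not a RULE: %r" % rule)
    spec, rest = _take_balanced(rule[len("RULE:"):], "[", "]")
    n, _, fmt = spec.partition(":")
    regexp = None
    if rest.startswith("("):
        regexp, rest = _take_balanced(rest, "(", ")")
    subs = []
    while rest:
        m = _SED_RE.match(rest)
        if not m:
            raise ValueError("bad substitution clause: %r" % rest)
        subs.append((m.group(1), m.group(2), m.group(3) == "g"))
        rest = rest[m.end():]
    return int(n), fmt, regexp, subs


def apply_rule(rule, principal):
    """Local name the rule yields for principal, or None when the rule does not apply."""
    comps, realm = split_principal(principal)
    if rule == "DEFAULT":
        # DEFAULT: single-component principal in the local realm -> that component.
        return comps[0] if realm == LOCAL_REALM and len(comps) == 1 else None
    n, fmt, regexp, subs = parse_rule(rule)
    if len(comps) != n:          # the rule wants exactly n components
        return None

    def field(m):                # $0 is the realm, $1..$n the components
        idx = int(m.group(1))
        if idx > n:
            raise ValueError("format references $%d but rule has %d components" % (idx, n))
        return realm if idx == 0 else comps[idx - 1]

    selstr = re.sub(r"\$(\d+)", field, fmt)
    if regexp is not None and re.fullmatch(regexp, selstr) is None:
        return None              # regexp must match the whole formatted string
    for pat, repl, glob in subs:  # Python re.sub understands sed's \1 back-references
        selstr = re.sub(pat, repl, selstr, count=0 if glob else 1)
    return selstr


def map_principal(rules, principal):
    """Apply rules in order; the first one that yields a name wins, else None."""
    for rule in rules:
        name = apply_rule(rule, principal)
        if name is not None:
            return name
    return None


if __name__ == "__main__":
    # Constructed sample principals, not names from the post.
    for p in ("jdoe@TEST.LAN", "admin@QA-UNIX.DOMAIN.COM",
              "host/vm01.test.lan@TEST.LAN", "jdoe@OTHER.LAN"):
        print("%-32s posted=%-16s lowercasing=%s" % (
            p, map_principal(POSTED_RULES, p), map_principal(LOWERCASING_RULES, p)))
```

Running it shows that the posted rule hands jdoe@TEST.LAN to the local name lookup unchanged, the lowercasing variant produces jdoe@test.lan, the IPA admin maps to plain "admin" via DEFAULT, and a two-component AD service principal or a user from an unrelated realm gets no mapping at all.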