[Freeipa-users] Problems establishing a trust with AD
Baird, Josh
jbaird at follett.com
Wed Aug 20 16:12:08 UTC 2014
Hi,
I'm attempting to establish a trust between FreeIPA 3.3 and AD 2008 R2. My IPA domain consists of two servers (one master and one replica). I have verified that DNS is configured properly as the IPA domain can resolve AD and the AD domain can resolve IPA hosts.
On each IPA server, I performed the following:
$ yum install ipa-server-trust-ad samba-client
$ ipa-adtrust-install
On the main IPA server, I executed the following:
$ ipa trust-add --admin administrator --password
The output of this command suggests that establishing the trust was successful:
-------------------------------------------------
Added Active Directory trust for realm "test.lan"
-------------------------------------------------
Realm name: test.lan
Domain NetBIOS name: TEST
Domain Security Identifier: S-1-5-21-2234298371-4032204425-1996979893
SID blacklist incoming: S-1-0, S-1-1, S-1-2, S-1-3, S-1-5-1, S-1-5-2, S-1-5-3, S-1-5-4, S-1-5-5, S-1-5-6, S-1-5-7, S-1-5-8, S-1-5-9, S-1-5-10, S-1-5-11, S-1-5-12,
S-1-5-13, S-1-5-14, S-1-5-15, S-1-5-16, S-1-5-17, S-1-5-18, S-1-5-19, S-1-5-20
SID blacklist outgoing: S-1-0, S-1-1, S-1-2, S-1-3, S-1-5-1, S-1-5-2, S-1-5-3, S-1-5-4, S-1-5-5, S-1-5-6, S-1-5-7, S-1-5-8, S-1-5-9, S-1-5-10, S-1-5-11, S-1-5-12,
S-1-5-13, S-1-5-14, S-1-5-15, S-1-5-16, S-1-5-17, S-1-5-18, S-1-5-19, S-1-5-20
Trust direction: Two-way trust
Trust type: Active Directory domain
Trust status: Established and verified
Additionally, I can also see the IPA domain in Active Directory Domains and Trusts on the Windows side. Next, I successfully requested a service ticket for the AD domain:
$ kvno cifs/vmxxenttest01.test.lan@TEST.LAN
cifs/vmxxenttest01.test.lan@TEST.LAN: kvno = 4
$ klist | grep TEST
08/20/2014 11:03:47 08/20/2014 21:03:47 cifs/vmxxenttest01.test.lan@TEST.LAN
08/20/2014 11:03:47 08/21/2014 11:00:30 krbtgt/TEST.LAN@QA-UNIX.DOMAIN.COM
Next, I modified /etc/krb5.conf on both IDM servers (master and replica) and added the following to the [realms] section and restarted krb5kdc:
auth_to_local = RULE:[1:$1@$0](^.*@TEST.LAN$)s/@TEST.LAN/@TEST.LAN/
auth_to_local = DEFAULT
I also modified /etc/sssd/sssd.conf and added "pac" to services and "subdomains_provider = ipa".
Next, I tried to validate the trust from the AD side using the "Validate" button in AD Domains and Trusts. Once I click the "Validate" button, I choose "Yes, validate the incoming trust" and specify the IPA admin account and password and get notified that the trust cannot be validated due to "There are currently no logon servers available to service the logon requests." It suggests that I reset the trust password, and I accept, but again it fails due to no logon servers.
I don't really see anything in the krb5kdc.log logs on the IPA servers. Any ideas how to further troubleshoot this?
Thanks,
Josh
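As an added illustration (not part of Josh's mail or of the krb5 or FreeIPA code), the following Python snippet approximates how an MIT krb5 auth_to_local list is evaluated and applies it to the two entries quoted above. The RULE entry formats the principal as "$1@$0" (component plus realm), requires it to match ^.*@TEST.LAN$, and then substitutes @TEST.LAN with @TEST.LAN, so a trusted-domain user maps to itself with the realm kept, while DEFAULT only strips the realm from single-component principals in the local realm. The local realm QA-UNIX.DOMAIN.COM is taken from the klist output; the sample principals are constructed, and the parser is a simplification of the real krb5 rule grammar.

```python
import re

# Local (IPA) realm, taken from the klist output in the mail.
LOCAL_REALM = "QA-UNIX.DOMAIN.COM"

# The auth_to_local entries added to /etc/krb5.conf, in order.
RULES = [
    "RULE:[1:$1@$0](^.*@TEST.LAN$)s/@TEST.LAN/@TEST.LAN/",
    "DEFAULT",
]

# RULE:[n:string](regexp)s/pattern/replacement/g  (regexp and s/// are optional)
_RULE_RE = re.compile(
    r"RULE:\[(?P<n>\d+):(?P<fmt>[^\]]*)\]"
    r"(?:\((?P<regexp>.*?)\))?"
    r"(?:s/(?P<pat>(?:[^/\\]|\\.)*)/(?P<rep>(?:[^/\\]|\\.)*)/(?P<g>g)?)?$"
)


def split_principal(principal):
    """Return (components, realm) for a principal such as host/x.y@REALM."""
    name, _, realm = principal.rpartition("@")
    if not realm:
        raise ValueError("principal has no realm: %r" % principal)
    return name.split("/"), realm


def apply_rule(rule, principal, local_realm):
    """Apply one auth_to_local entry; return the local name, or None if it does not match."""
    comps, realm = split_principal(principal)
    if rule == "DEFAULT":
        # DEFAULT: a single-component principal in the local realm maps to that component.
        return comps[0] if realm == local_realm and len(comps) == 1 else None
    m = _RULE_RE.match(rule)
    if not m:
        raise ValueError("unparseable auth_to_local rule: %r" % rule)
    # [n:...] only applies to principals with exactly n components.
    if len(comps) != int(m.group("n")):
        return None

    # Expand the format string: $0 is the realm, $1..$n are the components.
    def expand(var):
        i = int(var.group(1))
        if i == 0:
            return realm
        return comps[i - 1] if i <= len(comps) else ""

    formatted = re.sub(r"\$(\d+)", expand, m.group("fmt"))
    # The optional regexp must match the whole formatted string.
    if m.group("regexp") is not None and not re.fullmatch(m.group("regexp"), formatted):
        return None
    # Apply the optional sed-style substitution (first match, or all with the g flag).
    if m.group("pat") is not None:
        count = 0 if m.group("g") else 1
        formatted = re.sub(m.group("pat"), m.group("rep"), formatted, count=count)
    return formatted


def map_principal(principal, rules=RULES, local_realm=LOCAL_REALM):
    """Return the local name produced by the first matching entry, or None."""
    for rule in rules:
        result = apply_rule(rule, principal, local_realm)
        if result is not None:
            return result
    return None


if __name__ == "__main__":
    # Constructed sample principals: an AD user, a local IPA user, a host principal.
    for p in ("jdoe@TEST.LAN", "admin@QA-UNIX.DOMAIN.COM",
              "host/ipa01.qa-unix.domain.com@QA-UNIX.DOMAIN.COM", "jdoe@OTHER.LAN"):
        print("%-50s -> %s" % (p, map_principal(p)))
```

Running it shows that jdoe@TEST.LAN is mapped to jdoe@TEST.LAN (realm retained), admin@QA-UNIX.DOMAIN.COM becomes admin via DEFAULT, and a two-component host principal or a user from an unrelated realm gets no mapping at all.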