[Freeipa-users] Forest trust and AD child domain

Manuel Lopes manuel.lopes72 at gmail.com
Thu Dec 11 17:45:49 UTC 2014


Hello,


We have been following the AD integration guide for IPAv3:
http://www.freeipa.org/page/Howto/IPAv3_AD_trust_setup



Our setup is:

• 2 domain controllers with Windows 2008 R2 AD DC -> windows.com as Forest Root Domain and acme.windows.com as transitive child domain

• RHEL7 as IPA server with domain: linux.com



We have established a forest trust between windows.com and linux.com and
everything seems OK from an IPA perspective.



We can work with Kerberos tickets without any issue from the “windows” domain
or its child domain “acme” (kinit, kvno, ...).



When we use samba tools, the following command is working fine.

    [root at support1 ]# wbinfo -n 'WINDOWS\Domain Admins'
    S-1-5-21-1701591335-3855227394-3044674468-512 SID_DOM_GROUP (2)



But, the same command against the acme domain returns an error.

    [root at support1 ]# wbinfo -n 'ACME\Domain Admins'
    failed to call wbcLookupName: WBC_ERR_DOMAIN_NOT_FOUND
    Could not lookup name ACME\Domain Admins



Same problem with the following command:

    [root at support1]# ipa group-add-member ad_users_external --external "ACME\Domain Users"
    [member user]:
    [member group]:
      Group name: ad_users_external
      Description: AD users external map
      External member:
      Member of groups: ad_users
      Failed members:
        member user:
        member group: ACME\Domain Users: Cannot find specified domain or server name
    -------------------------
    Number of members added 0





Any help would be appreciated.



Regards
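One way to check, before trying to map external groups, whether winbind and IPA actually know every domain of the trusted forest. This is an added example, not code from the post or from the FreeIPA project; the sample outputs are constructed to mirror the post (only the forest root WINDOWS is known, ACME is not), and `check_forest_coverage` is a hypothetical wrapper around the real `wbinfo -m` and `ipa trustdomain-find` commands.

```shell
#!/bin/sh
# Added diagnostic (not from the post): report domains of a trusted forest
# that winbind or IPA do not know about, so a missing child domain shows up
# before any "Cannot find specified domain" error from group-add-member.

# Constructed sample of `wbinfo -m` on the IPA trust controller.
SAMPLE_WBINFO_M='BUILTIN
LINUX
WINDOWS'

# Constructed sample of `ipa trustdomain-find windows.com`: only the root.
SAMPLE_TRUSTDOMAINS='  Domain name: windows.com
  Domain NetBIOS name: WINDOWS
  Domain Security Identifier: S-1-5-21-1701591335-3855227394-3044674468
  Domain enabled: True'

# Extract the NetBIOS names from `ipa trustdomain-find` output, one per line.
netbios_from_trustdomains() {
  printf '%s\n' "$1" | sed -n 's/^ *Domain NetBIOS name: *//p'
}

# Print every name in $1 (space separated) that is absent from the
# newline-separated list in $2. Comparison is case-insensitive, whole line.
missing_domains() {
  for d in $1; do
    if ! printf '%s\n' "$2" | grep -qix -- "$d"; then
      printf '%s\n' "$d"
    fi
  done
}

# Live check (hypothetical wrapper, not executed here). $1 is the trust name
# as shown by `ipa trust-find`, $2 the NetBIOS names of all forest domains,
# e.g.: check_forest_coverage windows.com "WINDOWS ACME"
check_forest_coverage() {
  trust=$1; expected=$2
  wb_names=$(wbinfo -m 2>/dev/null)
  ipa_names=$(netbios_from_trustdomains "$(ipa trustdomain-find "$trust" 2>/dev/null)")
  for d in $(missing_domains "$expected" "$wb_names"); do
    echo "winbind does not list $d (wbinfo -m)"
  done
  for d in $(missing_domains "$expected" "$ipa_names"); do
    echo "IPA has no trustdomain entry for $d; try: ipa trust-fetch-domains $trust"
  done
}
```

Run on the constructed samples, `missing_domains "WINDOWS ACME" "$SAMPLE_WBINFO_M"` prints only ACME, which is exactly the domain the lookups above fail on.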