[Freeipa-users] Forest trust and AD child domain

Sumit Bose sbose at redhat.com
Thu Dec 11 19:05:42 UTC 2014 

On Thu, Dec 11, 2014 at 06:45:49PM +0100, Manuel Lopes wrote:
>  Hello,
> 
> 
> We have been following the AD integration guide for IPAv3:
> http://www.freeipa.org/page/Howto/IPAv3_AD_trust_setup
> 
> 
> 
> Our setup is:
> 
> • 2 domain controllers with Windows 2008 R2 AD DC -> windows.com
> <http://example.com/> as Forest Root Domain and acme.windows.com
> <http://acme.example.com/> as transitive child domain
> 
> • RHEL7 as IPA server with domain: linux.com
> <http://linux.acme.example.com/>
> 
> 
> 
> We have established a forest trust between windows.com and linux.com and
> everything seems OK from an IPA perspective.
> 
> 
> 
> We can work with Kerberos tickets without any issue from “windows” domain
> or his child domain “acme”. (kinit, kvno…)
> 
> 
> 
> When we use samba tools, the following command is working fine.
> 
> *[root at support1 ]# wbinfo -n 'WINDOWS\Domain Admins'*
> 
> *S-1-5-21-1701591335-3855227394-3044674468-512 SID_DOM_GROUP (2)*
> 
> 
> 
> But, the same command against the acme domain returns an error.
> 
> *[root at support1 ]# wbinfo -n 'ACME\Domain Admins'*
> 
> *failed to call wbcLookupName: WBC_ERR_DOMAIN_NOT_FOUND*
> 
> *Could not lookup name ACME\Domain Admins*
> 
> 
> 
> Same problem with the following command:
> 
> *[root at support1]# ipa group-add-member ad_users_external --external
> "ACME\Domain Users"*
> 
> *[member user]:*
> 
> *[member group]:*
> 
> *  Group name: ad_users_external*
> 
> *  Description: AD users external map*
> 
> *  External member: *
> 
> *  Member of groups: ad_users*
> 
> *  Failed members:*
> 
> *    member user:*
> 
> *    member group: ACME\Domain Users: Cannot find specified domain or
> server name*
> 
> *-------------------------*
> 
> *Number of members added 0*
> 
> 
> 
> 
> 
> Any help would be appreciated

Does

ipa trustdomain-find windows.com

show acme.windows.com as well ?

Does

ipa trust-fetch-domains ad.devel

help to retrieve the child domain?

Please note that if acme.windows.com now shows up you might have to wait
1-2 minutes until SSSD's negative caches are flushed and the new domains
is discovered by SSSD, as an alternative you can just restart SSSD.

HTH

bye,
Sumit

> 
> 
> 
> Regards

> -- 
> Manage your subscription for the Freeipa-users mailing list:
> https://www.redhat.com/mailman/listinfo/freeipa-users
> Go To http://freeipa.org for more info on the project

More information about the Freeipa-users mailing list