[Freeipa-users] Forest trust and AD child domain
Sumit Bose
sbose at redhat.com
Thu Dec 11 19:05:42 UTC 2014
On Thu, Dec 11, 2014 at 06:45:49PM +0100, Manuel Lopes wrote:
> Hello,
>
> We have been following the AD integration guide for IPAv3:
> http://www.freeipa.org/page/Howto/IPAv3_AD_trust_setup
>
> Our setup is:
>
> • 2 domain controllers with Windows 2008 R2 AD DC -> windows.com
> <http://example.com/> as Forest Root Domain and acme.windows.com
> <http://acme.example.com/> as transitive child domain
>
> • RHEL7 as IPA server with domain: linux.com
> <http://linux.acme.example.com/>
>
> We have established a forest trust between windows.com and linux.com and
> everything seems OK from an IPA perspective.
>
> We can work with Kerberos tickets without any issue from the “windows” domain
> or its child domain “acme” (kinit, kvno, …).
>
> When we use the Samba tools, the following command works fine.
>
> [root at support1 ]# wbinfo -n 'WINDOWS\Domain Admins'
> S-1-5-21-1701591335-3855227394-3044674468-512 SID_DOM_GROUP (2)
>
> But the same command against the acme domain returns an error.
>
> [root at support1 ]# wbinfo -n 'ACME\Domain Admins'
> failed to call wbcLookupName: WBC_ERR_DOMAIN_NOT_FOUND
> Could not lookup name ACME\Domain Admins
>
> Same problem with the following command:
>
> [root at support1]# ipa group-add-member ad_users_external --external
> "ACME\Domain Users"
> [member user]:
> [member group]:
>   Group name: ad_users_external
>   Description: AD users external map
>   External member:
>   Member of groups: ad_users
>   Failed members:
>     member user:
>     member group: ACME\Domain Users: Cannot find specified domain or
> server name
> -------------------------
> Number of members added 0
>
> Any help would be appreciated
Does

    ipa trustdomain-find windows.com

show acme.windows.com as well? Does

    ipa trust-fetch-domains ad.devel

help to retrieve the child domain?

Please note that if acme.windows.com now shows up you might have to wait
1-2 minutes until SSSD's negative caches are flushed and the new domain
is discovered by SSSD; as an alternative you can just restart SSSD.

HTH

bye,
Sumit
> Regards
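The checks suggested in the reply, written up as a small script (an added example, not code from the thread or from the FreeIPA project): confirm the child domain is listed by `ipa trustdomain-find`, run `ipa trust-fetch-domains` if it is not, restart SSSD so its negative cache does not hide the new domain, and re-run the `wbinfo -n` lookup that failed. It assumes it runs as root on the IPA server with an admin Kerberos ticket; the variables `IPA_CMD`, `WBINFO_CMD` and `SSSD_RESTART_CMD` are hypothetical overrides, not FreeIPA settings, so the functions can be exercised against substitute commands.

```shell
#!/bin/sh
# Added example (not from the thread): check, fetch and verify the child
# domain of a trusted AD forest. Assumes root on the IPA server with an
# admin ticket. IPA_CMD, WBINFO_CMD and SSSD_RESTART_CMD are hypothetical
# override variables so the functions can be tested against fake commands.

IPA_CMD=${IPA_CMD:-ipa}
WBINFO_CMD=${WBINFO_CMD:-wbinfo}
SSSD_RESTART_CMD=${SSSD_RESTART_CMD:-"systemctl restart sssd"}

# Return 0 if 'ipa trustdomain-find <forest>' lists <child> (case-insensitive).
# The command prints one "Domain name: <dns name>" line per known domain.
trust_has_domain() {
    "$IPA_CMD" trustdomain-find "$1" 2>/dev/null | awk -v want="$2" '
        /^ *Domain name:/ {
            sub(/^ *Domain name: */, ""); sub(/ *$/, "")
            if (tolower($0) == tolower(want)) found = 1
        }
        END { if (found) exit 0; exit 1 }'
}

# Make sure <child> is known to the trust with <forest>; fetch the forest's
# domain list if it is not. Returns 0 when the child is known afterwards.
ensure_child_domain() {
    forest=$1; child=$2
    if trust_has_domain "$forest" "$child"; then
        echo "$child is already known to the trust with $forest"
        return 0
    fi
    echo "$child is missing; running: ipa trust-fetch-domains $forest"
    "$IPA_CMD" trust-fetch-domains "$forest" >/dev/null 2>&1 || true
    trust_has_domain "$forest" "$child" || return 1
    # A freshly fetched domain can sit in SSSD's negative cache for 1-2
    # minutes; restarting SSSD makes it visible immediately.
    $SSSD_RESTART_CMD
}

# Verify a NetBIOS-qualified name resolves via winbind, e.g. 'ACME\Domain Admins'.
# Returns non-zero on failures such as WBC_ERR_DOMAIN_NOT_FOUND.
verify_lookup() {
    "$WBINFO_CMD" -n "$1" >/dev/null 2>&1
}

# Example run for the setup in the report:
#   ensure_child_domain windows.com acme.windows.com && verify_lookup 'ACME\Domain Admins'
```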