[Freeipa-users] Forest trust and AD child domain

Manuel Lopes manuel.lopes72 at gmail.com
Fri Dec 12 01:06:05 UTC 2014


Hi Sumit,

Thank you very much for the prompt reply.

[root at support1 ~]# ipa trustdomain-find windows.com
  Domain name: windows.com
  Domain NetBIOS name: WINDOWS
  Domain Security Identifier: S-1-5-21-1701591335-3855227394-3044674468
  Domain enabled: True

  Domain name: acme.windows.com
  Domain NetBIOS name: ACME
  Domain Security Identifier: S-1-5-21-1215373191-1991333051-3772904882
  Domain enabled: True
----------------------------
Number of entries returned 2
----------------------------

[root at support1 ~]# ipa trust-fetch-domains windows.com
-------------------------------
No new trust domains were found
-------------------------------
----------------------------
Number of entries returned 0
----------------------------

Regards
On 11 Dec 2014 20:08, "Sumit Bose" <sbose at redhat.com> wrote:

> On Thu, Dec 11, 2014 at 06:45:49PM +0100, Manuel Lopes wrote:
> >  Hello,
> >
> >
> > We have been following the AD integration guide for IPAv3:
> > http://www.freeipa.org/page/Howto/IPAv3_AD_trust_setup
> >
> >
> >
> > Our setup is:
> >
> > • 2 domain controllers with Windows 2008 R2 AD DC -> windows.com as Forest
> > Root Domain and acme.windows.com as transitive child domain
> >
> > • RHEL7 as IPA server with domain: linux.com
> >
> >
> >
> > We have established a forest trust between windows.com and linux.com and
> > everything seems OK from an IPA perspective.
> >
> >
> >
> > We can work with Kerberos tickets without any issue from the “windows” domain
> > or its child domain “acme” (kinit, kvno…).
> >
> > When we use samba tools, the following command is working fine.
> >
> > [root at support1 ]# wbinfo -n 'WINDOWS\Domain Admins'
> > S-1-5-21-1701591335-3855227394-3044674468-512 SID_DOM_GROUP (2)
> >
> > But the same command against the acme domain returns an error.
> >
> > [root at support1 ]# wbinfo -n 'ACME\Domain Admins'
> > failed to call wbcLookupName: WBC_ERR_DOMAIN_NOT_FOUND
> > Could not lookup name ACME\Domain Admins
> >
> > Same problem with the following command:
> >
> > [root at support1]# ipa group-add-member ad_users_external --external "ACME\Domain Users"
> > [member user]:
> > [member group]:
> >   Group name: ad_users_external
> >   Description: AD users external map
> >   External member:
> >   Member of groups: ad_users
> >   Failed members:
> >     member user:
> >     member group: ACME\Domain Users: Cannot find specified domain or server name
> > -------------------------
> > Number of members added 0
> >
> > Any help would be appreciated
>
> Does
>
> ipa trustdomain-find windows.com
>
> show acme.windows.com as well ?
>
> Does
>
> ipa trust-fetch-domains ad.devel
>
> help to retrieve the child domain?
>
> Please note that if acme.windows.com now shows up you might have to wait
> 1-2 minutes until SSSD's negative caches are flushed and the new domain
> is discovered by SSSD. As an alternative you can just restart SSSD.
>
> HTH
>
> bye,
> Sumit
>
> >
> > Regards
>
> > --
> > Manage your subscription for the Freeipa-users mailing list:
> > https://www.redhat.com/mailman/listinfo/freeipa-users
> > Go To http://freeipa.org for more info on the project
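Sumit's reply boils down to one check: does `ipa trustdomain-find` on the forest root list the child domain, and if not, does `ipa trust-fetch-domains` pull it in (followed by an SSSD restart or a short wait for its negative cache to expire). The shell script below is an added example, not code from either message or from the FreeIPA project; it parses the `trustdomain-find` output format quoted at the top of this mail (embedded here as a constructed sample) and wraps the two commands in a hypothetical `check_child_domain` helper that an admin could run on the IPA server after adding a child domain to the forest.

```shell
#!/bin/sh
# Added example: verify that an AD child domain is known to an IPA forest trust.
# Not part of the thread or of FreeIPA; assumes the `ipa trustdomain-find`
# output format quoted above and a RHEL7-style `systemctl`-managed sssd.

# Constructed sample: the trustdomain-find output from the thread, used so the
# parsing functions can be exercised without an IPA server.
SAMPLE_OUTPUT='  Domain name: windows.com
  Domain NetBIOS name: WINDOWS
  Domain Security Identifier: S-1-5-21-1701591335-3855227394-3044674468
  Domain enabled: True

  Domain name: acme.windows.com
  Domain NetBIOS name: ACME
  Domain Security Identifier: S-1-5-21-1215373191-1991333051-3772904882
  Domain enabled: True
----------------------------
Number of entries returned 2
----------------------------'

# list_trust_domains OUTPUT
# Prints one line per domain: "<dns name> <netbios> <sid> <enabled>".
list_trust_domains() {
    printf '%s\n' "$1" | awk '
        /^ *Domain name:/                { name = $3 }
        /^ *Domain NetBIOS name:/        { nb = $4 }
        /^ *Domain Security Identifier:/ { sid = $4 }
        /^ *Domain enabled:/             { print name, nb, sid, $3 }
    '
}

# domain_known OUTPUT DOMAIN
# Succeeds (exit 0) only if DOMAIN is listed and enabled.
domain_known() {
    list_trust_domains "$1" |
        awk -v d="$2" '$1 == d && $4 == "True" { found = 1 } END { exit !found }'
}

# netbios_for OUTPUT DOMAIN
# Prints the NetBIOS name IPA recorded for DOMAIN (what wbinfo -n expects
# before the backslash), or nothing if the domain is not listed.
netbios_for() {
    list_trust_domains "$1" | awk -v d="$2" '$1 == d { print $2 }'
}

# check_child_domain FOREST CHILD   (hypothetical helper name)
# On a real IPA server: query the forest trust, and if CHILD is missing, run
# trust-fetch-domains and restart sssd so its negative cache is dropped.
check_child_domain() {
    forest=$1
    child=$2
    out=$(ipa trustdomain-find "$forest") || return 1
    if domain_known "$out" "$child"; then
        echo "$child is known to IPA (NetBIOS name: $(netbios_for "$out" "$child"))"
        return 0
    fi
    echo "$child not listed; running: ipa trust-fetch-domains $forest"
    ipa trust-fetch-domains "$forest" || return 1
    # Alternative to a restart: wait 1-2 minutes for SSSD's negative cache.
    systemctl restart sssd
}

# Stand-alone demonstration against the constructed sample.
if domain_known "$SAMPLE_OUTPUT" acme.windows.com; then
    echo "sample: acme.windows.com listed as $(netbios_for "$SAMPLE_OUTPUT" acme.windows.com)"
fi
```

If the child domain is listed and enabled but `wbinfo -n 'ACME\...'` still fails, the remaining suspect is SSSD's cache rather than the trust itself, which is why the helper restarts sssd only after fetching.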