[Freeipa-users] AD - Freeipa trust confusion

Dmitri Pal dpal at redhat.com
Thu Jan 2 19:18:35 UTC 2014


On 01/02/2014 02:12 PM, Andrew Holway wrote:
>> You are still setting up a replication agreement not a trust.
> Oh, I am following the redhat documentation here:
>
> https://access.redhat.com/site/documentation/en-US/Red_Hat_Enterprise_Linux/6/html/Identity_Management_Guide/managing-sync-agmt.html

This is sync, not trust, as I mentioned in my first reply.

>
>> This seems to indicate that the directory server is not running.
>> Can you check that the dirsrv is running?
> [root@ipa.wibble.com log]# /etc/init.d/dirsrv status
> dirsrv PKI-IPA (pid 7394) is running...
> dirsrv WIBBLE-COM (pid 7463) is running...
>
>
> [root@ipa.wibble.com log]# ipa trust-add --type=ad prattle.com --admin Administrator --password
> Active directory domain administrator's password:
> ----------------------------------------------------
> Added Active Directory trust for realm "prattle.com"
> ----------------------------------------------------
>   Realm name: prattle.com
>   Domain NetBIOS name: PRATTLE
>   Domain Security Identifier: S-1-5-21-2812083513-4116408788-3699662436
>   Trust direction: Two-way trust
>   Trust type: Active Directory domain
>   Trust status: Established and verified

This is the right step.

> However, I cannot log into the Windows domain with my Linux users nor
> the Linux domain with my Linux users.....


You should not expect logging into AD domain with Linux users. This
functionality is not implemented yet.

As for AD users we need to look at the client and see what is going on
there. What is your client? Version and component? Is it using latest SSSD?
If not, additional steps might be needed. Please provide the details
about the clients. Please start with trying AD users on the IPA server
itself, looking at the logs and seeing what is going on.

Thanks
Dmitri

>
> Ta,
>
> Andrew


-- 
Thank you,
Dmitri Pal

Sr. Engineering Manager for IdM portfolio
Red Hat Inc.

