[Freeipa-users] Unable to Login until Trust is Repaired (Jonathan)

Dmitri Pal dpal at redhat.com
Thu Nov 13 13:27:28 UTC 2014


On 11/13/2014 08:15 AM, Jonathan Bradford wrote:
> Dmitri:
> Thanks for the reply.
> > Do you need to repair the trust for every single user or just once?
> Yes, I have to repair the trust for every new user added to Active 
> Directory who needs access to an IdM resource. Only once per user though.
> > What is your AD domain topology?
> My AD topology is very simple at the moment because it is a test 
> environment. I currently have one domain controller with a domain of 
> venus.com. My IdM topology is very similar--one 
> IdM server with a domain of mercury.com.
> > Are you establishing trust with the primary domain controller?
> Yes.
> > What version of IPA and AD are you using?
> I'm using IPA v 3.0. I'm not sure of the current version of AD, but 
> I'm using it on Windows Server 2008 R2 SP1.

3.0 is a pretty old version; I mean a lot has changed in the trust area 
between 3.0 and 3.3.
Any chance you can use that?

What distro do you use?

> ----------------------------------------------------------------------
>
> Message: 1
> Date: Wed, 12 Nov 2014 14:42:51 -0500
> From: Dmitri Pal <dpal at redhat.com>
> To: freeipa-users at redhat.com
> Subject: Re: [Freeipa-users] Unable to Login until Trust is Repaired
> Message-ID: <5463B83B.1040601 at redhat.com>
> Content-Type: text/plain; charset="iso-8859-1"; Format="flowed"
>
> On 11/12/2014 08:44 AM, Jonathan Bradford wrote:
> > This is my first post on the IPA mailing list. Hey guys :)
> > I've successfully walked through the IdM Red Hat document on
> > "Integrating with Active Directory Through Cross-Realm Kerberos
> > Trusts" using separate DNS domains. I've reached the part where you
> > test the trust using SSH via PuTTY, and I have noticed a problem.
> > If I add a user in Active Directory (group mapping is on), the user
> > cannot immediately SSH to an IPA host. In fact, it never allows me to
> > login until I first login to a Windows machine with the account and
> > then repair the trust via AD.
> > To repair the trust, I have to go to AD Domains and Trusts >
> > Properties > Trusts> and Validate the incoming and outgoing
> > connections. When I do this, it gives me an error message about the
> > RPC server not running, but if I proceed, it eventually tells me that
> > the connection has been repaired. Only after doing this can I
> > successfully SSH with a new user.
> > Do you have any idea why this might be happening? I have followed Red
> > Hat's documentation exactly, so I am not sure why I am having issues.
> > If you have any thoughts or ideas, I would greatly appreciate them.
> > Thanks!
> > -Jonathan
> >
> >
> Hi Jonathan,
>
> I would leave it to Alexander to drill down into the details when he is
> back online tomorrow; however, if the trust is not validated then it is
> not fully established the first time. Something went wrong and it would
> be nice to look at the logs on the IPA and AD side to be able to
> determine the cause.
> Do you need to repair the trust for every single user or just once?
>
> What is your AD domain topology? Are you establishing trust with the
> primary domain controller?
> What version of IPA and AD are you using?
>
> Thanks
> Dmitri
>
> --
> Thank you,
> Dmitri Pal
>
> Sr. Engineering Manager IdM portfolio
> Red Hat, Inc.
>
>


-- 
Thank you,
Dmitri Pal

Sr. Engineering Manager IdM portfolio
Red Hat, Inc.
