[Freeipa-users] FreeIPA Active directory Integration: ipa "unknown command trustdomain-fetch"

Traiano Welcome traiano at gmail.com
Fri Sep 12 13:55:15 UTC 2014


Hi Alexander

On Thu, Sep 11, 2014 at 8:16 PM, Alexander Bokovoy <abokovoy at redhat.com>
wrote:

> On Thu, 11 Sep 2014, Traiano Welcome wrote:
>
>> This one is not usable. You need to enable debugging on the server side.
>>>> See http://www.freeipa.org/page/Howto/IPAv3_AD_trust_setup#
>>>> Debugging_trust
>>>> in the part where it talks about /usr/share/ipa/smb.conf.empty.
>>>>
>>>>
>>>>
>>> I've attached the debug logs, I'd be thankful if you could find anything
>>> in them!
>>>
>> Can you please keep debugging and re-establish the trust using AD
> credentials?
>
> I can see that AD DC does believe yet the trust is working:
> Ticket in credentials cache for @LINUX will expire in 86400 secs
> GSS client Update(krb5)(1) Update failed: Unspecified GSS failure.
> Minor code may provide more information: KDC policy rejects request
>
> "KDC policy rejects request" means AD-side of the trust is not set and
> verified.
>
> By running 'ipa trust-add ... --admin ..' you'll force AD DC to reset trust
> and verify it.
>
>

Just to confirm: The guide says that Windows 2008 R2 should be used as an
AD DC, and provides a link to a setup process for Windows 2008 R2. However,
later on in the doc there is an animated gif of Windows 2012 ... Does this
matter?

Will different setups based on Win2K8 or Win2K12 DC affect the installation
process in any way on the IdM side?


>
> --
> / Alexander Bokovoy
>