[Freeipa-users] FreeIPA Active directory Integration: ipa "unknown command trustdomain-fetch"

Alexander Bokovoy abokovoy at redhat.com
Fri Sep 12 14:00:45 UTC 2014


On Fri, 12 Sep 2014, Traiano Welcome wrote:
>Hi Alexander
>
>On Thu, Sep 11, 2014 at 8:16 PM, Alexander Bokovoy <abokovoy at redhat.com>
>wrote:
>
>> On Thu, 11 Sep 2014, Traiano Welcome wrote:
>>
>>> This one is not usable. You need to enable debugging on the server side.
>>>>> See http://www.freeipa.org/page/Howto/IPAv3_AD_trust_setup#Debugging_trust
>>>>> in the part where it talks about /usr/share/ipa/smb.conf.empty.
>>>>>
>>>> I've attached the debug logs, I'd be thankful if you could find anything
>>>> in them!
>>>>
>>> Can you please keep debugging and re-establish the trust using AD
>> credentials?
>>
>> I can see that AD DC does believe yet the trust is working:
>> Ticket in credentials cache for @LINUX will expire in 86400 secs
>> GSS client Update(krb5)(1) Update failed: Unspecified GSS failure.
>> Minor code may provide more information: KDC policy rejects request
>>
>> "KDC policy rejects request" means AD-side of the trust is not set and
>> verified.
>>
>> By running 'ipa trust-add ... --admin ..' you'll force AD DC to reset trust
>> and verify it.
>>
>>
>
>Just to confirm: The guide says that Windows 2008 R2 should be used as an
>AD DC, and provides a link to a setup process for Windows 2008 R2. However,
>later on in the doc there is an animated GIF of Windows 2012 ... Does this
>matter?
>
>Will different setups based on Win2K8 or Win2K12 DC affect the installation
>process in any way on the IdM side?
I have both Windows Server 2008 (actually, 2008 and 2008R2) and Windows
Server 2012 working in my lab. Both have trusts established to FreeIPA
domain and work fine.
-- 
/ Alexander Bokovoy



