[Freeipa-users] AD --> IPA trust --::-- ipa: ERROR: Insufficient access: CIFS server denied your credentials

Alexander Bokovoy abokovoy at redhat.com
Sat Apr 11 06:38:13 UTC 2015


On Sat, 11 Apr 2015, g.fer.ordas at unicyber.co.uk wrote:
>Guys
>
>Any way of simply skipping the CIFS mount credentials bit?
>I do not actually need the AD CIFS at this point.
What do you mean by that?

Establishing trust uses the SMB protocol family; it is not using a 'CIFS
mount', but file system operations are part of the SMB protocol family,
along with authentication, authorization, domain and trust management.

Your 'Admin' user on the AD side should be a member of either the Enterprise
Admins, Domain Admins of the forest root domain, or Schema Admins
groups. See
https://technet.microsoft.com/en-us/library/cc755700%28v=ws.10%29.aspx
for details.

>
>ipa trust-add --type=ad ad.domain.com --admin Admin  --password
>Active Directory domain administrator's password:
>ipa: ERROR: Insufficient access: CIFS server <ad.domain.com> denied 
>your credentials
>
>---
>ot NTLMSSP neg_flags=0x60088205
>  NTLMSSP_NEGOTIATE_UNICODE
>  NTLMSSP_REQUEST_TARGET
>  NTLMSSP_NEGOTIATE_NTLM
>  NTLMSSP_NEGOTIATE_ALWAYS_SIGN
>  NTLMSSP_NEGOTIATE_NTLM2
>  NTLMSSP_NEGOTIATE_128
>  NTLMSSP_NEGOTIATE_KEY_EXCH
>s4_tevent: Added timed event "dcerpc_timeout_handler": 0x7f31e9911d50
>s4_tevent: Destroying timer event 0x7f31e9911d50 
>"dcerpc_timeout_handler"
>dcerpc: alter_resp - rpc fault: WERR_ACCESS_DENIED
>s4_tevent: Schedule immediate event "tevent_req_trigger": 0x7f31e99093a0
>s4_tevent: Run immediate event "tevent_req_trigger": 0x7f31e99093a0
>Failed to bind to uuid 12345778-1234-abcd-ef00-0123456789ab for 
>12345778-1234-abcd-ef00-0123456789ab at AD.ad.domain.com[49155] 
>NT_STATUS_LOGON_FAILURE
>s4_tevent: Destroying timer event 0x7f31e80539d0 
>"dcerpc_connect_timeout_handler"
>[Sat Apr 11 06:00:17.408265 2015] [:error] [pid 25074] ipa: INFO: 
>[jsonserver_session] admin at LINUX.DOMAIN.COM: trust_add(u'domain.com', 
>trust_type=u'ad', realm_admin=Admin', realm_passwd=u'********', 
>all=False, raw=False, version=u'2.114'): ACIError
>
>----
>
>This is freeipa-server-4.1.4-1.el7.centos.x86_64
>
>Thanks!!
>

-- 
/ Alexander Bokovoy
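
The failing bind in the quoted log is to the LSA RPC interface, which is the domain and trust management part of the SMB family the reply refers to. As an added example (not part of the original message, and not FreeIPA or Samba code), this Python sketch triages that excerpt: it decodes the NTLMSSP flags and names the interface whose bind was refused. The function names and lookup tables are this example's own, with values taken from MS-NLMP and the well-known interface UUIDs.

```python
import re

# NTLMSSP negotiate flag bits (values per MS-NLMP, names as Samba logs them).
NTLMSSP_FLAGS = {
    0x00000001: "NTLMSSP_NEGOTIATE_UNICODE",
    0x00000004: "NTLMSSP_REQUEST_TARGET",
    0x00000010: "NTLMSSP_NEGOTIATE_SIGN",
    0x00000020: "NTLMSSP_NEGOTIATE_SEAL",
    0x00000200: "NTLMSSP_NEGOTIATE_NTLM",
    0x00008000: "NTLMSSP_NEGOTIATE_ALWAYS_SIGN",
    0x00080000: "NTLMSSP_NEGOTIATE_NTLM2",
    0x20000000: "NTLMSSP_NEGOTIATE_128",
    0x40000000: "NTLMSSP_NEGOTIATE_KEY_EXCH",
}
# Well-known DCE/RPC interface UUIDs (short list, not exhaustive).
RPC_INTERFACES = {
    "12345778-1234-abcd-ef00-0123456789ab": "lsarpc",
    "12345778-1234-abcd-ef00-0123456789ac": "samr",
}
# List archives commonly rewrite "@" as " at ", so accept both forms.
BIND_RE = re.compile(r"Failed to bind to uuid (\S+) for \S+(?: at |@)(\S+?)"
                     r"\[(\d+)[^\]]*\]\s+(NT_STATUS_\w+)")
# Excerpt copied from the post above, with mail line-wraps rejoined.
LOG = """\
ot NTLMSSP neg_flags=0x60088205
dcerpc: alter_resp - rpc fault: WERR_ACCESS_DENIED
Failed to bind to uuid 12345778-1234-abcd-ef00-0123456789ab for 12345778-1234-abcd-ef00-0123456789ab at AD.ad.domain.com[49155] NT_STATUS_LOGON_FAILURE
"""

def decode_neg_flags(value):
    """Return (names of set flags, bits set that the table does not name)."""
    names = [n for bit, n in sorted(NTLMSSP_FLAGS.items()) if value & bit]
    return names, value & ~sum(NTLMSSP_FLAGS)

def triage(log):
    """Pull the negotiated flags and the failed RPC bind out of a debug log."""
    report = {}
    m = re.search(r"neg_flags=(0x[0-9a-fA-F]+)", log)
    if m:
        report["flags"], report["unknown_bits"] = decode_neg_flags(int(m.group(1), 16))
    m = BIND_RE.search(log)
    if m:
        uuid, host, port, status = m.groups()
        report["bind"] = {"interface": RPC_INTERFACES.get(uuid.lower(), "unknown"),
                          "host": host, "port": int(port), "status": status}
    return report

if __name__ == "__main__":
    print(triage(LOG))
```

An `NT_STATUS_LOGON_FAILURE` on the `lsarpc` bind means the AD domain controller rejected the account at authentication, before any trust operation was attempted.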



