[Freeipa-users] Trust is successful and getting error while creating groups.

Ben .T.George bentech4you at gmail.com
Thu Mar 5 07:00:31 UTC 2015


Hi Alexander,

Can you please give me a clue what this error message will be?

"member group: KWTTESTDC\Domain Admins: invalid 'trusted domain object': no
trusted domain matched the specified flat name"

Regards,
Ben

On Thu, Mar 5, 2015 at 9:35 AM, Ben .T.George <bentech4you at gmail.com> wrote:

> Hi,
>
> Sorry, NTP was stopped. Now the time is in sync. Rebooted the machine.
>
> But the process is not going through.
>
> [root@kwtpocpbis01 ~]# ipa group-add-member ad_admins_external --external 'ad_netbios\Domain Admins'
> [member user]:
> [member group]:
>   Group name: ad_admins_external
>   Description: infra.com admins external map
>   Failed members:
>     member user:
>     member group: ad_netbios\Domain Admins: invalid 'trusted domain object': no trusted domain matched the specified flat name
> -------------------------
> Number of members added 0
> -------------------------
>
> [root@kwtpocpbis01 ~]# ipa group-add-member ad_admins_external --external 'ad_netbios\Domain Users'
> [member user]:
> [member group]:
>   Group name: ad_admins_external
>   Description: infra.com admins external map
>   Failed members:
>     member user:
>     member group: ad_netbios\Domain Users: invalid 'trusted domain object': no trusted domain matched the specified flat name
> -------------------------
> Number of members added 0
> -------------------------
>
> And the error message in error_log is:
>
> [Thu Mar 05 09:31:50.146154 2015] [:error] [pid 2101] ipa: INFO: [jsonserver_kerb] admin@SOLARIS.LOCAL: group_add_member(u'ad_admins_external', ipaexternalmember=(u'ad_netbios\\\\Domain Admins',), all=False, raw=False, version=u'2.113', no_members=False): SUCCESS
>
> [Thu Mar 05 09:32:15.761885 2015] [:error] [pid 2101] ipa: INFO: [jsonserver_kerb] admin@SOLARIS.LOCAL: group_add_member(u'ad_admins_external', ipaexternalmember=(u'ad_netbios\\\\Domain Users',), all=False, raw=False, version=u'2.113', no_members=False): SUCCESS
>
>
>
> On Thu, Mar 5, 2015 at 8:52 AM, Alexander Bokovoy <abokovoy at redhat.com>
> wrote:
>
>> On Thu, 05 Mar 2015, Ben .T.George wrote:
>>
>>> Hi,
>>>
>>> I have re-installed everything. My current versions are CentOS 7 with IPA 4.1.
>>>
>>> I followed this tutorial:
>>> http://www.freeipa.org/page/Howto/IPAv3_AD_trust_setup
>>>
>>> When I fetch, it was successful:
>>>
>>> [root@kwtpocpbis01 ~]# ipa trustdomain-find "infra.com"
>>>   Domain name: infra.com
>>>   Domain NetBIOS name: INFRA
>>>   Domain Security Identifier: S-1-5-21-191287045-4012216658-3592112898
>>>   Domain enabled: True
>>> ----------------------------
>>> Number of entries returned 1
>>> ----------------------------
>>>
>>> When I went through "Allow access for users from AD domain to protected
>>> resources", I am getting errors:
>>>
>>>
>>> [root@kwtpocpbis01 ~]# ipa group-add --desc='infra.com users external map' ad_users_external --external
>>> -------------------------------
>>> Added group "ad_users_external"
>>> -------------------------------
>>>   Group name: ad_users_external
>>>   Description: infra.com users external map
>>>
>>> [root@kwtpocpbis01 ~]# ipa group-add --desc='infra.com users' ad_users
>>> ----------------------
>>> Added group "ad_users"
>>> ----------------------
>>>   Group name: ad_users
>>>   Description: infra.com users
>>>   GID: 643400005
>>>
>>> [root@kwtpocpbis01 ~]# ipa group-add-member ad_users_external --external 'INFRA\Domain Users'
>>> [member user]:
>>> [member group]:
>>>   Group name: ad_users_external
>>>   Description: infra.com users external map
>>>   Failed members:
>>>     member user:
>>>     member group: INFRA\Domain Users: trusted domain object not found
>>> -------------------------
>>> Number of members added 0
>>> -------------------------
>>>
>>> [root@kwtpocpbis01 ~]# ipa group-add-member ad_users --groups ad_users_external
>>>   Group name: ad_users
>>>   Description: infra.com users
>>>   GID: 643400005
>>>   Member groups: ad_users_external
>>> -------------------------
>>> Number of members added 1
>>> -------------------------
>>>
>>> Please help me to solve this issue.
>>>
>>> The error below appears in httpd/error_log while trying:
>>> ipa group-add-member ad_users_external --external 'INFRA\Domain Users'
>>>
>>> [Thu Mar 05 11:36:37.371594 2015] [:error] [pid 4090] ipa: WARNING: Search on AD DC kwtipaad001.infra.com:3268 failed with: Insufficient access: SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure.  Minor code may provide more information (Ticket not yet valid)
>>> [Thu Mar 05 11:36:37.374280 2015] [:error] [pid 4090] ipa: INFO: [jsonserver_kerb] admin@SOLARIS.LOCAL: group_add_member(u'ad_users_external', ipaexternalmember=(u'INFRA\\\\Domain Users',), all=False, raw=False, version=u'2.113', no_members=False): SUCCESS
>>>
>> OK, "Ticket not yet valid" is a time synchronization issue -- the AD DC has
>> its time behind the IPA DC. Check time and time zone settings.
>>
>> --
>> / Alexander Bokovoy
>>
>
>
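
Added example (not part of the original messages, and not FreeIPA's own code): a pre-check that the NetBIOS prefix passed to `ipa group-add-member --external` appears in the `ipa trustdomain-find` listing, which is what the "no trusted domain matched the specified flat name" error reports on. The function names are hypothetical, the sample listing is taken from the output quoted in the thread, and the exact-case comparison is an assumption.

```shell
#!/bin/sh
# Added example: pre-check the NetBIOS ("flat") prefix of an external member
# before running `ipa group-add-member --external`.

# Sample `ipa trustdomain-find` output, taken from the listing quoted in the thread.
SAMPLE_TRUSTDOMAINS='  Domain name: infra.com
  Domain NetBIOS name: INFRA
  Domain Security Identifier: S-1-5-21-191287045-4012216658-3592112898
  Domain enabled: True'

# Read trustdomain-find output on stdin, print one NetBIOS name per line.
trusted_flat_names() {
    awk -F': ' '/Domain NetBIOS name:/ { print $2 }'
}

# check_external_member 'FLAT\name' "<trustdomain-find output>"
# Returns 0 if FLAT is a listed NetBIOS name, 1 if it is not,
# 2 if the member has no FLAT\ prefix (other member forms are not checked here).
check_external_member() {
    member=$1
    listing=$2
    case $member in
        *\\*) flat=${member%%\\*} ;;
        *) printf '%s\n' "no NetBIOS prefix in: $member" >&2; return 2 ;;
    esac
    # Exact-case comparison is an assumption made for this example.
    if printf '%s\n' "$listing" | trusted_flat_names | grep -Fxq -- "$flat"; then
        return 0
    fi
    known=$(printf '%s\n' "$listing" | trusted_flat_names | tr '\n' ' ')
    printf '%s\n' "flat name '$flat' is not a trusted domain; known: $known" >&2
    return 1
}

# Demo with the two prefixes that appear in the thread.
for m in 'INFRA\Domain Users' 'ad_netbios\Domain Admins'; do
    if check_external_member "$m" "$SAMPLE_TRUSTDOMAINS" 2>/dev/null; then
        printf '%s\n' "prefix ok: $m"
    else
        printf '%s\n' "prefix not in trust list: $m"
    fi
done
```

On a live server the second argument would be the output of `ipa trustdomain-find` for the trusted realm instead of the embedded sample.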