[Freeipa-users] Trust is successful and getting error while creating groups.
Alexander Bokovoy
abokovoy at redhat.com
Thu Mar 5 07:05:08 UTC 2015
On Thu, 05 Mar 2015, Ben .T.George wrote:
>Hi Alexander,
>
>can you please give me clue what will be error message
>
>"member group: KWTTESTDC\Domain Admins: invalid 'trusted domain object': no
>trusted domain matched the specified flat name"
So what are the domains your IPA reports as trusted?
ipa trustdomain-find
Because you are talking about KWTTESTDC -- is this a domain's NetBIOS
name? It looks to me like it is your AD DC's name, not the domain's.
>
>Regards,
>Ben
>
>On Thu, Mar 5, 2015 at 9:35 AM, Ben .T.George <bentech4you at gmail.com> wrote:
>
>> HI
>>
>> Sorry, ntp was stopped. Now time is in sync. Rebooted machine.
>>
>> But the process is not going through:
>>
>> [root@kwtpocpbis01 ~]# ipa group-add-member ad_admins_external --external 'ad_netbios\Domain Admins'
>> [member user]:
>> [member group]:
>>   Group name: ad_admins_external
>>   Description: infra.com admins external map
>>   Failed members:
>>     member user:
>>     member group: ad_netbios\Domain Admins: invalid 'trusted domain object': no trusted domain matched the specified flat name
>> -------------------------
>> Number of members added 0
>> -------------------------
>>
>> [root@kwtpocpbis01 ~]# ipa group-add-member ad_admins_external --external 'ad_netbios\Domain Users'
>> [member user]:
>> [member group]:
>>   Group name: ad_admins_external
>>   Description: infra.com admins external map
>>   Failed members:
>>     member user:
>>     member group: ad_netbios\Domain Users: invalid 'trusted domain object': no trusted domain matched the specified flat name
>> -------------------------
>> Number of members added 0
>> -------------------------
>>
>> And the error message in error_log is:
>>
>> [Thu Mar 05 09:31:50.146154 2015] [:error] [pid 2101] ipa: INFO:
>> [jsonserver_kerb] admin@SOLARIS.LOCAL:
>> group_add_member(u'ad_admins_external', ipaexternalmember=(u'ad_netbios\\\\Domain Admins',), all=False, raw=False, version=u'2.113', no_members=False): SUCCESS
>>
>> [Thu Mar 05 09:32:15.761885 2015] [:error] [pid 2101] ipa: INFO:
>> [jsonserver_kerb] admin@SOLARIS.LOCAL:
>> group_add_member(u'ad_admins_external', ipaexternalmember=(u'ad_netbios\\\\Domain Users',), all=False, raw=False, version=u'2.113', no_members=False): SUCCESS
>>
>>
>>
>> On Thu, Mar 5, 2015 at 8:52 AM, Alexander Bokovoy <abokovoy at redhat.com>
>> wrote:
>>
>>> On Thu, 05 Mar 2015, Ben .T.George wrote:
>>>
>>>> Hi
>>>>
>>>> I have re-installed everything. My current versions are CentOS 7 with
>>>> IPA 4.1.
>>>>
>>>> I followed this tutorial:
>>>> http://www.freeipa.org/page/Howto/IPAv3_AD_trust_setup
>>>>
>>>> When I fetch, it went successfully:
>>>>
>>>> [root@kwtpocpbis01 ~]# ipa trustdomain-find "infra.com"
>>>>   Domain name: infra.com
>>>>   Domain NetBIOS name: INFRA
>>>>   Domain Security Identifier: S-1-5-21-191287045-4012216658-3592112898
>>>>   Domain enabled: True
>>>> ----------------------------
>>>> Number of entries returned 1
>>>> ----------------------------
>>>>
>>>> When I went through "Allow access for users from AD domain to protected
>>>> resources", I am getting errors:
>>>>
>>>> [root@kwtpocpbis01 ~]# ipa group-add --desc='infra.com users external map' ad_users_external --external
>>>> -------------------------------
>>>> Added group "ad_users_external"
>>>> -------------------------------
>>>>   Group name: ad_users_external
>>>>   Description: infra.com users external map
>>>>
>>>> [root@kwtpocpbis01 ~]# ipa group-add --desc='infra.com users' ad_users
>>>> ----------------------
>>>> Added group "ad_users"
>>>> ----------------------
>>>>   Group name: ad_users
>>>>   Description: infra.com users
>>>>   GID: 643400005
>>>>
>>>> [root@kwtpocpbis01 ~]# ipa group-add-member ad_users_external --external 'INFRA\Domain Users'
>>>> [member user]:
>>>> [member group]:
>>>>   Group name: ad_users_external
>>>>   Description: infra.com users external map
>>>>   Failed members:
>>>>     member user:
>>>>     member group: INFRA\Domain Users: trusted domain object not found
>>>> -------------------------
>>>> Number of members added 0
>>>> -------------------------
>>>>
>>>> [root@kwtpocpbis01 ~]# ipa group-add-member ad_users --groups ad_users_external
>>>>   Group name: ad_users
>>>>   Description: infra.com users
>>>>   GID: 643400005
>>>>   Member groups: ad_users_external
>>>> -------------------------
>>>> Number of members added 1
>>>> -------------------------
>>>>
>>>> Please help me to solve this issue.
>>>>
>>>> The below error is logged in httpd/error_log while trying: ipa
>>>> group-add-member ad_users_external --external 'INFRA\Domain Users'
>>>>
>>>> [Thu Mar 05 11:36:37.371594 2015] [:error] [pid 4090] ipa: WARNING: Search
>>>> on AD DC kwtipaad001.infra.com:3268 failed with: Insufficient access: SASL(-1): generic failure: GSSAPI Error:
>>>> Unspecified GSS failure. Minor code may provide more information (Ticket not yet valid)
>>>> [Thu Mar 05 11:36:37.374280 2015] [:error] [pid 4090] ipa: INFO:
>>>> [jsonserver_kerb] admin@SOLARIS.LOCAL:
>>>> group_add_member(u'ad_users_external', ipaexternalmember=(u'INFRA\\\\Domain Users',), all=False, raw=False, version=u'2.113', no_members=False): SUCCESS
>>>>
>>> OK, "Ticket not yet valid" is a time synchronization issue -- the AD DC has
>>> its time behind the IPA DC. Check time and time zone settings.
>>>
>>> --
>>> / Alexander Bokovoy
>>>
>>
>>
--
/ Alexander Bokovoy
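As an added illustration (not code from this thread or from FreeIPA itself), the script below parses `ipa trustdomain-find` output and checks whether the flat-name part of an `--external` member matches a trusted domain's "Domain NetBIOS name", which is the lookup behind the "no trusted domain matched the specified flat name" error above. The sample output is constructed from the values quoted in the thread, and the function names are my own; the case-insensitive comparison is an assumption of this pre-check, not a statement about IPA's internals.

```python
# Constructed sample of `ipa trustdomain-find infra.com` output, built from the
# values quoted in the thread (domain infra.com, NetBIOS name INFRA); it was not
# captured from a live server.
TRUSTDOMAIN_FIND_OUTPUT = """\
  Domain name: infra.com
  Domain NetBIOS name: INFRA
  Domain Security Identifier: S-1-5-21-191287045-4012216658-3592112898
  Domain enabled: True
----------------------------
Number of entries returned 1
----------------------------
"""


def parse_trustdomains(text):
    """Map each trusted domain's NetBIOS (flat) name, upper-cased, to its fields."""
    entries = []
    for line in text.splitlines():
        key, sep, value = line.strip().partition(": ")
        if not sep:
            continue  # separator or "Number of entries" line, not a field
        if key == "Domain name":
            entries.append({})  # every entry starts with its DNS name
        if entries:
            entries[-1][key] = value
    return {e["Domain NetBIOS name"].upper(): e
            for e in entries if "Domain NetBIOS name" in e}


def check_external_member(member, trusted):
    """Return None if MEMBER looks addable with --external, else the reason it fails.

    MEMBER is the FLATNAME\\name form the CLI expects. FLATNAME must equal a
    "Domain NetBIOS name" from trustdomain-find; an AD DC host name is not one.
    """
    flat, sep, name = member.partition("\\")
    if not sep or not flat or not name:
        return "member must be written as FLATNAME\\name, e.g. INFRA\\Domain Users"
    entry = trusted.get(flat.upper())  # case-insensitive match (assumption)
    if entry is None:
        return ("no trusted domain matched the specified flat name %r "
                "(known: %s)" % (flat, ", ".join(sorted(trusted))))
    if entry.get("Domain enabled") != "True":
        return "trusted domain %s exists but is disabled" % flat
    return None


TRUSTED = parse_trustdomains(TRUSTDOMAIN_FIND_OUTPUT)
```

Calling `check_external_member("KWTTESTDC\\Domain Admins", TRUSTED)` returns the mismatch reason, while `"INFRA\\Domain Users"` passes, which is the distinction the reply above is pointing at.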