[Freeipa-users] Trust is successful and getting error while creating groups.

Ben .T.George bentech4you at gmail.com
Thu Mar 5 07:19:47 UTC 2015


Hi Alex

Oops, sorry.

Actually I have 2 servers whose hostnames look the same: kwtpocpbis01 and
kwtpocpbis02.

I was trying on the wrong server.

Now it's working on the actual server:

[root@kwtpocpbis01 ~]# ipa group-add-member ad_admins_external --external 'INFRA\Domain Admins'
[member user]:
[member group]:
  Group name: ad_admins_external
  Description: infra.com admins external map
  External member: S-1-5-21-191287045-4012216658-3592112898-512
-------------------------
Number of members added 1
-------------------------
[root@kwtpocpbis01 ~]# ipa group-add-member ad_admins_external --external 'INFRA\Domain Users'
[member user]:
[member group]:
  Group name: ad_admins_external
  Description: infra.com admins external map
  External member: S-1-5-21-191287045-4012216658-3592112898-512, S-1-5-21-191287045-4012216658-3592112898-513
-------------------------
Number of members added 1


How can I fetch an AD user on the command line on the IPA server to check
the communication?

Regards
Ben

On Thu, Mar 5, 2015 at 10:05 AM, Alexander Bokovoy <abokovoy at redhat.com>
wrote:

> On Thu, 05 Mar 2015, Ben .T.George wrote:
>
>> Hi Alexander,
>>
>> can you please give me a clue what this error message means:
>>
>> "member group: KWTTESTDC\Domain Admins: invalid 'trusted domain object':
>> no trusted domain matched the specified flat name"
>>
> So what are the domains your IPA reports as trusted?
>
> ipa trustdomain-find
>
> Because you are talking about KWTTESTDC -- is this a domain's NetBIOS
> name? It looks to me like it is your AD DC's name, not the domain's.
>
>
>> Regards,
>> Ben
>>
>> On Thu, Mar 5, 2015 at 9:35 AM, Ben .T.George <bentech4you at gmail.com>
>> wrote:
>>
>>> Hi
>>>
>>> Sorry, ntp was stopped. Now the time is in sync. Rebooted the machine,
>>> but the process is not going through:
>>>
>>> [root@kwtpocpbis01 ~]# ipa group-add-member ad_admins_external --external 'ad_netbios\Domain Admins'
>>> [member user]:
>>> [member group]:
>>>   Group name: ad_admins_external
>>>   Description: infra.com admins external map
>>>   Failed members:
>>>     member user:
>>>     member group: ad_netbios\Domain Admins: invalid 'trusted domain object': no trusted domain matched the specified flat name
>>> -------------------------
>>> Number of members added 0
>>> -------------------------
>>> [root@kwtpocpbis01 ~]# ipa group-add-member ad_admins_external --external 'ad_netbios\Domain Users'
>>> [member user]:
>>> [member group]:
>>>   Group name: ad_admins_external
>>>   Description: infra.com admins external map
>>>   Failed members:
>>>     member user:
>>>     member group: ad_netbios\Domain Users: invalid 'trusted domain object': no trusted domain matched the specified flat name
>>> -------------------------
>>> Number of members added 0
>>> -------------------------
>>>
>>> And the error message in error_log is:
>>>
>>> [Thu Mar 05 09:31:50.146154 2015] [:error] [pid 2101] ipa: INFO: [jsonserver_kerb] admin@SOLARIS.LOCAL: group_add_member(u'ad_admins_external', ipaexternalmember=(u'ad_netbios\\\\Domain Admins',), all=False, raw=False, version=u'2.113', no_members=False): SUCCESS
>>>
>>> [Thu Mar 05 09:32:15.761885 2015] [:error] [pid 2101] ipa: INFO: [jsonserver_kerb] admin@SOLARIS.LOCAL: group_add_member(u'ad_admins_external', ipaexternalmember=(u'ad_netbios\\\\Domain Users',), all=False, raw=False, version=u'2.113', no_members=False): SUCCESS
>>>
>>>
>>>
>>> On Thu, Mar 5, 2015 at 8:52 AM, Alexander Bokovoy <abokovoy at redhat.com>
>>> wrote:
>>>
>>>> On Thu, 05 Mar 2015, Ben .T.George wrote:
>>>>
>>>>> Hi
>>>>>
>>>>> I have re-installed everything. My current versions are CentOS 7 with
>>>>> IPA 4.1.
>>>>>
>>>>> I followed this tutorial:
>>>>> http://www.freeipa.org/page/Howto/IPAv3_AD_trust_setup
>>>>>
>>>>> When I fetch, it went successfully:
>>>>>
>>>>> [root@kwtpocpbis01 ~]# ipa trustdomain-find "infra.com"
>>>>>   Domain name: infra.com
>>>>>   Domain NetBIOS name: INFRA
>>>>>   Domain Security Identifier: S-1-5-21-191287045-4012216658-3592112898
>>>>>   Domain enabled: True
>>>>> ----------------------------
>>>>> Number of entries returned 1
>>>>> ----------------------------
>>>>>
>>>>> When I went through "Allow access for users from AD domain to protected
>>>>> resources", I am getting errors:
>>>>>
>>>>> [root@kwtpocpbis01 ~]# ipa group-add --desc='infra.com users external map' ad_users_external --external
>>>>> -------------------------------
>>>>> Added group "ad_users_external"
>>>>> -------------------------------
>>>>>   Group name: ad_users_external
>>>>>   Description: infra.com users external map
>>>>>
>>>>> [root@kwtpocpbis01 ~]# ipa group-add --desc='infra.com users' ad_users
>>>>> ----------------------
>>>>> Added group "ad_users"
>>>>> ----------------------
>>>>>   Group name: ad_users
>>>>>   Description: infra.com users
>>>>>   GID: 643400005
>>>>>
>>>>> [root@kwtpocpbis01 ~]# ipa group-add-member ad_users_external --external 'INFRA\Domain Users'
>>>>> [member user]:
>>>>> [member group]:
>>>>>   Group name: ad_users_external
>>>>>   Description: infra.com users external map
>>>>>   Failed members:
>>>>>     member user:
>>>>>     member group: INFRA\Domain Users: trusted domain object not found
>>>>> -------------------------
>>>>> Number of members added 0
>>>>> -------------------------
>>>>>
>>>>> [root@kwtpocpbis01 ~]# ipa group-add-member ad_users --groups ad_users_external
>>>>>   Group name: ad_users
>>>>>   Description: infra.com users
>>>>>   GID: 643400005
>>>>>   Member groups: ad_users_external
>>>>> -------------------------
>>>>> Number of members added 1
>>>>> -------------------------
>>>>>
>>>>> Please help me to solve this issue.
>>>>>
>>>>> The error below appears in httpd/error_log while trying: ipa
>>>>> group-add-member ad_users_external --external 'INFRA\Domain Users'
>>>>>
>>>>> [Thu Mar 05 11:36:37.371594 2015] [:error] [pid 4090] ipa: WARNING: Search on AD DC kwtipaad001.infra.com:3268 failed with: Insufficient access: SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure.  Minor code may provide more information (Ticket not yet valid)
>>>>> [Thu Mar 05 11:36:37.374280 2015] [:error] [pid 4090] ipa: INFO: [jsonserver_kerb] admin@SOLARIS.LOCAL: group_add_member(u'ad_users_external', ipaexternalmember=(u'INFRA\\\\Domain Users',), all=False, raw=False, version=u'2.113', no_members=False): SUCCESS
>>>>>
>>>> OK, "Ticket not yet valid" is time synchronization issue -- AD DC has
>>>> time behind IPA DC. Check time and time zone settings.
>>>>
>>>> --
>>>> / Alexander Bokovoy
>>>>
>>>>
>>>
>>>
> --
> / Alexander Bokovoy
>
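An added Python example, my own code rather than anything from this thread or from the FreeIPA project, that turns the checks discussed above into something scriptable: it parses `ipa trustdomain-find` output to learn the trusted NetBIOS names and domain SIDs, pre-validates a `FLATNAME\group` argument against that list (the point Alexander raises about KWTTESTDC not being a domain flat name), confirms that every SID reported as an external member belongs to a trusted domain and labels the well-known RIDs (512 is Domain Admins, 513 is Domain Users), and maps error_log text to the cause the thread identified. The sample CLI output and log lines are constructed copies of what is quoted above; the function names and the case-insensitive NetBIOS comparison are my assumptions.

```python
# Constructed sample input, trimmed from the `ipa trustdomain-find` and
# `ipa group-add-member` output and the httpd error_log lines in the thread.
TRUSTDOMAIN_FIND_OUTPUT = """\
  Domain name: infra.com
  Domain NetBIOS name: INFRA
  Domain Security Identifier: S-1-5-21-191287045-4012216658-3592112898
  Domain enabled: True
----------------------------
Number of entries returned 1
----------------------------
"""

GROUP_ADD_MEMBER_OUTPUT = """\
  Group name: ad_admins_external
  Description: infra.com admins external map
  External member: S-1-5-21-191287045-4012216658-3592112898-512, S-1-5-21-191287045-4012216658-3592112898-513
-------------------------
Number of members added 1
-------------------------
"""

ERROR_LOG_LINES = [
    "[Thu Mar 05 11:36:37.371594 2015] [:error] [pid 4090] ipa: WARNING: "
    "Search on AD DC kwtipaad001.infra.com:3268 failed with: Insufficient access: "
    "SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure.  "
    "Minor code may provide more information (Ticket not yet valid)",
    "[Thu Mar 05 11:36:37.374280 2015] [:error] [pid 4090] ipa: INFO: "
    "[jsonserver_kerb] admin@SOLARIS.LOCAL: group_add_member(u'ad_users_external', "
    "ipaexternalmember=(u'INFRA\\\\Domain Users',), all=False, raw=False, "
    "version=u'2.113', no_members=False): SUCCESS",
]

# Well-known RIDs of the AD built-in groups that appear in the thread.
WELL_KNOWN_RIDS = {512: "Domain Admins", 513: "Domain Users"}

# Failure texts from the thread mapped to the cause the thread identified.
KNOWN_CAUSES = {
    "Ticket not yet valid":
        "Kerberos clock skew: AD DC time is behind the IPA server; check time and time zone",
    "no trusted domain matched the specified flat name":
        "NetBIOS flat name is not a trusted domain; compare with `ipa trustdomain-find`",
}


def parse_trusted_domains(text):
    """Return {NETBIOS_NAME: domain SID} from `ipa trustdomain-find` output."""
    domains, netbios = {}, None
    for line in text.splitlines():
        key, _, value = line.strip().partition(":")
        value = value.strip()
        if key == "Domain NetBIOS name":
            netbios = value.upper()
        elif key == "Domain Security Identifier" and netbios:
            domains[netbios] = value
            netbios = None
    return domains


def validate_external_member_name(member, trusted_domains):
    """Pre-check a 'FLATNAME\\group' argument for `ipa group-add-member --external`.
    Returns None when the flat name is a trusted domain, otherwise a reason.
    Assumption (hypothetical helper): NetBIOS names compare case-insensitively."""
    flat, sep, _ = member.partition("\\")
    if not sep:
        return "member must be given as FLATNAME\\name"
    if flat.upper() not in trusted_domains:
        return "no trusted domain matched the specified flat name %r" % flat
    return None


def parse_external_members(text):
    """Return the SIDs on the 'External member:' line of `ipa group-add-member` output."""
    for line in text.splitlines():
        key, _, value = line.strip().partition(":")
        if key == "External member":
            return [s.strip() for s in value.split(",") if s.strip()]
    return []


def check_external_members(group_output, trusted_domains):
    """Map each external member SID to (NetBIOS domain, RID, well-known name or None).
    Raises ValueError if a SID's domain prefix is not a trusted domain's SID."""
    by_sid = {sid: name for name, sid in trusted_domains.items()}
    checked = []
    for sid in parse_external_members(group_output):
        domain_sid, _, rid = sid.rpartition("-")
        if domain_sid not in by_sid:
            raise ValueError("%s does not belong to any trusted domain" % sid)
        checked.append((by_sid[domain_sid], int(rid), WELL_KNOWN_RIDS.get(int(rid))))
    return checked


def classify_log_lines(lines):
    """Return (matched text, cause) for each error_log line with a known failure text."""
    return [(text, cause) for line in lines
            for text, cause in KNOWN_CAUSES.items() if text in line]


if __name__ == "__main__":
    domains = parse_trusted_domains(TRUSTDOMAIN_FIND_OUTPUT)
    print(validate_external_member_name("KWTTESTDC\\Domain Admins", domains))
    for domain, rid, name in check_external_members(GROUP_ADD_MEMBER_OUTPUT, domains):
        print(domain, rid, name)
    for text, cause in classify_log_lines(ERROR_LOG_LINES):
        print(text, "->", cause)
```

Run against the output quoted in this message, the RID labels make one thing visible that the raw SIDs hide: ad_admins_external ends up holding both RID 512 (Domain Admins) and RID 513 (Domain Users), so every AD domain user is mapped into the "admins" external group. Reviewing the external members of a mapping group by RID, not just by count, is the check worth keeping.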