[Freeipa-users] Cannot add external group from Active Directory two-way trust

Gregory Koch gkoch at shoretel.com
Wed Aug 3 21:44:26 UTC 2016

I've been following the documentation at https://www.freeipa.org/page/Active_Directory_trust_setup and I was able to establish a two-way forest trust with Active Directory.  I'm getting stuck when mapping external AD groups into a POSIX group (the "Allow access for users from AD domain to protected resources" section).

I've run the following commands to create and map the groups:

ipa group-add --desc='sysops admins external map' sysops_external --external
ipa group-add --desc='sysops admins' sysops
ipa group-add-member sysops_external --external 'Activedirectory.com\Domain Admins'

The last command returns the error "no trusted domain matched the specified flat name".

In /var/log/messages I saw an error message about there not being a Kerberos account for ldap/activedirectoryserver@ipaserver, so I've added each host and an LDAP service for each.  Now, in /var/log/messages, I see "KDC has no support for encryption type" when I attempt to add the group map.

CentOS Linux release 7.2.1511 (Core)
IPA 4.2.0-15.0.1.el7.centos.6.1.x86_64

This is the command I used to establish the trust:

ipa trust-add --type=ad Activedirectory.com --two-way=true --trust-secret

When checking that everything is set up, things seem to be OK:
ipa trust-show "Activedirectory.com"
  Realm name: Activedirectory.com
  Domain NetBIOS name: ACTIVEDIRECTORY
  Domain Security Identifier: S-1-5-21-4202716412-292079579-2462381064
  Trust direction: Two-way trust
  Trust type: Active Directory domain
ipa trustdomain-find "Activedirectory.com"
  Domain name: Activedirectory.com
  Domain NetBIOS name: ACTIVEDIRECTORY
  Domain Security Identifier: S-1-5-21-4202716412-292079579-2462381064
  Domain enabled: True
----------------------------
Number of entries returned 1
----------------------------

ipa trust-fetch-domains "Activedirectory.com"
-------------------------------
No new trust domains were found
-------------------------------
----------------------------
Number of entries returned 0
----------------------------
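Added example, not from the original post or from the FreeIPA project: a small shell check for the name handed to ipa group-add-member --external, followed by the two ipa commands that complete an AD-group to POSIX-group map (the second one, nesting the external group in the POSIX group, is the step the command list above stops short of). It assumes the naming rule that the "flat name" in the error message refers to: ipa reads the text in front of a backslash as the trusted domain's flat (NetBIOS) name, so the accepted forms are FLAT\name or name@dns.domain, and a DNS name in front of the backslash matches no trusted domain. The trust table is constructed from the trust-show output above; the functions known_flat, flat_for_dns, resolve_external_name and mapping_commands are this example's own, not part of the ipa tooling.

```shell
#!/bin/sh
# Added example (not from the original post or the FreeIPA project).
# Validates NAME for `ipa group-add-member GROUP --external NAME` and prints
# the ipa commands that finish the AD group -> POSIX group mapping.
#
# Assumed rule (matches the error text in the post): NAME is either
# FLAT\name, FLAT being the trusted domain's NetBIOS flat name, or
# name@dns.domain.  A DNS name before the backslash matches nothing.
#
# Constructed trust table, one "FLAT dns" pair per line, taken from the
# trust-show output in the post.  On a real server build it from the
# "Domain NetBIOS name" / "Domain name" lines of `ipa trustdomain-find`.
TRUSTED_DOMAINS='ACTIVEDIRECTORY activedirectory.com'

# known_flat FLAT -> succeeds if FLAT (case-insensitive) is a trusted flat name
known_flat() {
    want=$(printf '%s' "$1" | tr '[:lower:]' '[:upper:]')
    printf '%s\n' "$TRUSTED_DOMAINS" |
        awk -v w="$want" '$1 == w { f = 1 } END { exit !f }'
}

# flat_for_dns DNS -> prints the flat name of trusted domain DNS, or fails
flat_for_dns() {
    want=$(printf '%s' "$1" | tr '[:upper:]' '[:lower:]')
    printf '%s\n' "$TRUSTED_DOMAINS" |
        awk -v w="$want" '$2 == w { print $1; f = 1 } END { exit !f }'
}

# resolve_external_name NAME -> prints the FLAT\name form ipa accepts, or
# explains on stderr why ipa would reject NAME and fails
resolve_external_name() {
    name=$1
    case $name in
        *\\*)
            flat=${name%%\\*}
            member=${name#*\\}
            if ! known_flat "$flat"; then
                printf '%s\n' "no trusted domain matched flat name '$flat'" >&2
                hint=$(flat_for_dns "$flat") &&
                    printf '%s\n' "hint: '$flat' is a DNS name; its flat name is '$hint'" >&2
                return 1
            fi
            ;;
        *@*)
            member=${name%@*}
            dns=${name##*@}
            flat=$(flat_for_dns "$dns") || {
                printf '%s\n' "'$dns' is not a trusted domain" >&2
                return 1
            }
            ;;
        *)
            printf '%s\n' "'$name': use FLAT\\name or name@dns.domain" >&2
            return 1
            ;;
    esac
    printf '%s\\%s\n' "$(printf '%s' "$flat" | tr '[:lower:]' '[:upper:]')" "$member"
}

# mapping_commands EXTERNAL_GROUP POSIX_GROUP NAME -> prints the command that
# adds the AD group to EXTERNAL_GROUP and the one that nests EXTERNAL_GROUP
# in POSIX_GROUP, so members of the AD group resolve to the POSIX group
mapping_commands() {
    canonical=$(resolve_external_name "$3") || return 1
    printf "ipa group-add-member %s --external '%s'\n" "$1" "$canonical"
    printf 'ipa group-add-member %s --groups %s\n' "$2" "$1"
}

# Stand-alone run: the form used in the post is rejected with a hint,
# the two corrected forms produce the commands to run on the IPA server.
if resolve_external_name 'Activedirectory.com\Domain Admins'; then
    printf 'unexpected: name accepted\n' >&2
fi
mapping_commands sysops_external sysops 'ACTIVEDIRECTORY\Domain Admins'
mapping_commands sysops_external sysops 'Domain Admins@activedirectory.com'
```

On the server, replace TRUSTED_DOMAINS with the pairs reported by ipa trustdomain-find and paste the printed commands; the script itself never calls ipa, so it can be run anywhere.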