[Freeipa-users] Cannot add external group from Active Directory two-way trust

Jakub Hrozek jhrozek at redhat.com
Thu Aug 4 11:26:18 UTC 2016


On Wed, Aug 03, 2016 at 09:44:26PM +0000, Gregory Koch wrote:
> I've been following the documentation at https://www.freeipa.org/page/Active_Directory_trust_setup and I was able to establish a two-way forest trust with Active Directory.  I'm getting stuck when mapping external AD groups into a POSIX group (the "Allow access for users from AD domain to protected resources" section).
> 
> 
> I've run the following commands to create and map the groups:
> 
> ipa group-add --desc='sysops admins external map' sysops_external --external
> ipa group-add --desc='sysops admins' sysops
> ipa group-add-member sysops_external --external 'Activedirectory.com\Domain Admins'
                                                   ~~~~~~~~~~~~~~~~~~~

Are you actually able to run "getent group Activedirectory.com\Domain
Admins" ? Because later, the ipa trust-show lists your NetBIOS name as
ACTIVEDIRECTORY, not Activedirectory.com..

Either use:
    ACTIVEDIRECTORY\Domain Admins
or:
    Domain Admins@Activedirectory.com

btw isn't Domain Admins a domain-local group? Is it a good idea to use
such group in a trust scenario? I would suggest going for a
Global-scoped group at least..

> 
> The last command returns with an error "no trusted domain matched the specified flat name"
> 
> In /var/log/messages I saw an error message about there not being a kerberos account for ldap/activedirectoryserver@ipaserver, so I've added each host and an ldap service for each.  Now, in /var/log/messages, I see "KDC has no support for encryption type" when I attempt to add the group map.
> 
> 
> 
> CentOS Linux release 7.2.1511 (Core)
> 
> IPA 4.2.0-15.0.1.el7.centos.6.1.x86_64
> 
> 
> 
> This is the command I used to establish the trust:
> 
> ipa trust-add --type=ad Activedirectory.com --two-way=true --trust-secret
> 
> When checking everything is setup things seem to be OK:
> ipa trust-show "Activedirectory.com"
>   Realm name: Activedirectory.com
>   Domain NetBIOS name: ACTIVEDIRECTORY
Here..                   ~~~~~~~~~~~~~~
>   Domain Security Identifier: S-1-5-21-4202716412-292079579-2462381064
>   Trust direction: Two-way trust
>   Trust type: Active Directory domain
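As an added example (not from this thread or the FreeIPA project), a small Python check that reads the realm and NetBIOS names from `ipa trust-show` output and reports whether a proposed `--external` member spec is in the accepted `NETBIOS\Group` or `Group@realm` form, flagging the mix-up above where the DNS realm is used in place of the flat name. The trust-show text is a constructed sample modelled on the post; the function names are my own.

```python
# Constructed sample of `ipa trust-show` output, modelled on the post.
TRUST_SHOW_OUTPUT = """\
  Realm name: Activedirectory.com
  Domain NetBIOS name: ACTIVEDIRECTORY
  Domain Security Identifier: S-1-5-21-4202716412-292079579-2462381064
  Trust direction: Two-way trust
  Trust type: Active Directory domain
"""


def parse_trust_show(text):
    """Return {'realm': ..., 'netbios': ...} parsed from ipa trust-show output."""
    info = {}
    for line in text.splitlines():
        key, sep, value = line.strip().partition(":")
        if not sep:
            continue
        key, value = key.strip(), value.strip()
        if key == "Realm name":
            info["realm"] = value
        elif key == "Domain NetBIOS name":
            info["netbios"] = value
    if "realm" not in info or "netbios" not in info:
        raise ValueError("trust-show output lacks realm or NetBIOS name")
    return info


def check_external_member(spec, trust):
    """Validate a --external member spec against the parsed trust.

    Accepts 'NETBIOS\\Group' or 'Group@realm' (domain part compared
    case-insensitively). Returns (ok, normalized_spec_or_reason).
    """
    if "\\" in spec:
        flat, _, group = spec.partition("\\")
        if flat.upper() == trust["netbios"].upper():
            return True, f"{trust['netbios']}\\{group}"
        if flat.lower() == trust["realm"].lower():
            # The mistake from the thread: DNS realm where the flat name belongs.
            return False, (f"'{flat}' is the DNS realm; the flat name is "
                           f"'{trust['netbios']}' (use {trust['netbios']}\\{group})")
        return False, f"no trusted domain matched the specified flat name '{flat}'"
    if "@" in spec:
        group, _, realm = spec.rpartition("@")
        if realm.lower() == trust["realm"].lower():
            return True, f"{group}@{trust['realm']}"
        return False, f"unknown realm '{realm}'"
    return False, "spec must be NETBIOS\\Group or Group@realm"
```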



