[Freeipa-users] Cannot add external group from Active Directory two-way trust
Jakub Hrozek
jhrozek at redhat.com
Thu Aug 4 11:26:18 UTC 2016
On Wed, Aug 03, 2016 at 09:44:26PM +0000, Gregory Koch wrote:
> I've been following the documentation at https://www.freeipa.org/page/Active_Directory_trust_setup and I was able to establish a two-way forest trust with Active Directory. I'm getting stuck when mapping external AD groups into a POSIX group (the "Allow access for users from AD domain to protected resources" section).
>
>
> I've run the following commands to create and map the groups:
>
> ipa group-add --desc='sysops admins external map' sysops_external --external
> ipa group-add --desc='sysops admins' sysops
> ipa group-add-member sysops_external --external 'Activedirectory.com\Domain Admins'
~~~~~~~~~~~~~~~~~~~
Are you actually able to run "getent group Activedirectory.com\Domain
Admins" ? Because later, the ipa trust-show lists your NetBIOS name as
ACTIVEDIRECTORY, not Activedirectory.com..
Either use:
ACTIVEDIRECTORY\Domain Admins
or:
Domain Admins at Activedirectory.com
btw isn't Domain Admins a domain-local group? Is it a good idea to use
such group in a trust scenario? I would suggest going for a
Global-scoped group at least..
>
> The last command returns with an error "no trusted domain matched the specified flat name"
>
> In /var/log/messages I saw an error message about there not being a kerberos account for ldap/activedirectoryserver at ipaserver, so I've added each host and an ldap service for each. Now, in /var/log/messages, I see "KDC has no support for encryption type" when I attempt to add the group map.
>
>
>
> CentOS Linux release 7.2.1511 (Core)
>
> IPA 4.2.0-15.0.1.el7.centos.6.1.x86_64
>
>
>
> This is the command I used to establish the trust:
>
> ipa trust-add --type=ad Activedirectory.com --two-way=true --trust-secret
>
> When checking everything is setup things seem to be OK:
> ipa trust-show "Activedirectory.com"
> Realm name: Activedirectory.com
> Domain NetBIOS name: ACTIVEDIRECTORY
Here.. ~~~~~~~~~~~~~~
> Domain Security Identifier: S-1-5-21-4202716412-292079579-2462381064
> Trust direction: Two-way trust
> Trust type: Active Directory domain
More information about the Freeipa-users
mailing list