[Freeipa-users] Authenticating with tree root trusted domain of root DC in which the ipa trust is configured with

Kimery, Roger ROGER.KIMERY at deluxe.com
Wed Jul 27 17:02:59 UTC 2016


Hello,


We are running IPA version: 4.2.0, API_version: 2.156 on CentOS 7.2.1511 (Core)


Trust is configured with Windows 2008 R2 Enterprise Domain roottest1.com


Below is output from ipa trustdomain-find

Realm name: ROOTTEST1.COM
  Domain name: deluxetest1.com
  Domain NetBIOS name: DELUXETEST1
  Domain Security Identifier: S-1-5-21-254737954-3826080811-539560843
  Domain enabled: True

  Domain name: roottest1.com
  Domain NetBIOS name: ROOTTEST1
  Domain Security Identifier: S-1-5-21-3637171213-1932491363-3141112745
  Domain enabled: True
----------------------------
Number of entries returned 2
----------------------------

Users from roottest1.com domain work fine but users from deluxetest1.com domain cannot authenticate. As root you can su to users from both domains and run id with the expected output. Below is output from running id for a user in each domain:

id t443167l@roottest1.com
uid=908601177(t443167l@roottest1.com) gid=908601177(t443167l@roottest1.com) groups=908601177(t443167l@roottest1.com),908601174(hbac-on-root-global@roottest1.com),908601175(lsar-on-root-global@roottest1.com),908600513(domain users@roottest1.com),1114800007(hbac-on-root-global),1114800006(lsar-on-root-global)

id t443167@deluxetest1.com
uid=959201836(t443167@deluxetest1.com) gid=959201836(t443167@deluxetest1.com) groups=959201836(t443167@deluxetest1.com),908601174(hbac-on-root-global@roottest1.com),908601175(lsar-on-root-global@roottest1.com),959202271(hbac-on-global@deluxetest1.com),959202270(lsar-on-global@deluxetest1.com),959200512(domain admins@deluxetest1.com),959200513(domain users@deluxetest1.com),1114800007(hbac-on-root-global),1114800006(lsar-on-root-global),1114800010(lsar-on-global),1114800009(hbac-on-global)

I have tried making the groups in AD universal groups and adding the groups from deluxetest1 as members of the related groups in roottest1, with no change in the results. These groups can be seen in the output above.

Is there a way to get users from deluxetest1.com domain to function with the same results as users from roottest1.com?

Please let me know what other information you need.

Thanks!



Roger Kimery

Tech. Solutions Integration Engineer

Deluxe Rewards

44747 Helm Ct Plymouth, Mi. 48170

877-706-4321 ext 314912
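A first thing to rule out when one trusted domain's users resolve but fail to authenticate is whether both users actually land in the same IPA-side groups, since HBAC rules are evaluated against the IPA groups (the entries without a realm suffix), not the AD groups. The script below is an added example, not part of the post above; it parses the two id(1) lines quoted in the post (the list archive rendered each "@" as " at ", restored here) and reports which IPA groups one user has that the other lacks, together with the AD domains each user's group list spans.

```python
import re

# id(1) output for the two test users, copied from the post above (constructed
# constant for this example; the archive showed "@" as " at ").
ID_OUTPUT = {
    "t443167l@roottest1.com": (
        "uid=908601177(t443167l@roottest1.com) gid=908601177(t443167l@roottest1.com) "
        "groups=908601177(t443167l@roottest1.com),908601174(hbac-on-root-global@roottest1.com),"
        "908601175(lsar-on-root-global@roottest1.com),908600513(domain users@roottest1.com),"
        "1114800007(hbac-on-root-global),1114800006(lsar-on-root-global)"
    ),
    "t443167@deluxetest1.com": (
        "uid=959201836(t443167@deluxetest1.com) gid=959201836(t443167@deluxetest1.com) "
        "groups=959201836(t443167@deluxetest1.com),908601174(hbac-on-root-global@roottest1.com),"
        "908601175(lsar-on-root-global@roottest1.com),959202271(hbac-on-global@deluxetest1.com),"
        "959202270(lsar-on-global@deluxetest1.com),959200512(domain admins@deluxetest1.com),"
        "959200513(domain users@deluxetest1.com),1114800007(hbac-on-root-global),"
        "1114800006(lsar-on-root-global),1114800010(lsar-on-global),1114800009(hbac-on-global)"
    ),
}

# One "<id>(<name>)" entry; the name may contain spaces ("domain users@..."),
# so we must not split on whitespace.
ENTRY_RE = re.compile(r"(\d+)\(([^)]*)\)")


def parse_id(line):
    """Parse one line of id(1) output into (uid, gid, {gid: group_name})."""
    uid = int(re.search(r"\buid=(\d+)", line).group(1))
    gid = int(re.search(r"\bgid=(\d+)", line).group(1))
    group_part = line.split("groups=", 1)[1]
    groups = {int(g): name for g, name in ENTRY_RE.findall(group_part)}
    return uid, gid, groups


def split_groups(groups):
    """Separate AD groups (name carries an @domain suffix) from IPA groups
    (no suffix). Only the IPA groups matter for HBAC rule evaluation."""
    ad = {n for n in groups.values() if "@" in n}
    ipa = {n for n in groups.values() if "@" not in n}
    return ad, ipa


def ipa_groups_missing(reference_user, other_user):
    """IPA groups the reference user resolves to that the other user does not."""
    _, _, ref_groups = parse_id(ID_OUTPUT[reference_user])
    _, _, other_groups = parse_id(ID_OUTPUT[other_user])
    return split_groups(ref_groups)[1] - split_groups(other_groups)[1]


def ad_domains(user):
    """AD domains that appear in a user's resolved group list."""
    _, _, groups = parse_id(ID_OUTPUT[user])
    ad, _ = split_groups(groups)
    return {name.split("@", 1)[1] for name in ad}


if __name__ == "__main__":
    root_user, child_user = "t443167l@roottest1.com", "t443167@deluxetest1.com"
    for user in (root_user, child_user):
        uid, gid, groups = parse_id(ID_OUTPUT[user])
        ad, ipa = split_groups(groups)
        print(f"{user}: uid={uid} ipa_groups={sorted(ipa)} domains={sorted(ad_domains(user))}")
    print("IPA groups root user has but child user lacks:",
          sorted(ipa_groups_missing(root_user, child_user)))
```

On the posted output the child-domain user lacks none of the IPA groups the root-domain user has (it carries two more), so group resolution alone does not explain the difference between the two users; the remaining checks are the HBAC evaluation for that user (ipa hbactest with --user, --host and --service) and the sssd domain log on the client for the failed login.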
