[Freeipa-users] What id my AD domain user password not available

Ben .T.George bentech4you at gmail.com
Tue Jun 14 06:05:28 UTC 2016


Hi,

Sorry, it was an issue with DNS (SRV records were missing) and it's been fixed
now. I have created a one-way forest trust.

While issuing the trust from the IPA server, I have used a shared key and the
process was successful.

But after validating the trust from the AD side, it's asking for some username
and password. I have given the below password combinations:

IPA "admin" user and password
IPA admin user and IPA directory password
AD "Administrator" and password.

But still it's not accepting that. So which username and password is it
expecting?

This is if I create a one-way trust. If I create a two-way trust, this password
is not asked for. And my AD admin will only allow a one-way trust.



Thanks & Regards,
Ben

On Wed, Jun 1, 2016 at 8:20 AM, Ben .T.George <bentech4you at gmail.com> wrote:

> Hi,
>
> Sorry, it was an issue with DNS (SRV records were missing) and it's been fixed
> now. I have created a one-way forest trust.
>
> While issuing the trust from the IPA server, I have used a shared key and the
> process was successful.
>
> But after validating the trust from the AD side, it's asking for some username
> and password. I have given the below password combinations:
>
> IPA "admin" user and password
> IPA admin user and IPA directory password
> AD "Administrator" and password.
>
> But still it's not accepting that. So which username and password is it
> expecting?
>
> This is if I create a one-way trust. If I create a two-way trust, this
> password is not asked for. And my AD admin will only allow a one-way trust.
>
>
>
> Thanks & Regards,
> Ben
>
>
> On Fri, May 27, 2016 at 11:04 AM, Ben .T.George <bentech4you at gmail.com>
> wrote:
>
>> HI Alex,
>>
>> Thanks for the information
>>
>> I have removed the old trust and am recreating it again
>>
>> [image: Inline image 1]
>> [image: Inline image 2]
>> [image: Inline image 4]
>>
>> And with PA domain (idm.local) also same, it's not creating trust.
>>
>> Regards,
>> Ben
>>
>>
>>
>> On Fri, May 27, 2016 at 10:53 AM, Alexander Bokovoy <abokovoy at redhat.com>
>> wrote:
>>
>>> On Fri, 27 May 2016, Ben .T.George wrote:
>>>
>>>> This is what i am getting
>>>>
>>>> [image: Inline image 1]
>>>> [image: Inline image 3]
>>>> [image: Inline image 4]
>>>>
>>>> And that wizard ends with nothing. Please anyone share more info
>>>> regarding this
>>>>
>>> The wizard asks you to enter the name of the domain, forest, or realm
>>> for the trust. You are entering hostname of IPA master. This is never
>>> going to fly.
>>>
>>> In Active Directory terms:
>>> - forest is a set of AD domains
>>> - it is named after the first AD domain created in the forest
>>> - this domain is called 'forest root domain'
>>>
>>> In FreeIPA we have a single 'domain' from Active Directory perspective:
>>> - this is the domain corresponding to Kerberos realm name, (ipa.local
>>>   in your case)
>>> - Forest name = forest root domain name = ipa.local
>>>
>>> The wizard will then use DNS SRV records to discover IPA masters (AD DCs
>>> for Active Directory view).
>>>
>>>
>>>
>>>> Regards,
>>>> Ben
>>>>
>>>> On Fri, May 27, 2016 at 10:24 AM, Ben .T.George <bentech4you at gmail.com>
>>>> wrote:
>>>>
>>>>> Hi Alex.
>>>>>
>>>>> I am using Windows 2008 R2.
>>>>>
>>>>> When I am giving IPA's DNS name and click next, the trust wizard is not
>>>>> going through. But if I am selecting realm trust, at least the wizard
>>>>> completes.
>>>>>
>>>>> So which AD version is recommended?
>>>>>
>>>>> Regards,
>>>>> Ben
>>>>>
>>>>> On Fri, May 27, 2016 at 7:05 AM, Alexander Bokovoy <abokovoy at redhat.com>
>>>>> wrote:
>>>>>
>>>>>> On Fri, 27 May 2016, Ben .T.George wrote:
>>>>>>
>>>>>>> Hi
>>>>>>>
>>>>>>> I ran some commands from the AD side and the trust status got changed.
>>>>>>> Below is the command I used on AD:
>>>>>>>
>>>>>>> netdom trust <TrustingDomainName> /d:<TrustedDomainName> /verify
>>>>>>>
>>>>>>>
>>>>>>> Before it was: "waiting for confirmation by remote side" and now it
>>>>>>> got changed to "Trust type: Active Directory domain"
>>>>>>>
>>>>>>> But when I am trying to map an AD group, it is not going through
>>>>>>>
>>>>>>>
>>>>>>> [root@zkwipamstr01 ~]# ipa group-add-member ad_admins_external --external 'MTC_TABS\Domain Users'
>>>>>>> [member user]:
>>>>>>> [member group]:
>>>>>>> Group name: ad_admins_external
>>>>>>> Description: ad_domain admins external map
>>>>>>> Failed members:
>>>>>>>   member user:
>>>>>>>   *member group: MTC_TABS\Domain Users: trusted domain object not found *
>>>>>>> -------------------------
>>>>>>> Number of members added 0
>>>>>>> -------------------------
>>>>>>>
>>>>>>> This is what my trust properties from AD. Trust type is showing as
>>>>>>> realm
>>>>>>>
>>>>>> It should be 'Forest', not 'realm'. Realm is for plain MIT Kerberos
>>>>>> realm trust which is *not* what IPA provides.
>>>>>>
>>>>>>> [image: Inline image 1]
>>>>>>>
>>>>>>> How can I fix this issue?
>>>>>>>
>>>>>> Use correct type of trust when establishing trust on AD side. If your
>>>>>> Windows version does not allow to specify proper trust type, I'm
>>>>>> afraid, there is nothing we can help with.
>>>>>>
>>>>>> --
>>>>>> / Alexander Bokovoy
>>>>>>
>>>>>>
>>>>>
>>>>>
>>>
>>>
>>>
>>>
>>> --
>>> / Alexander Bokovoy
>>>
>>
>>
>
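
Added example, not part of the original thread or of FreeIPA's own code: a check that a DNS zone export for the IPA domain carries the SRV records an AD domain controller uses to discover IPA masters, which is the failure the poster traced to missing SRV records. The required-name list is an assumption based on the records FreeIPA advertises for AD trust, and the host master1.ipa.local and the zone excerpt are constructed.

```python
import re

# SRV owner names, relative to the IPA domain. Assumption of this example:
# the base records plus the _msdcs records used for AD DC discovery.
REQUIRED = ["_ldap._tcp", "_kerberos._tcp", "_kerberos._udp"] + [
    f"{svc}.{scope}dc._msdcs"
    for scope in ("", "Default-First-Site-Name._sites.")
    for svc in ("_ldap._tcp", "_kerberos._tcp", "_kerberos._udp")
]
PORTS = {"_ldap": 389, "_kerberos": 88}
SRV = re.compile(
    r"^(\S+)\s+(?:\d+\s+)?(?:IN\s+)?SRV\s+\d+\s+\d+\s+(\d+)\s+(\S+)$", re.I)

# Constructed zone excerpt: two _msdcs names present (one with a wrong port),
# the rest of the _msdcs names absent.
SAMPLE_ZONE = """\
_ldap._tcp.ipa.local.               86400 IN SRV 0 100 389 master1.ipa.local.
_kerberos._tcp.ipa.local.           86400 IN SRV 0 100 88  master1.ipa.local.
_kerberos._udp.ipa.local.           86400 IN SRV 0 100 88  master1.ipa.local.
_ldap._tcp.dc._msdcs.ipa.local.     86400 IN SRV 0 100 389 master1.ipa.local.
_kerberos._tcp.dc._msdcs.ipa.local. 86400 IN SRV 0 100 389 master1.ipa.local. ; wrong port
"""

def parse_srv(zone_text, domain):
    """Map each SRV owner name (lowercase, relative to domain) to (port, target) pairs."""
    suffix = "." + domain.lower().strip(".") + "."
    found = {}
    for raw in zone_text.splitlines():
        m = SRV.match(raw.split(";", 1)[0].strip())  # drop zone-file comments
        if m:
            owner = m.group(1).lower()
            if owner.endswith(suffix):
                owner = owner[: -len(suffix)]
            found.setdefault(owner, []).append((int(m.group(2)), m.group(3)))
    return found

def check_trust_srv(zone_text, domain):
    """Return (name, issue) pairs for required SRV names that are missing or on the wrong port."""
    found = parse_srv(zone_text, domain)
    problems = []
    for name in REQUIRED:
        records = found.get(name.lower(), [])
        if not records:
            problems.append((name, "missing"))
        want = PORTS[name.split(".")[0]]
        problems += [(name, f"port {port}, expected {want}")
                     for port, _target in records if port != want]
    return problems

if __name__ == "__main__":
    for name, issue in check_trust_srv(SAMPLE_ZONE, "ipa.local"):
        print(f"{name}.ipa.local: {issue}")
```

To use it on a real deployment, pass the SRV lines from your own zone export in place of SAMPLE_ZONE.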