[Freeipa-users] ipa trust-add seems to work, but doesn't add the trust in FreeIPA

Alexander Bokovoy abokovoy at redhat.com
Thu Mar 10 04:53:22 UTC 2016


On Thu, 10 Mar 2016, Darren Poulson wrote:
>Hi,
>
>So, after I got the ipa-adtrust-install working, I tried to create a trust
>between our freeipa cluster, and a new AD machine.
>
>It seemed to run ok, and gave an output, but in the ui under trusts, there
>is nothing.
>
>[root@freeipa1-01 httpd]# ipa trust-add --type=ad ad.genops --admin Administrator
>Active Directory domain administrator's password:
>--------------------------------------------------
>Added Active Directory trust for realm "ad.genops"
>--------------------------------------------------
>  Realm name: ad.genops
>  Domain NetBIOS name: AD
>  Domain Security Identifier: S-1-5-21-1113268607-2619903336-2585939669
>  SID blacklist incoming: S-1-5-20, S-1-5-3, S-1-5-2, S-1-5-1, S-1-5-7,
>S-1-5-6, S-1-5-5, S-1-5-4, S-1-5-9, S-1-5-8, S-1-5-17, S-1-5-16, S-1-5-15,
>S-1-5-14, S-1-5-13, S-1-5-12, S-1-5-11, S-1-5-10,
>                          S-1-3, S-1-2, S-1-1, S-1-0, S-1-5-19, S-1-5-18
>  SID blacklist outgoing: S-1-5-20, S-1-5-3, S-1-5-2, S-1-5-1, S-1-5-7,
>S-1-5-6, S-1-5-5, S-1-5-4, S-1-5-9, S-1-5-8, S-1-5-17, S-1-5-16, S-1-5-15,
>S-1-5-14, S-1-5-13, S-1-5-12, S-1-5-11, S-1-5-10,
>                          S-1-3, S-1-2, S-1-1, S-1-0, S-1-5-19, S-1-5-18
>  Trust direction: Trusting forest
>  Trust type: Active Directory domain
>  Trust status: Established and verified
>
>[root@freeipa1-01 httpd]# ipa trust-fetch-domains ad.genops
>ipa: ERROR: no matching entry found
>
>Any pointers as to where to start looking? It seems to have added the id
>range for AD, as well as the Default Trust View. Just not the actual trust.
>I can see the trust has been created on the AD side fine.
http://www.freeipa.org/page/Active_Directory_trust_setup#Debugging_trust

-- 
/ Alexander Bokovoy



