[Freeipa-users] What if my AD domain user password not available

Ben .T.George bentech4you at gmail.com
Thu May 26 19:32:28 UTC 2016


Hi All,

I have given the shared key and the status is like below.


[root at zkwipamstr01 ~]# ipa trust-add --type=ad "corp.example.com.kw" --trust-secret
Shared secret for the trust:
--------------------------------------------------------
Added Active Directory trust for realm "corp.example.com.kw"
--------------------------------------------------------
 Realm name: corp.example.com.kw
 Domain NetBIOS name: MTC_TABS
 Domain Security Identifier: S-1-5-21-4225188509-189646935-2695072313
 SID blacklist incoming: S-1-5-20, S-1-5-3, S-1-5-2, S-1-5-1, S-1-5-7,
S-1-5-6, S-1-5-5, S-1-5-4, S-1-5-9, S-1-5-8, S-1-5-17, S-1-5-16, S-1-5-15,
                         S-1-5-14, S-1-5-13, S-1-5-12, S-1-5-11, S-1-5-10,
S-1-3, S-1-2, S-1-1, S-1-0, S-1-5-19, S-1-5-18
 SID blacklist outgoing: S-1-5-20, S-1-5-3, S-1-5-2, S-1-5-1, S-1-5-7,
S-1-5-6, S-1-5-5, S-1-5-4, S-1-5-9, S-1-5-8, S-1-5-17, S-1-5-16, S-1-5-15,
                         S-1-5-14, S-1-5-13, S-1-5-12, S-1-5-11, S-1-5-10,
S-1-3, S-1-2, S-1-1, S-1-0, S-1-5-19, S-1-5-18
 Trust direction: Trusting forest
 Trust type: Active Directory domain
 Trust status: Waiting for confirmation by remote side


What does this mean: "Waiting for confirmation by remote side"? How can I
check that? From my AD side, I cannot see the screens shown in that
GIF (tutorial).

Please, anyone help me.


Thanks & Regards,
Ben

On Thu, May 26, 2016 at 7:58 PM, Michael ORourke <mrorourke at earthlink.net>
wrote:

> That looks good.  I see you are using an external DNS source for the IPA
> domain, correct?  You may need to do some additional steps on the FreeIPA
> server, because by default it will configure BIND and populate resource
> records for the IPA domain (for example, SRV records like
> _ldap._tcp.kw.example.com).  I'm not familiar with setting up FreeIPA with an
> external DNS, but I'm sure there are some instructions out there.
>
> -Mike
>
> -----Original Message-----
> From: "Ben .T.George"
> Sent: May 23, 2016 2:22 PM
> To: Michael ORourke
> Cc: freeipa-users
> Subject: Re: [Freeipa-users] What id my AD domain user password not
> available
>
> Hi,
>
> In my case I have 2 domains:
>
> AD DNS: corp.example.kw.com
> main DNS (from appliance): kw.example.com
>
> and all the Linux boxes are pointed to kw.example.com.
>
> So I put my IPA server hostname as ipa.kw.example.com and created A &
> PTR records on kw.example.com.
>
> Is that the correct way?
>
> Regards,
> Ben
>
> On Mon, May 23, 2016 at 8:20 PM, Michael ORourke <mrorourke at earthlink.net>
> wrote:
>
>> Ben,
>>
>> Yes, that is a requirement.  Just creating the A & PTR records for your
>> FreeIPA server is not enough.  You will need to keep the DNS zones separate
>> too, for example:
>> Windows AD Domain: mydomain.com
>> FreeIPA Realm/Domain: subdomain.mydomain.com
>>
>> You cannot have a cross-forest trust between two domains with the same
>> DNS zone name.  So if you have a flat DNS namespace, then you will want to
>> plan accordingly to move all the Linux boxes that will participate in the
>> FreeIPA domain into the new DNS zone.
>>
>> -Mike
>>
>> -----Original Message-----
>> From: "Ben .T.George"
>> Sent: May 23, 2016 10:44 AM
>> To: Michael ORourke
>> Cc: freeipa-users
>> Subject: Re: [Freeipa-users] What id my AD domain user password not
>> available
>>
>> Hi,
>>
>> Yeah, that GIF screen I shared with him, but it doesn't show how to get the
>> shared key.
>>
>> In my case DNS is handled by 3rd-party appliances and from their side
>> they created an A record for my IPA server. Both forward and reverse are working.
>>
>> Is this forwarder a mandatory thing from the DNS side?
>>
>> Regards,
>> ben
>>
>> On Mon, May 23, 2016 at 5:31 PM, Michael ORourke <mrorourke at earthlink.net
>> > wrote:
>>
>>> Actually one of his questions doesn't make sense, because last I
>>> checked, normal domain users do not have permissions to create a forest
>>> trust.
>>> I believe the default is a one-way trust, so maybe his concerns about
>>> the bi-directional trust are really a non-issue.
>>> If he refuses to type in the admin password in a Linux console session
>>> (extreme paranoia?), then perhaps you could give him a link to the tutorial
>>> on using a pre-shared key and have him set up the AD side and give you the
>>> key.  You don't have to be a Windows expert to do this, just ask your
>>> domain admin to do the steps for you.  Also, you will need to set up a
>>> separate DNS zone and some forwarding rules.  Otherwise you are going to
>>> have problems.
>>>
>>> -Mike
>>>
>>>
>>> -----Original Message-----
>>> From: "Ben .T.George"
>>> Sent: May 23, 2016 10:07 AM
>>> To: Michael ORourke
>>> Cc: freeipa-users
>>> Subject: Re: [Freeipa-users] What id my AD domain user password not
>>> available
>>>
>>> Hi,
>>>
>>> He is local only, but he is asking so many questions.
>>>
>>> First of all, he is refusing to give the domain admin user's password.
>>>
>>> The questions he is asking are:
>>>
>>> Is this trust relationship two-directional? If yes, why does IPA require
>>> a two-directional trust?
>>> Can we build this trust one-directional?
>>> Can we achieve this with a normal domain user?
>>>
>>> And he is opposed to entering the password on the command line, and I was going
>>> through the trust using a pre-shared key and it's too hard for me to
>>> understand as I have no Windows experience.
>>>
>>> regards,
>>> Ben
>>>
>>> On Mon, May 23, 2016 at 4:22 PM, Michael ORourke <
>>> mrorourke at earthlink.net> wrote:
>>>
>>>> A couple of ways to go about this.  If he is local to you, you could
>>>> explain that you need to establish a trust with his domain and you need his
>>>> assistance for a few minutes while you type the command to join, then have
>>>> him type in the password.  You need to ensure that the DNS forward/stub
>>>> zones are set up and working too.  If he is remote, you could use some
>>>> screen share software and share out your desktop and walk him through the
>>>> part where he has to type the admin password.  There is also a way to
>>>> create a trust using a pre-shared key.  That may be more acceptable to
>>>> him.
>>>>
>>>> -Mike
>>>>
>>>>
>>>> -----Original Message-----
>>>> From: "Ben .T.George"
>>>> Sent: May 23, 2016 8:42 AM
>>>> To: freeipa-users
>>>> Subject: [Freeipa-users] What id my AD domain user password not
>>>> available
>>>>
>>>> Hi List,
>>>>
>>>> My Windows domain admin is not giving me the domain admin user password.
>>>>
>>>> In this case, how can I proceed with ipa trust-add?
>>>>
>>>> regards,
>>>> Ben
>>>>
>>>>
>>>> --
>>>> Manage your subscription for the Freeipa-users mailing list:
>>>> https://www.redhat.com/mailman/listinfo/freeipa-users
>>>> Go to http://freeipa.org for more info on the project
>>>>
>>>
>>>
>>>
>>
>>
>
>
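Added example (not part of the thread and not FreeIPA's own code): a small Python pre-flight check for the two DNS prerequisites Mike raises above, namely that the IPA and AD domains must not share a DNS zone name, and that an external DNS appliance has to carry the SRV records FreeIPA would otherwise publish itself. `_ldap._tcp` is the only record the thread names; the remaining record names and ports are an assumption taken from FreeIPA's default SRV set and should be confirmed against the installed version (newer releases can print them with `ipa dns-update-system-records --dry-run`). The `dig +short SRV` answers, the domain names and the server name are constructed sample data, chosen to mirror the thread.

```python
#!/usr/bin/env python3
"""Pre-flight DNS check for a FreeIPA <-> AD trust where DNS is served by
an external appliance instead of the IPA server.

Added example; not FreeIPA code.  Runs offline on constructed
`dig +short SRV` output.  Replace SAMPLE_DIG_ANSWERS with real output
(one entry per owner name) to check a live zone.
"""

# SRV records FreeIPA publishes for its own domain when it manages DNS.
# `_ldap._tcp` is named in the thread; the rest are FreeIPA's default set
# as this author knows it (assumption: confirm against your version).
IPA_SRV_RECORDS = {
    "_ldap._tcp": 389,
    "_kerberos._tcp": 88,
    "_kerberos._udp": 88,
    "_kerberos-master._tcp": 88,
    "_kerberos-master._udp": 88,
    "_kpasswd._tcp": 464,
    "_kpasswd._udp": 464,
}

# Records AD domain controllers look up to locate the trusted forest's
# "domain controllers" (the IPA masters).  Same assumption as above.
AD_TRUST_SRV_RECORDS = {
    "_ldap._tcp.dc._msdcs": 389,
    "_kerberos._tcp.dc._msdcs": 88,
    "_kerberos._udp.dc._msdcs": 88,
    "_ldap._tcp.Default-First-Site-Name._sites.dc._msdcs": 389,
    "_kerberos._tcp.Default-First-Site-Name._sites.dc._msdcs": 88,
    "_kerberos._udp.Default-First-Site-Name._sites.dc._msdcs": 88,
}


def normalize(name: str) -> str:
    """Lower-case a DNS name and drop surrounding whitespace and the trailing dot."""
    return name.strip().lower().rstrip(".")


def check_zone_separation(ipa_domain: str, ad_domain: str) -> list:
    """Return a list of problems (empty means the pair is acceptable).
    Rule from the thread: the IPA domain and the AD domain must not share
    a DNS zone name; a child zone such as subdomain.mydomain.com is fine."""
    problems = []
    if normalize(ipa_domain) == normalize(ad_domain):
        problems.append("IPA domain and AD domain share the same DNS zone name")
    return problems


def expected_srv_names(ipa_domain: str, with_trust: bool = True) -> dict:
    """Map fully qualified SRV owner names under the IPA domain to the expected port."""
    zone = normalize(ipa_domain)
    records = dict(IPA_SRV_RECORDS)
    if with_trust:
        records.update(AD_TRUST_SRV_RECORDS)
    return {f"{prefix}.{zone}": port for prefix, port in records.items()}


def parse_dig_short_srv(text: str) -> list:
    """Parse `dig +short SRV <name>` output, one '<prio> <weight> <port> <target>'
    per line, into (prio, weight, port, target) tuples.  Non-SRV lines are skipped."""
    answers = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4 or not parts[2].isdigit():
            continue
        prio, weight, port, target = parts
        answers.append((int(prio), int(weight), int(port), normalize(target)))
    return answers


def find_missing(expected: dict, dig_answers: dict, ipa_server: str) -> list:
    """Compare expected records with captured dig output.
    dig_answers maps owner name -> raw `dig +short SRV` text ('' when there was
    no answer).  Returns (name, reason) pairs for every record that would stop
    IPA clients or AD DCs from locating the IPA server."""
    server = normalize(ipa_server)
    missing = []
    for name, port in expected.items():
        answers = parse_dig_short_srv(dig_answers.get(name, ""))
        if not answers:
            missing.append((name, "no SRV answer"))
        elif not any(a[2] == port and a[3] == server for a in answers):
            missing.append((name, f"no target {server}:{port} in answer"))
    return missing


# Constructed sample: the appliance admin added A/PTR plus three SRV records,
# one of them with the wrong port; everything else is absent.
SAMPLE_IPA_DOMAIN = "kw.example.com"
SAMPLE_AD_DOMAIN = "corp.example.com.kw"
SAMPLE_IPA_SERVER = "ipa.kw.example.com"
SAMPLE_DIG_ANSWERS = {
    "_ldap._tcp.kw.example.com": "0 100 389 ipa.kw.example.com.\n",
    "_kerberos._tcp.kw.example.com": "0 100 88 ipa.kw.example.com.\n",
    "_kpasswd._tcp.kw.example.com": "0 100 88 ipa.kw.example.com.\n",  # should be 464
}


def run_sample() -> tuple:
    """Run both checks on the constructed sample; returns (zone_problems, missing)."""
    problems = check_zone_separation(SAMPLE_IPA_DOMAIN, SAMPLE_AD_DOMAIN)
    expected = expected_srv_names(SAMPLE_IPA_DOMAIN)
    return problems, find_missing(expected, SAMPLE_DIG_ANSWERS, SAMPLE_IPA_SERVER)


if __name__ == "__main__":
    zone_problems, missing = run_sample()
    for problem in zone_problems:
        print("ZONE PROBLEM:", problem)
    for name, reason in missing:
        print(f"MISSING {name}: {reason}")
```

On the sample the zone check passes (the two names differ) and eleven of the thirteen expected records are reported, including the `_kpasswd._tcp` entry whose port is wrong; each reported line is a record to hand to the appliance administrator before running `ipa trust-add`.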