[Freeipa-users] What id my AD domain user password not available

Ben .T.George bentech4you at gmail.com
Thu May 26 23:08:07 UTC 2016


Hi

I ran some commands from the AD side and the trust status got changed. Below is
the command I used on AD:

netdom trust <TrustingDomainName> /d:<TrustedDomainName> /verify


Before it was: "waiting for confirmation by remote side" and now it got
changed to "Trust type: Active Directory domain".

But when I am trying to map the AD group, it is not going through:


[root at zkwipamstr01 ~]# ipa group-add-member ad_admins_external --external
'MTC_TABS\Domain Users'
[member user]:
[member group]:
 Group name: ad_admins_external
 Description: ad_domain admins external map
 Failed members:
   member user:
   member group: MTC_TABS\Domain Users: trusted domain object not found
-------------------------
Number of members added 0
-------------------------

These are my trust properties from AD. Trust type is showing as realm:

[image: Inline image 1]

How can I fix this issue?

On Thu, May 26, 2016 at 10:32 PM, Ben .T.George <bentech4you at gmail.com>
wrote:

> Hi All
>
> I have given the shared key and the status is like below.
>
>
> [root at zkwipamstr01 ~]# ipa trust-add --type=ad "corp.example.com.kw"
> --trust-secret
> Shared secret for the trust:
> --------------------------------------------------------
> Added Active Directory trust for realm "corp.example.com.kw"
> --------------------------------------------------------
>  Realm name: corp.example.com.kw
>  Domain NetBIOS name: MTC_TABS
>  Domain Security Identifier: S-1-5-21-4225188509-189646935-2695072313
>  SID blacklist incoming: S-1-5-20, S-1-5-3, S-1-5-2, S-1-5-1, S-1-5-7,
>                          S-1-5-6, S-1-5-5, S-1-5-4, S-1-5-9, S-1-5-8,
>                          S-1-5-17, S-1-5-16, S-1-5-15, S-1-5-14,
>                          S-1-5-13, S-1-5-12, S-1-5-11, S-1-5-10,
>                          S-1-3, S-1-2, S-1-1, S-1-0, S-1-5-19, S-1-5-18
>  SID blacklist outgoing: S-1-5-20, S-1-5-3, S-1-5-2, S-1-5-1, S-1-5-7,
>                          S-1-5-6, S-1-5-5, S-1-5-4, S-1-5-9, S-1-5-8,
>                          S-1-5-17, S-1-5-16, S-1-5-15, S-1-5-14,
>                          S-1-5-13, S-1-5-12, S-1-5-11, S-1-5-10,
>                          S-1-3, S-1-2, S-1-1, S-1-0, S-1-5-19, S-1-5-18
>  Trust direction: Trusting forest
>  Trust type: Active Directory domain
>  Trust status: Waiting for confirmation by remote side
>
>
> What does this mean, "Waiting for confirmation by remote side"? How can I
> check that? From my AD side, I cannot see the screens shown in that
> GIF (tutorial).
>
> Please anyone help me.
>
>
> Thanks & Regards,
> Ben
>
> On Thu, May 26, 2016 at 7:58 PM, Michael ORourke <mrorourke at earthlink.net>
> wrote:
>
>> That looks good.  I see you are using an external DNS source for the IPA
>> domain, correct?  You may need to do some additional steps on the FreeIPA
>> server, because by default it will configure BIND and populate resource
>> records for the IPA domain (for example, SRV records like
>> _ldap._tcp.kw.example.com).  I'm not familiar with setting up FreeIPA with an
>> external DNS, but I'm sure there are some instructions out there.
>>
>> -Mike
>>
>> -----Original Message-----
>> From: "Ben .T.George"
>> Sent: May 23, 2016 2:22 PM
>> To: Michael ORourke
>> Cc: freeipa-users
>> Subject: Re: [Freeipa-users] What id my AD domain user password not
>> available
>>
>> Hi
>>
>> In my case I have 2 domains:
>>
>> AD DNS : corp.example.kw.com
>> main DNS ( from appliance) : kw.example.com
>>
>> and all the Linux boxes are pointed to kw.example.com,
>>
>> so I put my IPA server hostname as ipa.kw.example.com and created A &
>> PTR records on kw.example.com.
>>
>> Is that the correct way?
>>
>> Regards,
>> Ben
>>
>> On Mon, May 23, 2016 at 8:20 PM, Michael ORourke <mrorourke at earthlink.net
>> > wrote:
>>
>>> Ben,
>>>
>>> Yes, that is a requirement.  Just creating the A & PTR records for your
>>> FreeIPA server is not enough.  You will need to keep the DNS zones separate
>>> too, example:
>>> Windows AD Domain: mydomain.com
>>> FreeIPA Realm/Domain: subdomain.mydomain.com
>>>
>>> You cannot have a cross-forest trust between two domains with the same
>>> DNS zone name.  So if you have a flat DNS namespace, then you will want to
>>> plan accordingly to move all the Linux boxes that will participate in the
>>> FreeIPA domain into the new DNS zone.
>>>
>>> -Mike
>>>
>>> -----Original Message-----
>>> From: "Ben .T.George"
>>> Sent: May 23, 2016 10:44 AM
>>> To: Michael ORourke
>>> Cc: freeipa-users
>>> Subject: Re: [Freeipa-users] What id my AD domain user password not
>>> available
>>>
>>> Hi
>>>
>>> Yeah, that GIF screen I shared with him, but that doesn't show how to take
>>> the shared key.
>>>
>>> In my case DNS is handled by 3rd party appliances and from their side
>>> they created an A record for my IPA server. Both forward and reverse are working.
>>>
>>> Is this forwarder a mandatory thing from the DNS side?
>>>
>>> Regards,
>>> ben
>>>
>>> On Mon, May 23, 2016 at 5:31 PM, Michael ORourke <
>>> mrorourke at earthlink.net> wrote:
>>>
>>>> Actually one of his questions doesn't make sense, because last I
>>>> checked, normal domain users do not have permissions to create a forest
>>>> trust.
>>>> I believe the default is a one-way trust, so maybe his concerns about
>>>> the bi-directional trust are really a non-issue.
>>>> If he refuses to type in the admin password in a Linux console session
>>>> (extreme paranoia?), then perhaps you could give him a link to the tutorial
>>>> on using a pre-shared key and have him set up the AD side and give you the
>>>> key.  You don't have to be a Windows expert to do this, just ask your
>>>> domain admin to do the steps for you.  Also, you will need to set up a
>>>> separate DNS zone and some forwarding rules.  Otherwise you are going to
>>>> have problems.
>>>>
>>>> -Mike
>>>>
>>>>
>>>> -----Original Message-----
>>>> From: "Ben .T.George"
>>>> Sent: May 23, 2016 10:07 AM
>>>> To: Michael ORourke
>>>> Cc: freeipa-users
>>>> Subject: Re: [Freeipa-users] What id my AD domain user password not
>>>> available
>>>>
>>>> Hi
>>>>
>>>> He is local only, but he is asking so many questions.
>>>>
>>>> First of all, he is refusing to give the domain admin user's password.
>>>>
>>>> The questions he is asking are:
>>>>
>>>> Is this trust relationship two-directional? If yes, why does IPA require
>>>> a two-directional trust?
>>>> Can we build this trust one-directional?
>>>> Can we achieve this with a normal domain user?
>>>>
>>>> And he is opposed to entering the password in the command line, and I was
>>>> going through the trust using a pre-shared key and it's too hard for me to
>>>> understand as I have no Windows experience.
>>>>
>>>> regards,
>>>> Ben
>>>>
>>>> On Mon, May 23, 2016 at 4:22 PM, Michael ORourke <
>>>> mrorourke at earthlink.net> wrote:
>>>>
>>>>> A couple of ways to go about this.  If he is local to you, you could
>>>>> explain that you need to establish a trust with his domain and you need his
>>>>> assistance for a few minutes while you type the command to join, then have
>>>>> him type in the password.  You need to assure that the DNS forward/stub
>>>>> zones are set up and working too.  If he is remote, you could use some
>>>>> screen share software and share out your desktop and walk him through the
>>>>> part where he has to type the admin password.  There is also a way to
>>>>> create a trust using a pre-shared key.  That may be more acceptable to
>>>>> him.
>>>>>
>>>>> -Mike
>>>>>
>>>>>
>>>>> -----Original Message-----
>>>>> From: "Ben .T.George"
>>>>> Sent: May 23, 2016 8:42 AM
>>>>> To: freeipa-users
>>>>> Subject: [Freeipa-users] What id my AD domain user password not
>>>>> available
>>>>>
>>>>> Hi List,
>>>>>
>>>>> My Windows domain admin is not giving the domain admin user password.
>>>>>
>>>>> In this case how can I proceed with ipa trust-add?
>>>>>
>>>>> regards,
>>>>> Ben
>>>>>
>>>>>
>>>>> --
>>>>> Manage your subscription for the Freeipa-users mailing list:
>>>>> https://www.redhat.com/mailman/listinfo/freeipa-users
>>>>> Go to http://freeipa.org for more info on the project
>>>>>
>>>>
>>>>
>>>>
>>>
>>>
>>
>>
>
>
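As an added example (not code from this thread or from FreeIPA itself), here is a small Python checker that parses the "Key: value" report printed by ipa trust-add above and flags a trust the AD side has not yet confirmed, which is the state in which the --external group mapping fails. The sample text is constructed from the output quoted in this thread (outgoing blacklist shortened), the function names are my own, and the status string "Established and verified" is the one FreeIPA prints once the remote side has validated the trust.

```python
import re

# Sample constructed from the `ipa trust-add` output quoted in this thread
# (wrapped lines re-joined; outgoing blacklist shortened to three SIDs).
TRUST_ADD_OUTPUT = """\
Added Active Directory trust for realm "corp.example.com.kw"
--------------------------------------------------------
  Realm name: corp.example.com.kw
  Domain NetBIOS name: MTC_TABS
  Domain Security Identifier: S-1-5-21-4225188509-189646935-2695072313
  SID blacklist incoming: S-1-5-20, S-1-5-3, S-1-5-2, S-1-5-1, S-1-5-7,
                          S-1-5-6, S-1-5-5, S-1-5-4, S-1-5-9, S-1-5-8,
                          S-1-5-17, S-1-5-16, S-1-5-15, S-1-5-14,
                          S-1-5-13, S-1-5-12, S-1-5-11, S-1-5-10,
                          S-1-3, S-1-2, S-1-1, S-1-0, S-1-5-19, S-1-5-18
  SID blacklist outgoing: S-1-5-20, S-1-5-19, S-1-5-18
  Trust direction: Trusting forest
  Trust type: Active Directory domain
  Trust status: Waiting for confirmation by remote side
"""

KEY_RE = re.compile(r"^\s*([A-Za-z][A-Za-z ]*?):\s*(.*)$")   # "  Key: value"
DOMAIN_SID_RE = re.compile(r"^S-1-5-21-\d+-\d+-\d+$")         # AD domain SID shape
ESTABLISHED = "Established and verified"  # status FreeIPA prints once AD validated it

def parse_trust_output(text):
    """Dict of 'Key: value' fields; indented continuation lines (the wrapped
    SID lists) are glued onto the previous key, and blacklists become lists."""
    fields, last = {}, None
    for line in text.splitlines():
        m = KEY_RE.match(line)
        if m:
            last = m.group(1).strip()
            fields[last] = m.group(2).strip()
        elif last and line.strip() and not line.startswith("-"):
            fields[last] += " " + line.strip()
    for key in ("SID blacklist incoming", "SID blacklist outgoing"):
        if key in fields:
            fields[key] = [s.strip() for s in fields[key].split(",") if s.strip()]
    return fields

def trust_problems(fields):
    """Reasons the trust is not usable yet (empty list = looks usable)."""
    problems = []
    status = fields.get("Trust status", "")
    if status != ESTABLISHED:
        problems.append("trust not confirmed by the AD side: status is '%s'" % status)
    if not DOMAIN_SID_RE.match(fields.get("Domain Security Identifier", "")):
        problems.append("domain SID missing or not an S-1-5-21-... domain SID")
    return problems
```

Run trust_problems(parse_trust_output(...)) against the output of ipa trust-show after the AD admin has validated the trust; an empty list is the point at which mapping external groups is worth retrying.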