[Freeipa-users] What id my AD domain user password not available

Alexander Bokovoy abokovoy at redhat.com
Fri May 27 07:53:39 UTC 2016


On Fri, 27 May 2016, Ben .T.George wrote:
>This is what I am getting
>
>[image: Inline image 1]
>[image: Inline image 3]
>[image: Inline image 4]
>
>And that wizard ends with nothing. Please anyone share more info regarding
>this
The wizard asks you to enter the name of the domain, forest, or realm
for the trust. You are entering the hostname of the IPA master. This is never
going to fly.

In Active Directory terms:
 - forest is a set of AD domains
 - it is named after the first AD domain created in the forest
 - this domain is called 'forest root domain'

In FreeIPA we have a single 'domain' from Active Directory perspective:
 - this is the domain corresponding to Kerberos realm name (ipa.local
   in your case)
 - Forest name = forest root domain name = ipa.local

The wizard will then use DNS SRV records to discover IPA masters (AD DCs
for Active Directory view).

>
>Regards,
>Ben
>
>On Fri, May 27, 2016 at 10:24 AM, Ben .T.George <bentech4you at gmail.com>
>wrote:
>
>> Hi Alex.
>>
>> I am using Windows 2008 R2.
>>
>> When I am giving IPA's DNS name and click next, the trust wizard is not
>> going through. But if I am selecting realm trust, at least the wizard
>> completes.
>>
>> So which AD version is recommended?
>>
>> Regards,
>> Ben
>>
>> On Fri, May 27, 2016 at 7:05 AM, Alexander Bokovoy <abokovoy at redhat.com>
>> wrote:
>>
>>> On Fri, 27 May 2016, Ben .T.George wrote:
>>>
>>>> Hi
>>>>
>>>> I ran some commands from AD side and the Trust status got changed. Below
>>>> is
>>>> the command I used on AD
>>>>
>>>> netdom trust <TrustingDomainName> /d:<TrustedDomainName> /verify
>>>>
>>>>
>>>> Before it was : "waiting for confirmation by remote side" and now it got
>>>> changed to "Trust type: Active Directory domain"
>>>>
>>>> But when I am trying to map AD group, it is not going through
>>>>
>>>>
>>>> root at zkwipamstr01 ~]# ipa group-add-member ad_admins_external --external
>>>> 'MTC_TABS\Domain Users'
>>>> [member user]:
>>>> [member group]:
>>>> Group name: ad_admins_external
>>>> Description: ad_domain admins external map
>>>> Failed members:
>>>>   member user:
>>>>   *member group: MTC_TABS\Domain Users: trusted domain object not found *
>>>> -------------------------
>>>> Number of members added 0
>>>> -------------------------
>>>>
>>>> This is what my trust properties from AD. Trust type is showing as realm
>>>>
>>> It should be 'Forest', not 'realm'. Realm is for plain MIT Kerberos
>>> realm trust which is *not* what IPA provides.
>>>
>>> [image: Inline image 1]
>>>>
>>>> How can I fix this issue?
>>>>
>>> Use correct type of trust when establishing trust on AD side. If your
>>> Windows version does not allow to specify proper trust type, I'm afraid,
>>> there is nothing we can help with.
>>>
>>> --
>>> / Alexander Bokovoy
>>>
>>
>>





-- 
/ Alexander Bokovoy
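
The discovery step described in the message above, as an added example that is not part of the original post: it models the SRV lookup with the standard AD DC locator record names (`_ldap._tcp.dc._msdcs.<name>` and `_kerberos._tcp.dc._msdcs.<name>`) against a constructed zone, and shows that the domain name resolves to servers while the master's hostname does not. The FQDN `zkwipamstr01.ipa.local`, the second server `replica02`, the address and all function names are assumptions made for illustration.

```python
# Added illustration. ZONE is constructed sample data: the master's FQDN, the
# second server and the address are assumptions, not values from the thread.
ZONE = """\
_ldap._tcp.dc._msdcs.ipa.local.     86400 IN SRV 0 100 389 zkwipamstr01.ipa.local.
_ldap._tcp.dc._msdcs.ipa.local.     86400 IN SRV 10 100 389 replica02.ipa.local.
_kerberos._tcp.dc._msdcs.ipa.local. 86400 IN SRV 0 100 88 zkwipamstr01.ipa.local.
zkwipamstr01.ipa.local.             86400 IN A 192.0.2.10
"""


def norm(name):
    """DNS names compare case-insensitively; drop the trailing root dot."""
    return name.strip().rstrip(".").lower()


def parse_srv(zone_text):
    """Return {owner: [(priority, weight, port, target), ...]} for SRV lines only."""
    records = {}
    for line in zone_text.splitlines():
        f = line.split()
        if len(f) == 8 and f[2].upper() == "IN" and f[3].upper() == "SRV":
            prio, weight, port = (int(x) for x in f[4:7])
            records.setdefault(norm(f[0]), []).append((prio, weight, port, norm(f[7])))
    return records


def locator_queries(typed_name):
    """SRV owner names looked up under whatever name was typed into the wizard."""
    base = norm(typed_name)
    return [f"_ldap._tcp.dc._msdcs.{base}", f"_kerberos._tcp.dc._msdcs.{base}"]


def discover(typed_name, zone_text=ZONE):
    """Map each queried SRV name to the (target, port) pairs it returns.

    Servers are ordered by priority; ties go to the higher weight, which is a
    simplification of the weighted random selection in RFC 2782.
    """
    records = parse_srv(zone_text)
    found = {}
    for owner in locator_queries(typed_name):
        hits = sorted(records.get(owner, []), key=lambda r: (r[0], -r[1]))
        found[owner] = [(target, port) for _prio, _weight, port, target in hits]
    return found


if __name__ == "__main__":
    for typed in ("ipa.local", "zkwipamstr01.ipa.local"):
        print(typed, "->", discover(typed))
```

Against a live deployment the same check is an SRV query for those two names under the domain, run from the AD side.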



