[Freeipa-users] Can't establish a trust to AD

Jake freeipa at jacobdevans.com
Thu Nov 24 16:56:36 UTC 2016


4.2 is a one-way trust, by design. 

http://www.freeipa.org/page/V4/One-way_trust 

-Jake 


From: "Denis Müller" <d.mueller2 at rto.de> 
To: "freeipa-users" <freeipa-users at redhat.com> 
Sent: Thursday, November 24, 2016 7:48:50 AM 
Subject: [Freeipa-users] Can't establish a trust to AD 

Hello Guys, we need help to establish a trust from FreeIPA to AD. AD users should be able to access the Linux environment, but Linux users should not be able to access the AD environment. 

our setup: 

AD Domain: 
domain.com, where we have two AD controllers installed with Windows Server 2008. All users are managed here. 

IPA Domain: 
wop.domain.com. We would like to sync users from ad to a specific group to provide user-management in linux environments. In this subdomain we have 2 ipa-servers: ipa01.wop.domain.com and ipa02.domain.com 

Ipa version on both servers is: VERSION: 4.2.0, API_VERSION: 2.156 

Both servers have "ipa-server-trust-ad" installed. 

[root@ipa01 ~]# ipactl status 
Directory Service: RUNNING 
krb5kdc Service: RUNNING 
kadmin Service: RUNNING 
named Service: RUNNING 
ipa_memcached Service: RUNNING 
httpd Service: RUNNING 
pki-tomcatd Service: RUNNING 
smb Service: RUNNING 
winbind Service: RUNNING 
ipa-otpd Service: RUNNING 
ipa-dnskeysyncd Service: RUNNING 
ipa: INFO: The ipactl command was successful 

kinit admin works as expected! 



DNS configuration: 
IPA-Side: 

[root@ipa01 ~]# dig +short -t SRV _kerberos._udp.wop.domain.com 
0 100 88 ipa02.wop.domain.com. 
0 100 88 ipa01.wop.domain.com. 

[root@ipa01 ~]# dig +short -t TXT _kerberos.wop.domain.com 
"WOP.DOMAIN.COM" 

[root@ipa01 ~]# dig +short -t SRV _kerberos._udp.dc._msdcs.wop.domain.com. 
0 100 88 ipa02.wop.domain.com. 
0 100 88 ipa01.wop.domain.com. 

[root@ipa01 ~]# dig +short -t SRV _kerberos._tcp.dc._msdcs.wop.domain.com. 
0 100 88 ipa01.wop.domain.com. 
0 100 88 ipa02.wop.domain.com. 

AD-Side: 

C:\Users\demueller>nslookup 
Standardserver: dc2.domain.com 
Address: 192.168.3.9 

> set type=SRV 
> _kerberos._udp.wop.domain.com. 
Server: dc2.domain.com 
Address: 192.168.3.9 

Nicht autorisierende Antwort: 
_kerberos._udp.wop.domain.com SRV service location: 
priority = 0 
weight = 100 
port = 88 
svr hostname = ipa01.wop.domainc.om 
_kerberos._udp.wop.rto.de SRV service location: 
priority = 0 
weight = 100 
port = 88 
svr hostname = ipa02.wop.domain.com 

ipa01.wop.domain.com internet address = 192.168.11.75 
ipa02.wop.domainc.om internet address = 192.168.11.106 

DNS looks fine, firewall too. 

Providing trust: ipa trust-add --type=ad rto.de --trust-secret --server=dc2.domain.com 

As a Result: 

[root@ipa01 ~]# ipa trustdomain-find domain.com 
Domain name: domain.com 
Domain NetBIOS name: DOMAIN (It should be DC2, right?) 
Domain Security Identifier: S-1-5-21-746137067-2052111302-1801674531 
Domain enabled: True 
------------------------------------- 


ipa trust-fetch-domain domain.com 

Logging: 

[Thu Nov 24 13:43:44.167918 2016] [:error] [pid 9123] ipa: INFO: [jsonserver_session] admin@WOP.DOMAIN.COM: ping(): SUCCESS 
[Thu Nov 24 13:43:44.306718 2016] [:error] [pid 9124] ipa: INFO: [jsonserver_session] admin@WOP.DOMAIN.COM: trustdomain_find(u'domain.com', None, all=False, raw=False, version=u'2.156', pkey_only=False): SUCCESS 
[Thu Nov 24 13:45:16.662862 2016] [:error] [pid 9123] ipa: INFO: 401 Unauthorized: Insufficient access: SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure. Minor code may provide more information (Cannot contact any KDC for realm 'WOP.DOMAIN.COM) 

I can't understand the problem. 

On the AD side we created a trust certificate as explained here: 
http://www.freeipa.org/page/Active_Directory_trust_setup 
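The DNS checks above are done by eye on each side. As an added example that is not part of this thread, the following script compares the two answers mechanically: it parses the IPA-side `dig +short -t SRV` output and the Windows `nslookup` SRV output, then reports SRV targets that one resolver returns and the other does not, as well as SRV owner names in the AD answer that are not the name actually queried. The sample input is constructed by transcribing the two outputs from the post above, so any oddity in those hostnames is the post's own text; the functions, names and the "problems" report format are assumptions of this example, not FreeIPA tooling.

```python
import re

# Constructed sample input, transcribed from the post above:
# IPA-side `dig +short -t SRV _kerberos._udp.wop.domain.com`
IPA_DIG_OUTPUT = """\
0 100 88 ipa02.wop.domain.com.
0 100 88 ipa01.wop.domain.com.
"""

# AD-side `nslookup` (set type=SRV) answer for the same name
AD_NSLOOKUP_OUTPUT = """\
Server: dc2.domain.com
Address: 192.168.3.9

Nicht autorisierende Antwort:
_kerberos._udp.wop.domain.com SRV service location:
priority = 0
weight = 100
port = 88
svr hostname = ipa01.wop.domainc.om
_kerberos._udp.wop.rto.de SRV service location:
priority = 0
weight = 100
port = 88
svr hostname = ipa02.wop.domain.com

ipa01.wop.domain.com internet address = 192.168.11.75
ipa02.wop.domainc.om internet address = 192.168.11.106
"""


def parse_dig_srv(text):
    """Parse `dig +short -t SRV` lines ('prio weight port target.') into a set
    of (priority, weight, port, target) tuples; targets are normalised to
    lowercase without the trailing dot."""
    records = set()
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue
        prio, weight, port, target = parts
        records.add((int(prio), int(weight), int(port), target.rstrip(".").lower()))
    return records


def parse_nslookup_srv(text):
    """Parse Windows nslookup SRV output into a list of
    (owner, priority, weight, port, target) tuples. The owner name comes
    from the '<name> SRV service location:' header line; the four field
    lines that follow belong to that owner."""
    records = []
    owner = None
    fields = {}
    for line in text.splitlines():
        m = re.match(r"^(\S+)\s+SRV service location:", line)
        if m:
            owner = m.group(1).rstrip(".").lower()
            fields = {}
            continue
        m = re.match(r"^\s*(priority|weight|port|svr hostname)\s*=\s*(\S+)", line)
        if m and owner:
            fields[m.group(1)] = m.group(2)
            if len(fields) == 4:
                records.append((owner, int(fields["priority"]), int(fields["weight"]),
                                int(fields["port"]), fields["svr hostname"].rstrip(".").lower()))
                fields = {}
    return records


def compare_srv(queried_name, ipa_text, ad_text):
    """Return a list of human-readable discrepancies between the IPA-side and
    AD-side answers for queried_name; an empty list means both resolvers
    agree on the SRV target set for that name."""
    queried = queried_name.rstrip(".").lower()
    ipa = parse_dig_srv(ipa_text)
    ad_all = parse_nslookup_srv(ad_text)
    problems = []
    # An SRV record under a different owner name means the AD resolver is
    # answering for a name other than the one we asked about.
    for owner, _prio, _weight, _port, _target in ad_all:
        if owner != queried:
            problems.append(f"AD answer contains record for {owner}, not {queried}")
    ad = {(p, w, port, t) for o, p, w, port, t in ad_all if o == queried}
    for rec in sorted(ipa - ad):
        problems.append(f"IPA returns {rec[3]}:{rec[2]} but AD does not")
    for rec in sorted(ad - ipa):
        problems.append(f"AD returns {rec[3]}:{rec[2]} but IPA does not")
    return problems


if __name__ == "__main__":
    for problem in compare_srv("_kerberos._udp.wop.domain.com",
                               IPA_DIG_OUTPUT, AD_NSLOOKUP_OUTPUT):
        print(problem)
```

Run against the transcribed sample it reports four discrepancies (one owner-name mismatch, two IPA targets missing from the AD answer, one AD target missing from the IPA answer); on a consistent delegation it prints nothing. The same comparison can be repeated for the `_tcp` and `_msdcs` names, since the KDC lookup that fails in the log above ("Cannot contact any KDC for realm") depends on the AD side resolving exactly the same SRV targets as the IPA side.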





-- 
Manage your subscription for the Freeipa-users mailing list: 
https://www.redhat.com/mailman/listinfo/freeipa-users 
Go to http://freeipa.org for more info on the project 
