[Freeipa-users] Can't establish a trust to AD
Jake
freeipa at jacobdevans.com
Thu Nov 24 16:56:36 UTC 2016
4.2 is a one-way trust, by design.
http://www.freeipa.org/page/V4/One-way_trust
-Jake
From: "Denis Müller" <d.mueller2 at rto.de>
To: "freeipa-users" <freeipa-users at redhat.com>
Sent: Thursday, November 24, 2016 7:48:50 AM
Subject: [Freeipa-users] Can't establish a trust to AD
Hello Guys, we need help to establish a trust from freeipa to ad. Ad users should be able to access to linux environment, but linux users not to ad environment.
our setup:
AD Domain:
domain.com, there we have two AD-Controllers installed wird Windows Server 2008. All users are managed here.
IPA Domain:
wop.domain.com. We would like to sync users from ad to a specific group to provide user-management in linux environments. In this subdomain we have 2 ipa-servers: ipa01.wop.domain.com and ipa02.domain.com
Ipa version on both servers is: VERSION: 4.2.0, API_VERSION: 2.156
Both serves have "ipa-server-trust-ad" installed.
[ [ mailto:root at ipa01 | root at ipa01 ] ~]# ipactl status
Directory Service: RUNNING
krb5kdc Service: RUNNING
kadmin Service: RUNNING
named Service: RUNNING
ipa_memcached Service: RUNNING
httpd Service: RUNNING
pki-tomcatd Service: RUNNING
smb Service: RUNNING
winbind Service: RUNNING
ipa-otpd Service: RUNNING
ipa-dnskeysyncd Service: RUNNING
ipa: INFO: The ipactl command was successful
kinit admin works as expected !
DNS konfiguration:
IPA-Side:
[ [ mailto:root at ipa01 | root at ipa01 ] ~]# dig +short -t SRV _kerberos._udp.wop.domain.com
0 100 88 ipa02.wop.domain.com.
0 100 88 ipa01.wop.domain.com.
[ mailto:root at ipa01 | root at ipa01 ] ~]# dig +short -t TXT _kerberos.wop.domain.com
"WOP.DOMAIN.COM"
[ [ mailto:root at ipa01 | root at ipa01 ] ~]# dig +short -t SRV _kerberos._udp.dc._msdcs.wop.domain.com.
0 100 88 ipa02.wop.domain.com.
0 100 88 ipa01.wop.domain.com.
[ [ mailto:root at ipa01 | root at ipa01 ] ~]# dig +short -t SRV _kerberos._tcp.dc._msdcs.wop.domain.com.
0 100 88 ipa01.wop.domain.com.
0 100 88 ipa02.wop.domain.com.
AD-Side:
C:\Users\demueller>nslookup
Standardserver: dc2.domain.com
Address: 192.168.3.9
> set type=SRV
> _kerberos._udp.wop.domain.com.
Server: dc2.domain.com
Address: 192.168.3.9
Nicht autorisierende Antwort:
_kerberos._udp.wop.domain.com SRV service location:
priority = 0
weight = 100
port = 88
svr hostname = ipa01.wop.domainc.om
_kerberos._udp.wop.rto.de SRV service location:
priority = 0
weight = 100
port = 88
svr hostname = ipa02.wop.domain.com
ipa01.wop.domain.com internet address = 192.168.11.75
ipa02.wop.domainc.om internet address = 192.168.11.106
DNS looks fine, firewall too.
Providing trust:ipa trust-add --type=ad rto.de --trust-secret --server=dc2.domain.com
As a Result:
[ [ mailto:root at ipa01 | root at ipa01 ] ~]# ipa trustdomain-find domain.com
Domain name: domain.com
Domain NetBIOS name: DOMAIN (It should be DC2, right?)
Domain Security Identifier: S-1-5-21-746137067-2052111302-1801674531
Domain enabled: True
-------------------------------------
ipa trust-fetch-domain domain.com
Logging:
[Thu Nov 24 13:43:44.167918 2016] [:error] [pid 9123] ipa: INFO: [jsonserver_session] [ file://admin%40wop.domain/ | admin at WOP.DOMAIN ] .COM: ping(): SUCCESS
[Thu Nov 24 13:43:44.306718 2016] [:error] [pid 9124] ipa: INFO: [jsonserver_session] [ file://admin%40wop.domain/ | admin at WOP.DOMAIN ] .COM: trustdomain_find(u'domain.com', None, all=False, raw=False, version=u'2.156', pkey_only=False): SUCCESS
[Thu Nov 24 13:45:16.662862 2016] [:error] [pid 9123] ipa: INFO: 401 Unauthorized: Insufficient access: SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure. Minor code may provide more information (Cannot contact any KDC for realm 'WOP.DOMAIN.COM)
I can't understand the problem.
On AD side we create a trust certifiacte as explained hear:
[ http://www.freeipa.org/page/Active_Directory_trust_setup | http://www.freeipa.org/page/Active_Directory_trust_setup ]
--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://listman.redhat.com/archives/freeipa-users/attachments/20161124/7e3d1d04/attachment.htm>
More information about the Freeipa-users
mailing list