[Freeipa-users] add trust between FreeIPA and Samba AD DC
Jakub Hrozek
jhrozek at redhat.com
Fri Apr 28 18:34:06 UTC 2017
On Fri, Apr 28, 2017 at 07:27:20PM +0200, Tiemen Ruiten wrote:
> Hello Alexander, list,
>
> I did get further by specifying --external=true in the ipa trust-add
> command, it works now for *both* the Windows and the Samba domain:
>
> ipa trust-add office.rdmedia.com --type=ad --admin Administrator --password
> --two-way=false --external=true
>
> IPA reports the trust is established successfully and I can also see it in
> Active Directory Domains and Trusts. However, adding users/groups to an
> external group fails:
>
> [root@ipa-ams-01 tiemen]# ipa group-add-member office_admins_external
> --external "OFFICE\domain admins"
> [member user]:
> [member group]:
> Group name: office_admins_external
> Description: office.rdmedia.com admins external map
> Failed members:
> member user:
> member group: *OFFICE\domain admins: trusted domain object not found*
> -------------------------
> Number of members added 0
> -------------------------

Domain Admins is a domain-local group typically. I would advise against
using those for cross-forest trust memberships in general.

Can you also check if you can resolve objects from the trusted AD/Samba
domain? Try:

    getent passwd administrator@office.rdmedia.com

for example.