[Freeipa-users] Error trying to use trusted AD objects: trusted domain object not found

Alexander Bokovoy abokovoy at redhat.com
Sun May 14 08:19:23 UTC 2017


On Sun, 14 May 2017, Patrick Hemmer wrote:
>I'm working on spinning up a FreeIPA server with an AD trust. I've
>followed the official guide
>(https://www.freeipa.org/page/Active_Directory_trust_setup), and
>everything works up to the point of trying to add external members to
>the group. Whenever I try I get:
>
># ipa group-add-member ad_admins_external --external 'CHEWY\Domain Admins'
>[member user]:
>[member group]:
>  Group name: ad_admins_external
>  Description: ad_domain admins external map
>  Failed members:
>    member user:
>    member group: CHEWY\Domain Admins: trusted domain object not found
>-------------------------
>Number of members added 0
>-------------------------
>
>
>I turned up the debugging to 100, re-established the trust, and tried to
>perform the group-add-member again. I have uploaded the logs here:
>https://s3.amazonaws.com/phemmer-misc/freeipa-logs.tar.gz
>I'm just testing the procedure on a couple local development VMs, so
>there's nothing sensitive in there.
>
>Confusingly, according to the httpd log the operation was successful:
>[Sun May 14 01:49:24.171867 2017] [:error] [pid 23688] ipa: INFO:
>[jsonserver_session] admin at LOCAL:
>group_add_member/1(u'ad_admins_external',
>ipaexternalmember=(u'CHEWY\\\\Domain Admins',), version=u'2.213'): SUCCESS
>
>I'm not sure where the issue here lies. So any insight would be appreciated.

The issue is in your choice of IPA domain name: local. This is not going
to work with AD -- as you can see, there are subtle issues. Even though
the AD DC accepts a trust to the LOCAL forest, it cannot really operate it
internally, thus even looking up the forest topology fails at the point when
the IPA framework attempts to authenticate. See [1] for a list of limitations
in pure Active Directory for single-label domains.

[1] https://support.microsoft.com/en-us/help/300684/deployment-and-operation-of-active-directory-domains-that-are-configured-by-using-single-label-dns-names

We don't recommend using single-label DNS configurations. Even in a lab
environment they are a source of various issues.

-- 
/ Alexander Bokovoy
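As an added example (not FreeIPA code and not from either poster), a small pre-flight check that catches the single-label-domain problem Alexander describes before a trust is attempted; the function names and the AD DNS name `chewy.example` are constructed for the illustration, since the thread only shows the NetBIOS name CHEWY.

```python
"""Pre-flight check for a FreeIPA domain name before creating an AD trust.

Added example, not part of the original thread or of FreeIPA itself.
The single-label rule is the one the reply points to (Microsoft KB 300684);
the remaining label rules are the general RFC 1035/1123 hostname constraints.
"""
import re

# One DNS label: 1-63 chars, letters/digits/hyphens, no leading/trailing hyphen.
LABEL_RE = re.compile(r"^[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?$")


def check_trust_domain(domain: str) -> list[str]:
    """Return the problems that would break an AD trust; an empty list means OK."""
    problems = []
    name = domain.strip().rstrip(".").lower()
    if not name:
        return ["domain name is empty"]
    labels = name.split(".")
    if len(labels) < 2:
        # The case in the thread: IPA domain 'local' -> 'trusted domain object not found'
        problems.append(
            f"'{name}' is a single-label domain; AD cannot operate a trust to it "
            "(see Microsoft KB 300684)"
        )
    if len(name) > 253:
        problems.append("domain name exceeds 253 characters")
    for label in labels:
        if not LABEL_RE.match(label):
            problems.append(f"label '{label}' is not a valid DNS hostname label")
    if labels[-1].isdigit():
        problems.append("top-level label must not be all digits")
    return problems


def preflight(ipa_domain: str, ad_domain: str) -> dict:
    """Check both sides of the trust and reject a trust between identical names."""
    report = {
        "ipa": check_trust_domain(ipa_domain),
        "ad": check_trust_domain(ad_domain),
    }
    if ipa_domain.strip().rstrip(".").lower() == ad_domain.strip().rstrip(".").lower():
        report["ipa"].append("IPA and AD domain names must differ")
    return report


if __name__ == "__main__":
    # Constructed values mirroring the thread: IPA domain 'local', AD forest 'chewy.example'
    for side, issues in preflight("local", "chewy.example").items():
        print(side, "OK" if not issues else "; ".join(issues))
```

Run it with the intended IPA and AD domain names before `ipa-adtrust-install` / `ipa trust-add`; a non-empty list for either side is a configuration to fix first, not to work around.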



