<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1">
<style type="text/css" style="display:none;"><!-- P {margin-top:0;margin-bottom:0;} --></style>
</head>
<body dir="ltr">
<div id="divtagdefaultwrapper" style="font-size:12pt;color:#000000;background-color:#FFFFFF;font-family:Calibri,Arial,Helvetica,sans-serif;">
<div id="divtagdefaultwrapper" style="font-size:12pt;color:#000000;background-color:#FFFFFF;font-family:Calibri,Arial,Helvetica,sans-serif;">
<p>I've been following the documentation at <a href="https://www.freeipa.org/page/Active_Directory_trust_setup" class="OWAAutoLink" id="LPlnk361023">https://www.freeipa.org/page/Active_Directory_trust_setup</a> and I was able to establish a two-way forest trust
with Active Directory.  I'm getting stuck when mapping external AD groups into a POSIX group (the "Allow access for users from AD domain to protected resources" section).
</p>
<p><span><br>
</span></p>
<p><span>I've run the following commands to create and map the groups:</span></p>
<p><span></span></p>
</div>
<blockquote style="margin: 0 0 0 40px; border: none; padding: 0px;">
<div style="font-size:12pt;color:#000000;background-color:#FFFFFF;font-family:Calibri,Arial,Helvetica,sans-serif;">
<div>ipa group-add --desc='sysops admins external map' sysops_external --external</div>
</div>
<div style="font-size:12pt;color:#000000;background-color:#FFFFFF;font-family:Calibri,Arial,Helvetica,sans-serif;">
<div>ipa group-add --desc='sysops admins' sysops</div>
</div>
<div style="font-size:12pt;color:#000000;background-color:#FFFFFF;font-family:Calibri,Arial,Helvetica,sans-serif;">
<div>ipa group-add-member sysops_external --external 'Activedirectory.com\Domain Admins'</div>
</div>
</blockquote>
<div style="font-size:12pt;color:#000000;background-color:#FFFFFF;font-family:Calibri,Arial,Helvetica,sans-serif;">
<div></div>
<div><br>
</div>
<div>The last command returns with an error "no trusted domain matched the specified flat name"</div>
<div><span><br>
</span></div>
<div><span>In /var/log/messages I saw an error message about there not being a Kerberos account for ldap/activedirectoryserver@ipaserver, so I've added each host and an ldap service for each.  Now, in /var/log/messages, I see "KDC has no support for encryption type" when I attempt to add the group map.</span></div>
<div><span><br>
</span></div>
<p></p>
<p><br>
</p>
<p><span>CentOS Linux release 7.2.1511 (Core)</span></p>
<p>IPA <span>4.2.0-15.0.1.el7.centos.6.1.x86_64</span></p>
<p><br>
</p>
<p><br>
</p>
<p>This is the command I used to establish the trust:</p>
<p></p>
</div>
<blockquote style="margin: 0 0 0 40px; border: none; padding: 0px;">
<div style="font-size:12pt;color:#000000;background-color:#FFFFFF;font-family:Calibri,Arial,Helvetica,sans-serif;">
<div>ipa trust-add --type=ad Activedirectory.com --two-way=true --trust-secret</div>
</div>
</blockquote>
<div style="font-size:12pt;color:#000000;background-color:#FFFFFF;font-family:Calibri,Arial,Helvetica,sans-serif;">
<div></div>
<div><br>
</div>
<div>When checking everything is setup things seem to be OK:</div>
</div>
<blockquote style="margin: 0 0 0 40px; border: none; padding: 0px;">
<div style="font-size:12pt;color:#000000;background-color:#FFFFFF;font-family:Calibri,Arial,Helvetica,sans-serif;">
<div>ipa trust-show "Activedirectory.com"</div>
</div>
</blockquote>
<blockquote style="margin: 0 0 0 40px; border: none; padding: 0px;">
<blockquote style="margin: 0 0 0 40px; border: none; padding: 0px;">
<div style="font-size:12pt;color:#000000;background-color:#FFFFFF;font-family:Calibri,Arial,Helvetica,sans-serif;">
<div>  Realm name: Activedirectory.com</div>
<div>  Domain NetBIOS name: ACTIVEDIRECTORY</div>
<div>  Domain Security Identifier: S-1-5-21-4202716412-292079579-2462381064</div>
<div>  Trust direction: Two-way trust</div>
<div>  Trust type: Active Directory domain</div>
</div>
</blockquote>
</blockquote>
<blockquote style="margin: 0 0 0 40px; border: none; padding: 0px;">
<div style="font-size:12pt;color:#000000;background-color:#FFFFFF;font-family:Calibri,Arial,Helvetica,sans-serif;">
<div>ipa trustdomain-find "Activedirectory.com"</div>
</div>
</blockquote>
<blockquote style="margin: 0 0 0 40px; border: none; padding: 0px;">
<blockquote style="margin: 0 0 0 40px; border: none; padding: 0px;">
<div style="font-size:12pt;color:#000000;background-color:#FFFFFF;font-family:Calibri,Arial,Helvetica,sans-serif;">
<div>  Domain name: Activedirectory.com</div>
<div>  Domain NetBIOS name: ACTIVEDIRECTORY</div>
<div>  Domain Security Identifier: S-1-5-21-4202716412-292079579-2462381064</div>
<div>  Domain enabled: True</div>
<div>----------------------------</div>
<div>Number of entries returned 1</div>
<div>----------------------------</div>
</div>
</blockquote>
</blockquote>
<blockquote style="margin: 0 0 0 40px; border: none; padding: 0px;">
<div style="font-size:12pt;color:#000000;background-color:#FFFFFF;font-family:Calibri,Arial,Helvetica,sans-serif;">
<div><br>
</div>
<div>ipa trust-fetch-domains "Activedirectory.com"</div>
</div>
</blockquote>
<blockquote style="margin: 0 0 0 40px; border: none; padding: 0px;">
<blockquote style="margin: 0 0 0 40px; border: none; padding: 0px;">
<div style="font-size:12pt;color:#000000;background-color:#FFFFFF;font-family:Calibri,Arial,Helvetica,sans-serif;">
<div>-------------------------------</div>
<div>No new trust domains were found</div>
<div>-------------------------------</div>
<div>----------------------------</div>
<div>Number of entries returned 0</div>
<div>----------------------------</div>
</div>
</blockquote>
</blockquote>
<div style="font-size:12pt;color:#000000;background-color:#FFFFFF;font-family:Calibri,Arial,Helvetica,sans-serif;">
<div></div>
</div>
</div>
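<p>The error quoted in the message above says that the domain part of the external member spec (the text before the backslash) did not match the flat name of any trusted domain. The script below is an added example, not part of the original message and not FreeIPA's own code: a POSIX shell pre-check that compares the domain part of a <code>DOMAIN\name</code> (or <code>name@domain</code>) member spec against the DNS and NetBIOS names that <code>ipa trustdomain-find</code> reports, so the mismatch is visible locally before running <code>ipa group-add-member --external</code>. The function names are hypothetical, the embedded <code>trustdomain-find</code> output is a constructed sample copied from the message, and the case-insensitive matching rule against either name is this script's assumption, not IPA's own resolution logic.</p>

```shell
#!/bin/sh
# Added example (not from the original message or from FreeIPA itself): a
# pre-flight check for `ipa group-add-member <group> --external 'DOMAIN\name'`.
# It compares the domain part of the member spec with the domains that
# `ipa trustdomain-find` reports, so a mismatch is caught locally before IPA
# answers "no trusted domain matched the specified flat name".
# Assumption: matching the part before the backslash (or after an "@")
# case-insensitively against either the DNS domain name or the NetBIOS name is
# this script's rule, not IPA's own resolution logic.

# Constructed sample of `ipa trustdomain-find Activedirectory.com` output,
# copied from the message above. In real use pass the live command output.
SAMPLE_TRUSTDOMAINS='  Domain name: Activedirectory.com
  Domain NetBIOS name: ACTIVEDIRECTORY
  Domain Security Identifier: S-1-5-21-4202716412-292079579-2462381064
  Domain enabled: True
----------------------------
Number of entries returned 1
----------------------------'

# Print the domain part of a member spec, upper-cased.
# Handles "DOMAIN\name" and "name@domain"; prints an empty line for a bare name.
member_domain() {
    case $1 in
        *\\*) d=${1%%\\*} ;;
        *@*)  d=${1##*@} ;;
        *)    d= ;;
    esac
    printf '%s\n' "$d" | tr '[:lower:]' '[:upper:]'
}

# Print every DNS and NetBIOS domain name found in trustdomain-find output,
# one per line, upper-cased.
trusted_names() {
    printf '%s\n' "$1" \
      | sed -n 's/^ *Domain name: *//p; s/^ *Domain NetBIOS name: *//p' \
      | tr '[:lower:]' '[:upper:]'
}

# Return 0 if the member spec's domain part names a trusted domain, 1 otherwise.
# $1 = member spec, $2 = output of `ipa trustdomain-find <realm>`.
check_external_member() {
    spec=$1
    domains=$2
    want=$(member_domain "$spec")
    if [ -z "$want" ]; then
        printf "no domain part in '%s' (expected DOMAIN\\\\name or name@domain)\n" "$spec" >&2
        return 1
    fi
    if trusted_names "$domains" | grep -qxF -- "$want"; then
        printf "ok: '%s' refers to trusted domain %s\n" "$spec" "$want"
        return 0
    fi
    printf "no trusted domain matches '%s'; known names: %s\n" \
        "$want" "$(trusted_names "$domains" | tr '\n' ' ')" >&2
    return 1
}

# Against a live server:
#   check_external_member 'Activedirectory.com\Domain Admins' "$(ipa trustdomain-find Activedirectory.com)"
# Here the constructed sample stands in for the live output.
check_external_member 'Activedirectory.com\Domain Admins' "$SAMPLE_TRUSTDOMAINS"
```

<p>With the sample output both <code>Activedirectory.com\Domain Admins</code> and <code>ACTIVEDIRECTORY\Domain Admins</code> pass, while a spec naming a domain that <code>trustdomain-find</code> does not list, or a bare group name with no domain part, is reported on stderr with the names the trust actually knows. The check only covers the domain half of the spec; whether the group itself exists in AD is still decided by the server when the member is added.</p>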
</body>
</html>