4.2 is a one-way trust, by design. http://www.freeipa.org/page/V4/One-way_trust
-Jake

From: "Denis Müller"
To: "freeipa-users"
Sent: Thursday, November 24, 2016 7:48:50 AM
Subject: [Freeipa-users] Can't establish a trust to AD

Hello Guys,

we need help to establish a trust from FreeIPA to AD. AD users should be able to access the Linux environment, but Linux users should not be able to access the AD environment.

Our setup:

AD Domain: domain.com, where we have two AD controllers installed with Windows Server 2008. All users are managed here.

IPA Domain: wop.domain.com. We would like to sync users from AD to a specific group to provide user management in Linux environments. In this subdomain we have 2 IPA servers: ipa01.wop.domain.com and ipa02.domain.com

IPA version on both servers is: VERSION: 4.2.0, API_VERSION: 2.156
Both servers have "ipa-server-trust-ad" installed.

[root@ipa01 ~]# ipactl status
Directory Service: RUNNING
krb5kdc Service: RUNNING
kadmin Service: RUNNING
named Service: RUNNING
ipa_memcached Service: RUNNING
httpd Service: RUNNING
pki-tomcatd Service: RUNNING
smb Service: RUNNING
winbind Service: RUNNING
ipa-otpd Service: RUNNING
ipa-dnskeysyncd Service: RUNNING
ipa: INFO: The ipactl command was successful

kinit admin works as expected!

DNS configuration:

IPA side:

[root@ipa01 ~]# dig +short -t SRV _kerberos._udp.wop.domain.com
0 100 88 ipa02.wop.domain.com.
0 100 88 ipa01.wop.domain.com.
[root@ipa01 ~]# dig +short -t TXT _kerberos.wop.domain.com
"WOP.DOMAIN.COM"
[root@ipa01 ~]# dig +short -t SRV _kerberos._udp.dc._msdcs.wop.domain.com.
0 100 88 ipa02.wop.domain.com.
0 100 88 ipa01.wop.domain.com.
[root@ipa01 ~]# dig +short -t SRV _kerberos._tcp.dc._msdcs.wop.domain.com.
0 100 88 ipa01.wop.domain.com.
0 100 88 ipa02.wop.domain.com.

AD side:

C:\Users\demueller>nslookup
Standardserver: dc2.domain.com
Address: 192.168.3.9

> set type=SRV
> _kerberos._udp.wop.domain.com.
Server: dc2.domain.com
Address: 192.168.3.9

Nicht autorisierende Antwort:
_kerberos._udp.wop.domain.com SRV service location:
  priority = 0
  weight = 100
  port = 88
  svr hostname = ipa01.wop.domainc.om
_kerberos._udp.wop.rto.de SRV service location:
  priority = 0
  weight = 100
  port = 88
  svr hostname = ipa02.wop.domain.com
ipa01.wop.domain.com internet address = 192.168.11.75
ipa02.wop.domainc.om internet address = 192.168.11.106

DNS looks fine, firewall too.

Providing trust:

ipa trust-add --type=ad rto.de --trust-secret --server=dc2.domain.com

As a result:

[root@ipa01 ~]# ipa trustdomain-find domain.com
  Domain name: domain.com
  Domain NetBIOS name: DOMAIN (It should be DC2, right?)
  Domain Security Identifier: S-1-5-21-746137067-2052111302-1801674531
  Domain enabled: True
-------------------------------------

ipa trust-fetch-domain domain.com

Logging:

[Thu Nov 24 13:43:44.167918 2016] [:error] [pid 9123] ipa: INFO: [jsonserver_session] admin@WOP.DOMAIN.COM: ping(): SUCCESS
[Thu Nov 24 13:43:44.306718 2016] [:error] [pid 9124] ipa: INFO: [jsonserver_session] admin@WOP.DOMAIN.COM: trustdomain_find(u'domain.com', None, all=False, raw=False, version=u'2.156', pkey_only=False): SUCCESS
[Thu Nov 24 13:45:16.662862 2016] [:error] [pid 9123] ipa: INFO: 401 Unauthorized: Insufficient access: SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure. Minor code may provide more information (Cannot contact any KDC for realm 'WOP.DOMAIN.COM)

I can't understand the problem. On the AD side we created a trust certificate as explained here: http://www.freeipa.org/page/Active_Directory_trust_setup

--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project
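The quoted log ends with "Cannot contact any KDC for realm 'WOP.DOMAIN.COM'", which is a client-side lookup or connection failure rather than a trust problem. The script below is an added diagnostic, not code from the thread or from FreeIPA: it enumerates the KDCs that DNS advertises for a realm (the same SRV names the post checks with dig and nslookup) and probes each one on its Kerberos port over TCP. It assumes dig, timeout and bash are installed on the host where the error occurs.

```shell
#!/bin/sh
# Added diagnostic, not from the thread: list the KDCs that DNS advertises for a
# Kerberos realm (what a krb5 client uses when krb5.conf names no "kdc =") and
# probe each one on its Kerberos port over TCP. Needs dig, timeout and bash.

# parse_srv: read `dig +short -t SRV` lines ("prio weight port target.") on stdin,
# print "target port" lines with the trailing dot stripped, lowest priority first.
parse_srv() {
    awk 'NF == 4 { sub(/\.$/, "", $4); print $1, $4, $3 }' | sort -n | awk '{ print $2, $3 }'
}

# srv_names REALM: the SRV owner names a krb5 client (first two) and an AD DC
# locator (third) query for REALM; the thread checks these with dig and nslookup.
srv_names() {
    printf '_kerberos._tcp.%s\n_kerberos._udp.%s\n_kerberos._tcp.dc._msdcs.%s\n' "$1" "$1" "$1"
}

# kdc_reachable HOST PORT: succeed if a TCP connection to HOST:PORT opens within
# 3 s (bash's /dev/tcp, so no nc is needed). UDP/88, which krb5 tries first, is not probed.
kdc_reachable() {
    timeout 3 bash -c "exec 3<>/dev/tcp/$1/$2" 2>/dev/null
}

# check_realm REALM: resolve every SRV name, probe every KDC found, report each.
# Returns 0 only if at least one KDC was found and all of them answered.
check_realm() {
    found=0; failed=0
    for name in $(srv_names "$1"); do
        while read -r host port; do
            [ -n "$host" ] || continue
            found=1
            if kdc_reachable "$host" "$port"; then
                echo "OK   $name -> $host:$port"
            else
                failed=1
                echo "FAIL $name -> $host:$port (no TCP connection)"
            fi
        done <<EOF
$(dig +short -t SRV "$name" | parse_srv)
EOF
    done
    [ "$found" -eq 1 ] && [ "$failed" -eq 0 ]
}

# Usage: ./check_kdcs.sh WOP.DOMAIN.COM   (the realm named in the quoted error)
if [ -n "${1:-}" ]; then check_realm "$1"; fi
```

A FAIL line for a host that dig returned means the name is advertised but this host cannot open port 88 there; no KDC lines at all means the SRV records are not visible from this resolver.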
