On Thu, 24 Nov 2016, Denis Müller wrote:
Hello guys, we need help establishing a trust from FreeIPA to AD. AD
users should be able to access the Linux environment, but Linux users
should not be able to access the AD environment.
our setup:
AD Domain:
domain.com, where we have two AD controllers installed with Windows
Server 2008. All users are managed here.
IPA Domain:
wop.domain.com. We would like to sync users from ad to a specific group
to provide user-management in linux environments. In this subdomain we
have 2 ipa-servers: ipa01.wop.domain.com and ipa02.domain.com
Ipa version on both servers is: VERSION: 4.2.0, API_VERSION: 2.156
Both servers have "ipa-server-trust-ad" installed.
[root@ipa01 ~]# ipactl status
Directory Service: RUNNING
krb5kdc Service: RUNNING
kadmin Service: RUNNING
named Service: RUNNING
ipa_memcached Service: RUNNING
httpd Service: RUNNING
pki-tomcatd Service: RUNNING
smb Service: RUNNING
winbind Service: RUNNING
ipa-otpd Service: RUNNING
ipa-dnskeysyncd Service: RUNNING
ipa: INFO: The ipactl command was successful
kinit admin works as expected!
DNS configuration:
IPA-Side:
[root@ipa01 ~]# dig +short -t SRV
_kerberos._udp.wop.domain.com
0 100 88 ipa02.wop.domain.com.
0 100 88 ipa01.wop.domain.com.
[root@ipa01 ~]# dig +short -t TXT _kerberos.wop.domain.com
"WOP.DOMAIN.COM"
[root@ipa01 ~]# dig +short -t SRV
_kerberos._udp.dc._msdcs.wop.domain.com.
0 100 88 ipa02.wop.domain.com.
0 100 88 ipa01.wop.domain.com.
[root@ipa01 ~]# dig +short -t SRV
_kerberos._tcp.dc._msdcs.wop.domain.com.
0 100 88 ipa01.wop.domain.com.
0 100 88 ipa02.wop.domain.com.
AD-Side:
C:\Users\demueller>nslookup
Default Server: dc2.domain.com
Address: 192.168.3.9
set type=SRV
_kerberos._udp.wop.domain.com.
Server: dc2.domain.com
Address: 192.168.3.9
Non-authoritative answer:
_kerberos._udp.wop.domain.com SRV service location:
priority = 0
weight = 100
port = 88
svr hostname = ipa01.wop.domain.com
_kerberos._udp.wop.rto.de SRV service location:
priority = 0
weight = 100
port = 88
svr hostname = ipa02.wop.domain.com
ipa01.wop.domain.com internet address = 192.168.11.75
ipa02.wop.domain.com internet address = 192.168.11.106
DNS looks fine, firewall too.
Providing the trust:
ipa trust-add --type=ad rto.de --trust-secret --server=dc2.domain.com
As a Result:
[root@ipa01 ~]# ipa trustdomain-find domain.com
Domain name: domain.com
Domain NetBIOS name: DOMAIN (It should be DC2, right?)
Domain Security Identifier: S-1-5-21-746137067-2052111302-1801674531
Domain enabled: True
-------------------------------------
ipa trust-fetch-domain domain.com
Logging:
[Thu Nov 24 13:43:44.167918 2016] [:error] [pid 9123] ipa: INFO: [jsonserver_session]
[email protected].COM: ping(): SUCCESS
[Thu Nov 24 13:43:44.306718 2016] [:error] [pid 9124] ipa: INFO: [jsonserver_session]
[email protected].COM: trustdomain_find(u'domain.com',
None, all=False, raw=False, version=u'2.156', pkey_only=False): SUCCESS
[Thu Nov 24 13:45:16.662862 2016] [:error] [pid 9123] ipa: INFO: 401
Unauthorized: Insufficient access: SASL(-1): generic failure: GSSAPI
Error: Unspecified GSS failure. Minor code may provide more
information (Cannot contact any KDC for realm 'WOP.DOMAIN.COM')
I can't understand the problem.
It looks like the IPA master's Kerberos configuration does not allow
resolving KDCs of unknown realms via DNS.
What do you have in /etc/krb5.conf in the [libdefaults] section:
dns_lookup_realm = false
dns_lookup_kdc = false
or
dns_lookup_realm = true
dns_lookup_kdc = true
?
See manual page for krb5.conf for details on these options.
On the AD side we created a trust certificate as explained here:
http://www.freeipa.org/page/Active_Directory_trust_setup
I'm not sure what you mean by 'trust certificate'; there is no such
thing and no such requirement.
--
/ Alexander Bokovoy
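The reply above turns on how libkrb5 locates KDCs for a realm: either through explicit "kdc =" entries in the realm's [realms] stanza, or through DNS SRV lookups of _kerberos._udp.<realm> and _kerberos._tcp.<realm> when dns_lookup_kdc is enabled in [libdefaults]. The POSIX shell script below is an added example written for this page; it is not code from the thread or from FreeIPA. It parses a krb5.conf and reports which of the two discovery paths is available for a given realm. The sample config fragments are constructed for the demonstration, the realm and host names are taken from the thread only as placeholders, and the srv_targets helper needs dig and a live resolver, so it is not exercised offline. The "unset means true" rule for dns_lookup_kdc is the MIT krb5 default; Heimdal is not covered.

```shell
#!/bin/sh
# Added example (not from the freeipa-users thread, not FreeIPA code):
# report how libkrb5 could discover KDCs for REALM from a given krb5.conf.
# Assumes POSIX sh + awk. Sample configs below are constructed.

# libdefault_value CONF KEY -> lowercase value of KEY in [libdefaults], "" if unset
libdefault_value() {
    awk -v key="$2" '
        /^[ \t]*\[/ { insect = ($0 ~ /^[ \t]*\[libdefaults\]/); next }
        insect && index($0, "=") {
            k = substr($0, 1, index($0, "=") - 1); gsub(/[ \t]/, "", k)
            if (k == key) {
                v = substr($0, index($0, "=") + 1); gsub(/[ \t]/, "", v)
                print tolower(v); exit
            }
        }' "$1"
}

# realm_kdc_count CONF REALM -> number of "kdc =" lines inside "REALM = { ... }" under [realms]
realm_kdc_count() {
    awk -v realm="$2" '
        BEGIN { want = realm "={" }
        /^[ \t]*\[/ { insect = ($0 ~ /^[ \t]*\[realms\]/); inrealm = 0; next }
        { line = $0; gsub(/[ \t]/, "", line) }
        insect && !inrealm && line == want { inrealm = 1; next }
        insect && inrealm && line == "}" { inrealm = 0; next }
        insect && inrealm && line ~ /^kdc=/ { n++ }
        END { print n + 0 }' "$1"
}

# kdc_discovery CONF REALM -> prints "explicit", "dns" or "none"; exit status 1 for "none"
kdc_discovery() {
    if [ "$(realm_kdc_count "$1" "$2")" -gt 0 ]; then
        echo explicit; return 0
    fi
    # MIT krb5 treats an unset dns_lookup_kdc as true (documented default);
    # the profile parser accepts the usual boolean spellings.
    case "$(libdefault_value "$1" dns_lookup_kdc)" in
        ""|true|yes|on|1) echo dns; return 0 ;;
    esac
    echo none; return 1
}

# srv_targets REALM -> KDC hosts DNS would hand out (needs dig; live hosts only)
srv_targets() {
    r=$(printf '%s' "$1" | tr 'A-Z' 'a-z')
    for proto in udp tcp; do
        dig +short -t SRV "_kerberos._$proto.$r"
    done | awk '{ print $4 }' | sort -u
}

# Constructed sample: DNS lookup disabled and no explicit KDCs for WOP.DOMAIN.COM -> "none"
CONF_OFF=$(mktemp)
cat > "$CONF_OFF" <<'EOF'
[libdefaults]
  default_realm = WOP.DOMAIN.COM
  dns_lookup_realm = false
  dns_lookup_kdc = false

[realms]
  DOMAIN.COM = {
    kdc = dc2.domain.com:88
  }
EOF

# Constructed sample: same file with DNS lookup enabled -> "dns"
CONF_DNS=$(mktemp)
sed 's/dns_lookup_kdc = false/dns_lookup_kdc = true/' "$CONF_OFF" > "$CONF_DNS"

# Constructed sample: explicit kdc entries for the realm -> "explicit"
CONF_EXPLICIT=$(mktemp)
cat > "$CONF_EXPLICIT" <<'EOF'
[libdefaults]
  dns_lookup_kdc = false
[realms]
  WOP.DOMAIN.COM = {
    kdc = ipa01.wop.domain.com:88
    kdc = ipa02.wop.domain.com:88
  }
EOF

for c in "$CONF_OFF" "$CONF_DNS" "$CONF_EXPLICIT"; do
    printf '%s: WOP.DOMAIN.COM -> %s\n' "$c" "$(kdc_discovery "$c" WOP.DOMAIN.COM)"
done
```

On a real host run kdc_discovery /etc/krb5.conf WOP.DOMAIN.COM; a result of "dns" only helps if srv_targets WOP.DOMAIN.COM actually returns the IPA servers from the resolver the host uses, which is the same SRV check the dig and nslookup output earlier in the thread performs by hand.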
--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project