On pe, 01 syys 2017, PAESSENS Daniel (BCS/PSD) wrote:
I've checked on the windows part. And nothing is mentioned
overthere.
Even with adsiedit I can't find any trace of it.
Active Directory verifies three
important types of conflicts when
establishing a trust between any domains (including a forest trust which
is a trust between the two forest root domains) described in
https://msdn.microsoft.com/en-us/library/cc223787.aspx
- SID namespace
- top level names (TLNs) namespace
- NetBIOS names of the domains
For example, if you have Active Directory forest with just one forest
root domain,
example.com, and NetBIOS name AD, your IPA domain cannot be
example.com and it also cannot have NetBIOS domain name AD.
There is one more limitation, though. Given that trusted domain object
has also a counterpart as a 'machine' account in AD LDAP, and all
machine accounts must have unique names, there could be a conflict at
this level.
Say, your IPA domain's NetBIOS name is FOO. When trust is established,
there will be a machine account FOO$ in AD LDAP. If you already had FOO
machine in your AD, that would be seen as a conflict.
Unfortunately, you did not provide more details on what exactly is
there. If you would add 'log level = 100' to
/usr/share/ipa/smb.conf.empty and try to re-establish trust with 'ipa
trust-add', you'll get a lot of details in /var/log/httpd/error_log.
Send me those details off-list and I can see where it breaks.
--
/ Alexander Bokovoy