On 20 Jul 2018, at 17:51, Rene Trippen via FreeIPA-users
<freeipa-users(a)lists.fedorahosted.org> wrote:
Hi there,
I've got an external trust established between the ipa server and an AD
domain (child of parent):
ipa trust-add --type=ad subdomain.main.corp.com --external=true
Active Directory domain administrator: ipatrust0
Active Directory domain administrator's password:
-------------------------------------------------------------------------
Added Active Directory trust for realm "subdomain.main.corp.com"
-------------------------------------------------------------------------
Realm name: subdomain.main.corp.com
Domain NetBIOS name: SUBDOMAIN
Domain Security Identifier: S-1-5-21-653292258-51847207-622671684
Trust direction: Trusting forest
Trust type: Non-transitive external trust to a domain in another Active Directory forest
Trust status: Established and verified
But, when I try to get users or groups from the AD, nothing is returned
getent passwd user1@subdomain.main.corp.com -> nothing
wbinfo -n "SUBDOMAIN\user1"
failed to call wbcLookupName: WBC_ERR_DOMAIN_NOT_FOUND
Could not lookup name SUBDOMAIN\user1
wbinfo -m
BUILTIN
IPA
SUBDOMAIN
ipa dns-update-system-records --dry-run
IIPA DNS records:
_kerberos-master._tcp.ipa.main.corp.com. 86400 IN SRV 0 100 88 ipa1.ipa.main.corp.com.
_kerberos-master._udp.ipa.main.corp.com. 86400 IN SRV 0 100 88 ipa1.ipa.main.corp.com.
_kerberos._tcp.Default-First-Site-Name._sites.dc._msdcs.ipa.main.corp.com. 86400 IN SRV 0 100 88 ipa1.ipa.main.corp.com.
_kerberos._tcp.dc._msdcs.ipa.main.corp.com. 86400 IN SRV 0 100 88 ipa1.ipa.main.corp.com.
_kerberos._tcp.ipa.main.corp.com. 86400 IN SRV 0 100 88 ipa1.ipa.main.corp.com.
_kerberos._udp.Default-First-Site-Name._sites.dc._msdcs.ipa.main.corp.com. 86400 IN SRV 0 100 88 ipa1.ipa.main.corp.com.
_kerberos._udp.dc._msdcs.ipa.main.corp.com. 86400 IN SRV 0 100 88 ipa1.ipa.main.corp.com.
_kerberos._udp.ipa.main.corp.com. 86400 IN SRV 0 100 88 ipa1.ipa.main.corp.com.
_kerberos.ipa.main.corp.com. 86400 IN TXT "IPA.MAIN.CORP.COM"
_kpasswd._tcp.ipa.main.corp.com. 86400 IN SRV 0 100 464 ipa1.ipa.main.corp.com.
_kpasswd._udp.ipa.main.corp.com. 86400 IN SRV 0 100 464 ipa1.ipa.main.corp.com.
_ldap._tcp.Default-First-Site-Name._sites.dc._msdcs.ipa.main.corp.com. 86400 IN SRV 0 100 389 ipa1.ipa.main.corp.com.
_ldap._tcp.dc._msdcs.ipa.main.corp.com. 86400 IN SRV 0 100 389 ipa1.ipa.main.corp.com.
_ldap._tcp.ipa.main.corp.com. 86400 IN SRV 0 100 389 ipa1.ipa.main.corp.com.
_ntp._udp.ipa.main.corp.com. 86400 IN SRV 0 100 123 ipa1.ipa.main.corp.com.
ipa-ca.ipa.main.corp.com. 86400 IN A 10.1.17.123
The IPA server and the AD machines are in the same net, without
firewall segmentation.
The ADs are 2008R2.
The IPA Server is a CentOS (latest), and has the following ipa version installed:
ipa-common-4.5.4-10.el7.centos.3.noarch
ipa-server-trust-ad-4.5.4-10.el7.centos.3.x86_64
ipa-client-4.5.4-10.el7.centos.3.x86_64
ipa-server-dns-4.5.4-10.el7.centos.3.noarch
ipa-server-common-4.5.4-10.el7.centos.3.noarch
ipa-client-common-4.5.4-10.el7.centos.3.noarch
ipa-server-4.5.4-10.el7.centos.3.x86_64
I can provide you tons of logs, but I don't know where to start.
Best regards,
Rene