Hello,

I am working on setting up FreeIPA with AD integration and seem to be running into an issue. It's possible that I am also doing something wrong. I am setting it up to talk to MS Windows Server 2012r2, following directions on https://www.freeipa.org/page/Active_Directory_trust_setup

I have not edited the /etc/krb5.conf (I figured that needed to happen on the client machines.)

I am actually at this step: https://www.freeipa.org/page/Active_Directory_trust_setup#Create_external_and_POSIX_groups_for_trusted_domain_users

I am getting the following error:

[andrew.meyer@freeipa01 ~]$ sudo ipa group-add-member ad_admins_external --external 'MEYER-AD\Domain Admins'
[member user]:
[member group]:
  Group name: ad_admins_external
  Description: ad.meyer.local admins external map
  External member: S-1-5-21-2117027177-2554619188-4034396183-512, S-1-5-21-2117027177-2554619188-4034396183-1106
  Member users: andrew.meyer
  Member groups: ad_admins
  Member of groups: ad_admins, ipausers
  Indirect Member groups: ad_admins_external
  Failed members:
    member user:
    member group: MEYER-AD\Domain Admins: invalid 'trusted domain object': no trusted domain matched the specified flat name
-------------------------
Number of members added 0
-------------------------
[andrew.meyer@freeipa01 ~]$

What am I doing wrong?
On Mon, 22 Jul 2019, Andrew Meyer via FreeIPA-users wrote:
Hello, I am working on setting up FreeIPA with AD integration and seem to be running into an issue. It's possible that I am also doing something wrong. I am setting it up to talk to MS Windows Server 2012r2, following directions on https://www.freeipa.org/page/Active_Directory_trust_setup I have not edited the /etc/krb5.conf (I figured that needed to happen on the client machines.)
Please use official documentation instead. The page above was written quite a few years ago by test engineers to help themselves get through various test scenarios. You are better off using https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/html-single/windows_integration_guide/index
I am actually at this step: https://www.freeipa.org/page/Active_Directory_trust_setup#Create_external_and_POSIX_groups_for_trusted_domain_users

I am getting the following error:

[andrew.meyer@freeipa01 ~]$ sudo ipa group-add-member ad_admins_external --external 'MEYER-AD\Domain Admins'
[member user]:
[member group]:
  Group name: ad_admins_external
  Description: ad.meyer.local admins external map
  External member: S-1-5-21-2117027177-2554619188-4034396183-512, S-1-5-21-2117027177-2554619188-4034396183-1106
  Member users: andrew.meyer
  Member groups: ad_admins
  Member of groups: ad_admins, ipausers
  Indirect Member groups: ad_admins_external
  Failed members:
    member user:
    member group: MEYER-AD\Domain Admins: invalid 'trusted domain object': no trusted domain matched the specified flat name
This particular error message tells you that there is no trust to AD with 'MEYER-AD' as its NetBIOS name.
It might be that the trust wasn't established successfully, thus it is not possible to use it to resolve users.
Start with 'ipa trust-find' output.
Getting this:

[andrew.meyer@freeipa01 ~]$ sudo ipa trust-find
---------------
1 trust matched
---------------
  Realm name: ad.meyer.local
  Domain NetBIOS name: MEYERAD
  Domain Security Identifier: S-1-5-21-1219070868-1303614073-2179474410
  Trust type: Active Directory domain
----------------------------
Number of entries returned 1
----------------------------
[andrew.meyer@freeipa01 ~]$
So the name is MEYERAD but you typed MEYER-AD. Remove the dash from your earlier command and it should work.
John
On 22 Jul 2019, at 17:48, Andrew Meyer via FreeIPA-users freeipa-users@lists.fedorahosted.org wrote:
Getting this:
[andrew.meyer@freeipa01 ~]$ sudo ipa trust-find
1 trust matched
  Realm name: ad.meyer.local
  Domain NetBIOS name: MEYERAD
  Domain Security Identifier: S-1-5-21-1219070868-1303614073-2179474410
  Trust type: Active Directory domain
Number of entries returned 1
[andrew.meyer@freeipa01 ~]$
On Monday, July 22, 2019, 10:26:29 AM CDT, Alexander Bokovoy abokovoy@redhat.com wrote:
Please use official documentation instead. The page above was written quite a few years ago by test engineers to help themselves get through various test scenarios. You are better off using https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/html-single/windows_integration_guide/index
This particular error message tells you that there is no trust to AD with 'MEYER-AD' as its NetBIOS name.
It might be that the trust wasn't established successfully, thus it is not possible to use it to resolve users.
Start with 'ipa trust-find' output.
-- / Alexander Bokovoy Sr. Principal Software Engineer Security / Identity Management Engineering Red Hat Limited, Finland
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org To unsubscribe send an email to freeipa-users-leave@lists.fedorahosted.org Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/ List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahoste...
On Mon, 22 Jul 2019, Andrew Meyer wrote:
Getting this:

[andrew.meyer@freeipa01 ~]$ sudo ipa trust-find
---------------
1 trust matched
---------------
  Realm name: ad.meyer.local
  Domain NetBIOS name: MEYERAD
  Domain Security Identifier: S-1-5-21-1219070868-1303614073-2179474410
  Trust type: Active Directory domain
----------------------------
Number of entries returned 1
----------------------------
So, you should be using 'MEYERAD\Domain Admins' then.
Once this is done I should be able to do id user.name and get the Active Directory user, correct?

On Monday, July 22, 2019, 11:03:10 AM CDT, Alexander Bokovoy abokovoy@redhat.com wrote:
On Mon, 22 Jul 2019, Andrew Meyer wrote:
Getting this:

[andrew.meyer@freeipa01 ~]$ sudo ipa trust-find
---------------
1 trust matched
---------------
  Realm name: ad.meyer.local
  Domain NetBIOS name: MEYERAD
  Domain Security Identifier: S-1-5-21-1219070868-1303614073-2179474410
  Trust type: Active Directory domain
----------------------------
Number of entries returned 1
----------------------------
So, you should be using 'MEYERAD\Domain Admins' then.
On Mon, 22 Jul 2019, Andrew Meyer via FreeIPA-users wrote:
Once this is done I should be able to do id user.name and get the Active Directory user correct?
Resolving users is unrelated to mapping groups. You should be able to resolve users already.
[andrew.meyer@freeipa01 ~]$ id james.kirk
id: james.kirk: no such user
[andrew.meyer@freeipa01 ~]$ id william.riker
id: william.riker: no such user
[andrew.meyer@freeipa01 ~]$

Unless I need to use the ipa users-find command.

On Monday, July 22, 2019, 11:47:12 AM CDT, Alexander Bokovoy abokovoy@redhat.com wrote:
On Mon, 22 Jul 2019, Andrew Meyer via FreeIPA-users wrote:
Once this is done I should be able to do id user.name and get the Active Directory user correct?
Resolving users is unrelated to mapping groups. You should be able to resolve users already.
On Mon, Jul 22, 2019 at 6:51 PM Andrew Meyer via FreeIPA-users freeipa-users@lists.fedorahosted.org wrote:
[andrew.meyer@freeipa01 ~]$ id james.kirk
id: james.kirk: no such user
[andrew.meyer@freeipa01 ~]$ id william.riker
id: william.riker: no such user
[andrew.meyer@freeipa01 ~]$
Try "id user@DOMAIN" like this: id james.kirk@AD.MEYER.LOCAL
Unless I need to use the ipa users-find command.
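Two practical points come out of this thread: Alexander's answer that the flat name in a 'DOMAIN\Group' argument must be exactly the "Domain NetBIOS name" that ipa trust-find reports (MEYERAD, not MEYER-AD), and François's advice to resolve trusted users as user@REALM. Both can be checked from the same ipa trust-find output before running anything that modifies the external group. The script below is an added example and is not code from the thread or from the FreeIPA project: it embeds a constructed copy of the trust-find output shown above, extracts the NetBIOS name, the domain SID and the realm, validates a 'DOMAIN\Group' string's flat name case-insensitively (NetBIOS names are case-insensitive), checks whether a SID belongs to the trusted domain, and builds the fully-qualified user name for id. The function names, the SAMPLE_TRUST_FIND variable and the ad_admins_external usage in the trailing comment are the example's own assumptions. One thing the SID check makes visible: the External member SIDs already on ad_admins_external in the thread (S-1-5-21-2117027177-2554619188-4034396183-512 and -1106) do not share the domain SID that ipa trust-find reports (S-1-5-21-1219070868-1303614073-2179474410). The thread does not say where those entries came from, so the script only reports the mismatch rather than assuming a cause.

```sh
#!/bin/sh
# Added example, not from the thread or the FreeIPA project.
# Sanity-check a 'DOMAIN\Group' name and existing member SIDs against the
# trust FreeIPA actually knows about before calling
#   ipa group-add-member <group> --external 'DOMAIN\Group'
# Runs offline against a constructed copy of the `ipa trust-find` output
# shown in the thread; on a real server use trust_out=$(ipa trust-find).

SAMPLE_TRUST_FIND='---------------
1 trust matched
---------------
  Realm name: ad.meyer.local
  Domain NetBIOS name: MEYERAD
  Domain Security Identifier: S-1-5-21-1219070868-1303614073-2179474410
  Trust type: Active Directory domain
----------------------------
Number of entries returned 1
----------------------------'

# Extract the value of the first "Key: value" line from ipa output.
# $1 = key (no regex metacharacters), $2 = captured output.
ipa_field() {
    printf '%s\n' "$2" | sed -n "s/^[[:space:]]*$1:[[:space:]]*//p" | head -n 1
}

trust_netbios_name() { ipa_field 'Domain NetBIOS name' "$1"; }
trust_domain_sid()   { ipa_field 'Domain Security Identifier' "$1"; }
trust_realm()        { ipa_field 'Realm name' "$1"; }

upper() { printf '%s' "$1" | tr '[:lower:]' '[:upper:]'; }

# Does the flat name in 'DOMAIN\Group' ($1) match the trusted domain's
# NetBIOS name in the trust-find output ($2)?  Returns 0 on a match,
# 1 on a mismatch (the thread's MEYER-AD vs MEYERAD case), 2 if the
# argument has no backslash at all.
flat_name_matches_trust() {
    case "$1" in
        *\\*) ;;
        *) return 2 ;;
    esac
    [ "$(upper "${1%%\\*}")" = "$(upper "$(trust_netbios_name "$2")")" ]
}

# Does SID $1 belong to the domain whose SID is $2, i.e. is $1 == "$2-<RID>"?
sid_in_domain() {
    case "$1" in
        "$2"-[0-9]*) return 0 ;;
        *) return 1 ;;
    esac
}

# Print every SID in a comma-separated list ($1) that is NOT in domain $2.
# Useful on the "External member:" line that ipa group-add-member echoes back.
foreign_sids() {
    printf '%s\n' "$1" | tr ',' '\n' | while IFS= read -r sid; do
        sid=$(printf '%s' "$sid" | sed 's/^[[:space:]]*//;s/[[:space:]]*$//')
        [ -n "$sid" ] || continue
        sid_in_domain "$sid" "$2" || printf '%s\n' "$sid"
    done
}

# Build user@REALM for `id`, as suggested in the thread.  The realm is
# upper-cased to match the form used there; SSSD matches the domain part
# case-insensitively.
qualified_user_name() { printf '%s@%s' "$1" "$(upper "$(trust_realm "$2")")"; }

# Usage on a real server (not executed here):
#   trust_out=$(ipa trust-find)
#   name='MEYERAD\Domain Admins'
#   if flat_name_matches_trust "$name" "$trust_out"; then
#       ipa group-add-member ad_admins_external --external "$name"
#   else
#       echo "flat name in '$name' is not $(trust_netbios_name "$trust_out")" >&2
#   fi
#   id "$(qualified_user_name james.kirk "$trust_out")"
```

The flat-name check reproduces exactly the comparison that produced the "no trusted domain matched the specified flat name" error, but before the server round-trip. foreign_sids run over the "External member:" line from the thread prints both SIDs, because neither starts with the trust's domain SID.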
Excellent, thank you!

On Monday, July 22, 2019, 12:01:53 PM CDT, François Cami fcami@redhat.com wrote:
On Mon, Jul 22, 2019 at 6:51 PM Andrew Meyer via FreeIPA-users freeipa-users@lists.fedorahosted.org wrote:
[andrew.meyer@freeipa01 ~]$ id james.kirk
id: james.kirk: no such user
[andrew.meyer@freeipa01 ~]$ id william.riker
id: william.riker: no such user
[andrew.meyer@freeipa01 ~]$
Try "id user@DOMAIN" like this: id james.kirk@AD.MEYER.LOCAL
What does the AD Trust list in IPA show for the AD domain you should be using? The same one? Or a different notation?
John
On 22 Jul 2019, at 17:13, Andrew Meyer via FreeIPA-users freeipa-users@lists.fedorahosted.org wrote:
Hello, I am working on setting up FreeIPA with AD integration and seem to be running into an issue. It's possible that I am also doing something wrong.
I am setting it up to talk to MS Windows Server 2012r2. Following directions on https://www.freeipa.org/page/Active_Directory_trust_setup
I have not edited the /etc/krb5.conf ( I figured that needed to happen on the client machines.)
I am actually at this step: https://www.freeipa.org/page/Active_Directory_trust_setup#Create_external_and_POSIX_groups_for_trusted_domain_users
I am getting the following error:
[andrew.meyer@freeipa01 ~]$ sudo ipa group-add-member ad_admins_external --external 'MEYER-AD\Domain Admins'
[member user]:
[member group]:
  Group name: ad_admins_external
  Description: ad.meyer.local admins external map
  External member: S-1-5-21-2117027177-2554619188-4034396183-512, S-1-5-21-2117027177-2554619188-4034396183-1106
  Member users: andrew.meyer
  Member groups: ad_admins
  Member of groups: ad_admins, ipausers
  Indirect Member groups: ad_admins_external
  Failed members:
    member user:
    member group: MEYER-AD\Domain Admins: invalid 'trusted domain object': no trusted domain matched the specified flat name
Number of members added 0
[andrew.meyer@freeipa01 ~]$
What am I doing wrong?