[Freeipa-users] Problems establishing a trust with AD

Alexander Bokovoy abokovoy at redhat.com
Wed Aug 20 21:19:58 UTC 2014


On Wed, 20 Aug 2014, Baird, Josh wrote:
>Hi,
>
>I'm attempting to establish a trust between FreeIPA 3.3 and AD 2008 R2.
>My IPA domain consists of two servers (one master and one replica).  I
>have verified that DNS is configured properly as the IPA domain can
>resolve AD and the AD domain can resolve IPA hosts.
>
>On each IPA server, I performed the following:
>
>$ yum install ipa-server-trust-ad samba-client
>$ ipa-adtrust-install
>
>On the main IPA server, I executed the following:
>
>$ ipa trust-add --admin administrator --password
>
>The output of this command suggests that establishing the trust was successful:
>
>-------------------------------------------------
>Added Active Directory trust for realm "test.lan"
>-------------------------------------------------
>  Realm name: test.lan
>  Domain NetBIOS name: TEST
>  Domain Security Identifier: S-1-5-21-2234298371-4032204425-1996979893
>  SID blacklist incoming: S-1-0, S-1-1, S-1-2, S-1-3, S-1-5-1, S-1-5-2, S-1-5-3, S-1-5-4, S-1-5-5, S-1-5-6, S-1-5-7, S-1-5-8, S-1-5-9, S-1-5-10, S-1-5-11, S-1-5-12,
>                          S-1-5-13, S-1-5-14, S-1-5-15, S-1-5-16, S-1-5-17, S-1-5-18, S-1-5-19, S-1-5-20
>  SID blacklist outgoing: S-1-0, S-1-1, S-1-2, S-1-3, S-1-5-1, S-1-5-2, S-1-5-3, S-1-5-4, S-1-5-5, S-1-5-6, S-1-5-7, S-1-5-8, S-1-5-9, S-1-5-10, S-1-5-11, S-1-5-12,
>                          S-1-5-13, S-1-5-14, S-1-5-15, S-1-5-16, S-1-5-17, S-1-5-18, S-1-5-19, S-1-5-20
>  Trust direction: Two-way trust
>  Trust type: Active Directory domain
>  Trust status: Established and verified
>
>Additionally, I can also see the IPA domain in Active Directory Domains
>and Trusts on the Windows side.  Next, I successfully requested a
>service ticket for the AD domain:
>
>$ kvno cifs/vmxxenttest01.test.lan@TEST.LAN
>cifs/vmxxenttest01.test.lan@TEST.LAN: kvno = 4
>$ klist | grep TEST
>08/20/2014 11:03:47  08/20/2014 21:03:47  cifs/vmxxenttest01.test.lan@TEST.LAN
>08/20/2014 11:03:47  08/21/2014 11:00:30  krbtgt/TEST.LAN@QA-UNIX.DOMAIN.COM
All is good. At this point, if kvno as an IPA user works against the AD DC, you
don't need to perform validation from the AD side.

>Next, I modified /etc/krb5.conf on both IDM servers (master and
>replica) and added the following to the [realms] section and restarted
>krb5kdc:
>
>auth_to_local = RULE:[1:$1@$0](^.*@TEST.LAN$)s/@TEST.LAN/@TEST.LAN/
>auth_to_local = DEFAULT
The AD domain rule is a bit wrong: the last part (the replacement) should be
lower-cased.

 auth_to_local = RULE:[1:$1@$0](^.*@TEST.LAN$)s/@TEST.LAN/@test.lan/

>I also modified /etc/sssd/sssd.conf and added "pac" to services and "subdomains_provider = ipa."
Did you restart sssd at this point?

Did you try

   getent passwd administrator@test.lan

   or

   id administrator@test.lan
?

>
>Next, I tried to validate the trust from the AD side using the
>"Validate" button in AD Domains and Trusts.  Once I click the
>'Validate' button, I choose "Yes, validate the incoming trust" and
>specify the IPA admin account and password and get notified that the
>trust cannot be validated due to "There are currently no logon servers
>available to service the logon requests."  It suggests that I reset the
>trust password, and I accept, but again it fails due to no logon
>servers.
>
>I don't really see anything in the krb5kdc.log logs on the IPA servers.
>Any ideas how to further troubleshoot this?
As I said, if kvno succeeds as an IPA user against AD services, no
additional validation from the AD side is needed. Since you did establish
the trust using AD admin credentials, IPA issued a request to validate the
trust automatically.

You may re-establish trust if you think your actions on AD side broke
something in the trust objects in AD.

-- 
/ Alexander Bokovoy
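Added example, not part of the thread: a small evaluator for krb5 auth_to_local entries that shows why the replacement case matters. The rule as posted maps administrator@TEST.LAN back to administrator@TEST.LAN, while the lower-cased rule yields administrator@test.lan, the spelling used in the getent/id checks above. It assumes the IPA realm QA-UNIX.DOMAIN.COM from the klist output as the local realm and implements only the RULE and DEFAULT forms.

```python
import re

# Rules as they appear in the thread: the one Josh posted (replacement still
# upper-case) and the lower-cased replacement suggested in the reply.
RULE_AS_POSTED = "RULE:[1:$1@$0](^.*@TEST.LAN$)s/@TEST.LAN/@TEST.LAN/"
RULE_FIXED = "RULE:[1:$1@$0](^.*@TEST.LAN$)s/@TEST.LAN/@test.lan/"
LOCAL_REALM = "QA-UNIX.DOMAIN.COM"  # assumed local (IPA) realm, taken from klist

# RULE:[n:format](selector)s/pattern/replacement/[g]
_RULE = re.compile(
    r"^RULE:\[(\d+):([^\]]*)\]\((.*)\)s/((?:[^/\\]|\\.)*)/((?:[^/\\]|\\.)*)/(g?)$"
)


def apply_rule(rule, principal, local_realm=LOCAL_REALM):
    """Evaluate one auth_to_local entry for a principal.

    Returns the local name, or None when the entry does not apply. RULE entries
    select on component count plus a regexp; DEFAULT maps only single-component
    principals of the local realm (so foreign-realm users never match it).
    """
    name, _, realm = principal.rpartition("@")
    components = name.split("/")
    if rule == "DEFAULT":
        ok = realm == local_realm and len(components) == 1
        return components[0] if ok else None
    m = _RULE.match(rule)
    if not m:
        raise ValueError("unsupported auth_to_local entry: %r" % rule)
    ncomp, fmt, selector, pattern, replacement, flag = m.groups()
    if len(components) != int(ncomp):
        return None
    # $0 is the realm, $1..$n the principal components (highest index first
    # so "$1" does not clobber "$10").
    candidate = fmt.replace("$0", realm)
    for i in range(len(components), 0, -1):
        candidate = candidate.replace("$%d" % i, components[i - 1])
    if not re.search(selector, candidate):
        return None
    return re.sub(pattern, replacement, candidate, count=0 if flag else 1)


def map_principal(rules, principal, local_realm=LOCAL_REALM):
    """Walk the auth_to_local list in order; the first entry that applies wins."""
    for rule in rules:
        local = apply_rule(rule, principal, local_realm)
        if local is not None:
            return local
    return None
```

Run map_principal([RULE_FIXED, "DEFAULT"], "administrator@TEST.LAN") to see the trusted-domain user resolve to administrator@test.lan, while a service principal such as host/ipa1@QA-UNIX.DOMAIN.COM gets no mapping at all.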
