[Freeipa-users] Trust is successful and getting error while creating groups.

Alexander Bokovoy abokovoy at redhat.com
Thu Mar 5 05:52:38 UTC 2015


On Thu, 05 Mar 2015, Ben .T.George wrote:
>Hi
>
>I have re-installed everything. My current versions are CentOS 7 with IPA
>4.1.
>
>I followed this tutorial:
>http://www.freeipa.org/page/Howto/IPAv3_AD_trust_setup
>
>When I fetch, it went successfully:
>
>[root@kwtpocpbis01 ~]# ipa trustdomain-find "infra.com"
>  Domain name: infra.com
>  Domain NetBIOS name: INFRA
>  Domain Security Identifier: S-1-5-21-191287045-4012216658-3592112898
>  Domain enabled: True
>----------------------------
>Number of entries returned 1
>----------------------------
>
>When I went through "Allow access for users from AD domain to protected
>resources", I am getting errors:
>
>
>[root@kwtpocpbis01 ~]# ipa group-add --desc='infra.com users external map' ad_users_external --external
>-------------------------------
>Added group "ad_users_external"
>-------------------------------
>  Group name: ad_users_external
>  Description: infra.com users external map
>
>[root@kwtpocpbis01 ~]# ipa group-add --desc='infra.com users' ad_users
>----------------------
>Added group "ad_users"
>----------------------
>  Group name: ad_users
>  Description: infra.com users
>  GID: 643400005
>
>[root@kwtpocpbis01 ~]# ipa group-add-member ad_users_external --external 'INFRA\Domain Users'
>[member user]:
>[member group]:
>  Group name: ad_users_external
>  Description: infra.com users external map
>  Failed members:
>    member user:
>    member group: INFRA\Domain Users: trusted domain object not found
>-------------------------
>Number of members added 0
>-------------------------
>
>[root@kwtpocpbis01 ~]# ipa group-add-member ad_users --groups ad_users_external
>  Group name: ad_users
>  Description: infra.com users
>  GID: 643400005
>  Member groups: ad_users_external
>-------------------------
>Number of members added 1
>-------------------------
>
>please help me to solve this issue:
>
>The error below appears in httpd/error_log while trying: ipa
>group-add-member ad_users_external --external 'INFRA\Domain Users'
>
>[Thu Mar 05 11:36:37.371594 2015] [:error] [pid 4090] ipa: WARNING: Search
>on AD DC kwtipaad001.infra.com:3268
>failed with: Insufficient access: SASL(-1): generic failure: GSSAPI Error:
>Unspecified GSS failure.  Minor code may provide more information (Ticket
>not yet valid)
>[Thu Mar 05 11:36:37.374280 2015] [:error] [pid 4090] ipa: INFO:
>[jsonserver_kerb] admin@SOLARIS.LOCAL:
>group_add_member(u'ad_users_external', ipaexternalmember=(u'INFRA\\\\Domain
>Users',), all=False, raw=False, version=u'2.113', no_members=False):
>SUCCESS
OK, "Ticket not yet valid" is a time synchronization issue -- the AD DC has
its time behind the IPA DC. Check time and time zone settings.

-- 
/ Alexander Bokovoy
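As an added illustration of this diagnosis (example code, not from the thread or from FreeIPA): it mirrors the check the verifying side makes against a ticket's start time under MIT krb5's default 300-second clock skew, and picks the AD DC host out of the httpd error_log warning so its clock can be compared with the IPA server's. The log text, the EXAMPLE.TEST realm and the ticket lifetime are constructed.

```python
"""Illustrates the failure mode from the thread: the IPA side stamps the
Kerberos ticket with its own clock, and an AD DC whose clock is behind by
more than the permitted skew rejects it as "Ticket not yet valid".
The log text below is constructed for this example."""
import re
from datetime import datetime, timedelta, timezone

# Kerberos tolerates a small clock difference between the parties; MIT krb5's
# default clockskew is 300 seconds, so a larger offset is rejected.
MAX_CLOCK_SKEW = timedelta(seconds=300)

# IPA's WARNING when an LDAP search against an AD DC fails for a Kerberos
# time-related reason; captures the timestamp, the DC host and the reason.
LOG_RE = re.compile(
    r"^\[(?P<ts>[^\]]+)\] \[:error\] \[pid \d+\] ipa: WARNING: Search on AD DC "
    r"(?P<dc>[\w.-]+):\d+ .*\((?P<reason>Ticket not yet valid|Ticket expired|"
    r"Clock skew too great)\)\s*$"
)

# Constructed sample modelled on the thread, one log record per line.
SAMPLE_LOG = (
    "[Thu Mar 05 11:36:37.371594 2015] [:error] [pid 4090] ipa: WARNING: Search "
    "on AD DC kwtipaad001.infra.com:3268 failed with: Insufficient access: "
    "SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure.  Minor "
    "code may provide more information (Ticket not yet valid)\n"
    "[Thu Mar 05 11:36:37.374280 2015] [:error] [pid 4090] ipa: INFO: "
    "[jsonserver_kerb] admin@EXAMPLE.TEST: group_add_member(...): SUCCESS\n"
)

def find_time_failures(log_text):
    """(timestamp, dc_host, reason) for each time-related GSSAPI failure; each
    dc_host listed is a DC whose clock should be compared with the IPA server's."""
    matches = (LOG_RE.search(line) for line in log_text.splitlines())
    return [(m.group("ts"), m.group("dc"), m.group("reason")) for m in matches if m]

def ticket_verdict(ticket_start, ticket_end, verifier_now, skew=MAX_CLOCK_SKEW):
    """Verdict the verifying side (here the AD DC) reaches on a ticket valid
    from ticket_start to ticket_end when its own clock reads verifier_now."""
    if verifier_now + skew < ticket_start:
        return "Ticket not yet valid"
    if verifier_now - skew > ticket_end:
        return "Ticket expired"
    return "OK"

def reproduce_thread_case(dc_behind_seconds):
    """Ticket issued on the IPA side at its own 11:36:37 with a 10 h lifetime;
    the AD DC's clock is behind by dc_behind_seconds. Returns the DC's verdict."""
    issued = datetime(2015, 3, 5, 11, 36, 37, tzinfo=timezone.utc)
    dc_now = issued - timedelta(seconds=dc_behind_seconds)
    return ticket_verdict(issued, issued + timedelta(hours=10), dc_now)
```

An offset of a couple of minutes is absorbed by the skew allowance, which is why a DC only a little behind still works while one sixteen minutes behind produces exactly the warning in the thread.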
