On Tue, Nov 21, 2017 at 01:55:31PM +0100, Henrik Stigendal via FreeIPA-users wrote:
> Hello everyone,
>
> I'm new to this and am trying to set up a working trust against an AD
> forest. I seem to have a working trust, but when I try to reference external
> groups (or users) I get:
>
> # ipa group-add-member ad_users_external --external "AD2\Domain Users"
> [member user]:
> [member group]:
>   Group name: ad_users_external
>   Description: AD users external map
>   Failed members:
>     member user:
>     member group: AD2\Domain Users: trusted domain object not found
> -------------------------
> Number of members added 0
> -------------------------

I think the lookup goes eventually from the ipa command line framework to
SSSD. Does lookup through the usual SSSD channels (getent passwd
username@domain) work?

> I enabled some logging; the output from the command above is at the end of
> the mail. Any suggestions what could cause this? Current version of IPA
> is 4.5.
>
> Regards
> Henrik
>
> [Tue Nov 21 13:10:42.675713 2017] [:warn] [pid 38221] [client 192.168.6.82:34714] failed to set perms (3140) on file (/var/run/ipa/ccaches/[email protected])!, referer: https://ipaserver.idm.test.net/ipa/xml
> string_to_sid: SID AD2\Domain Users is not in a valid format

btw did you try also a lookup of a name qualified with the full AD domain
name (i.e. [email protected] instead of ad\\username)? I wonder if just the
flat name is acting up...

> lpcfg_load: refreshing parameters from /usr/share/ipa/smb.conf.empty
> Processing section "[global]"
> INFO: Current debug levels:
>   all: 11
>   tdb: 11
>   printdrivers: 11
>   lanman: 11
>   smb: 11
>   rpc_parse: 11
>   rpc_srv: 11
>   rpc_cli: 11
>   passdb: 11
>   sam: 11
>   auth: 11
>   winbind: 11
>   vfs: 11
>   idmap: 11
>   quota: 11
>   acls: 11
>   locking: 11
>   msdfs: 11
>   dmapi: 11
>   registry: 11
>   scavenger: 11
>   dns: 11
>   ldb: 11
>   tevent: 11
> pm_process() returned Yes
> added interface eno16780032 ip=192.168.6.82 bcast=192.168.6.255 netmask=255.255.255.0
> added interface eno33559296 ip=192.168.44.67 bcast=192.168.44.255 netmask=255.255.255.0
> added interface eno16780032 ip=192.168.6.82 bcast=192.168.6.255 netmask=255.255.255.0
> added interface eno33559296 ip=192.168.44.67 bcast=192.168.44.255 netmask=255.255.255.0
> added interface eno16780032 ip=192.168.6.82 bcast=192.168.6.255 netmask=255.255.255.0
> added interface eno33559296 ip=192.168.44.67 bcast=192.168.44.255 netmask=255.255.255.0
> added interface eno16780032 ip=192.168.6.82 bcast=192.168.6.255 netmask=255.255.255.0
> added interface eno33559296 ip=192.168.44.67 bcast=192.168.44.255 netmask=255.255.255.0
> finddcs: searching for a DC by DNS domain ad2.test.net
> finddcs: looking for SRV records for _ldap._tcp.ad2.test.net
> resolve_lmhosts: Attempting lmhosts lookup for name _ldap._tcp.ad2.test.net<0x0>
> getlmhostsent: lmhost entry: 127.0.0.1 localhost
> ads_dns_lookup_srv: 2 records returned in the answer section.
> ads_dns_parse_rr_srv: Parsed adserver.ad2.test.net [0, 100, 389]
> ads_dns_parse_rr_srv: Parsed adserver.ad2.test.net [0, 100, 389]
> Addrs = 192.168.5.158@389/adserver,192.168.5.104@389/adserver
> finddcs: DNS SRV response 0 at '192.168.5.158'
> finddcs: DNS SRV response 1 at '192.168.5.104'
> finddcs: performing CLDAP query on 192.168.5.158
> &response->data.nt5_ex: struct NETLOGON_SAM_LOGON_RESPONSE_EX
>     command                  : LOGON_SAM_LOGON_RESPONSE_EX (23)
>     sbz                      : 0x0000 (0)
>     server_type              : 0x0001f1fc (127484)
>            0: NBT_SERVER_PDC
>            1: NBT_SERVER_GC
>            1: NBT_SERVER_LDAP
>            1: NBT_SERVER_DS
>            1: NBT_SERVER_KDC
>            1: NBT_SERVER_TIMESERV
>            1: NBT_SERVER_CLOSEST
>            1: NBT_SERVER_WRITABLE
>            0: NBT_SERVER_GOOD_TIMESERV
>            0: NBT_SERVER_NDNC
>            0: NBT_SERVER_SELECT_SECRET_DOMAIN_6
>            1: NBT_SERVER_FULL_SECRET_DOMAIN_6
>            1: NBT_SERVER_ADS_WEB_SERVICE
>            1: NBT_SERVER_DS_8
>            0: NBT_SERVER_HAS_DNS_NAME
>            0: NBT_SERVER_IS_DEFAULT_NC
>            0: NBT_SERVER_FOREST_ROOT
>     domain_uuid              : 63c3a477-85f9-5f01-96e8-2597a5c48978
>     forest                   : 'ad2.test.net'
>     dns_domain               : 'ad2.test.net'
>     pdc_dns_name             : 'adserver.ad2.test.net'
>     domain_name              : 'AD2'
>     pdc_name                 : 'adserver'
>     user_name                : ''
>     server_site              : 'AS001'
>     client_site              : 'AS002'
>     sockaddr_size            : 0x00 (0)
>     sockaddr: struct nbt_sockaddr
>         sockaddr_family          : 0x00000000 (0)
>         pdc_ip                   : (null)
>         remaining                : DATA_BLOB length=0
>     next_closest_site        : NULL
>     nt_version               : 0x00000005 (5)
>            1: NETLOGON_NT_VERSION_1
>            0: NETLOGON_NT_VERSION_5
>            1: NETLOGON_NT_VERSION_5EX
>            0: NETLOGON_NT_VERSION_5EX_WITH_IP
>            0: NETLOGON_NT_VERSION_WITH_CLOSEST_SITE
>            0: NETLOGON_NT_VERSION_AVOID_NT4EMUL
>            0: NETLOGON_NT_VERSION_PDC
>            0: NETLOGON_NT_VERSION_IP
>            0: NETLOGON_NT_VERSION_LOCAL
>            0: NETLOGON_NT_VERSION_GC
>     lmnt_token               : 0xffff (65535)
>     lm20_token               : 0xffff (65535)
> finddcs: Found matching DC 192.168.5.158 with server_type=0x0001f1fc
> [Tue Nov 21 13:10:42.740320 2017] [:error] [pid 26496] ipa: INFO: [jsonserver_session] [email protected]: group_add_member/1(u'ad_users_external', ipaexternalmember=(u'AD2\\\\Domain Users',), version=u'2.228'): SUCCESS
> _______________________________________________
> FreeIPA-users mailing list -- [email protected]
> To unsubscribe send an email to [email protected]
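As an added diagnostic example (not code from the thread, from FreeIPA or from SSSD), the checks suggested in the reply above wrapped into a POSIX shell script: it derives the two name forms `ipa group-add-member --external` accepts besides a raw SID (`name@dns.domain` and `FLAT\name`), tests a string for well-formed SID syntax (the `string_to_sid` warning in the log reads as IPA first checking whether the argument is already a SID before resolving it as a name; that reading is my inference), and runs each name form through `getent`, which is the NSS path SSSD answers on the IPA server. The values `AD2`, `ad2.test.net` and `Domain Users` are taken from the thread; the function names are my own.

```shell
#!/bin/sh
# Added diagnostic helper for external AD members in FreeIPA; not code from the
# thread, FreeIPA or SSSD. Assumed inputs taken from the thread: flat name AD2,
# DNS domain ad2.test.net, object "Domain Users". Function names are mine.

# candidate_forms FLAT DNS_DOMAIN NAME
# Print the two name forms `ipa group-add-member --external` accepts besides a
# raw SID: the SSSD-style fully qualified form first, the NetBIOS form second.
candidate_forms() {
    flat=$1; dns=$2; name=$3
    printf '%s@%s\n' "$name" "$dns"      # e.g. Domain Users@ad2.test.net
    printf '%s\\%s\n' "$flat" "$name"    # e.g. AD2\Domain Users
}

# is_sid STRING
# Succeed only for a syntactically valid SID: revision 1, an identifier
# authority, and zero or more sub-authorities (S-1-5-21-...-513).
# "AD2\Domain Users" is not one, which is why string_to_sid rejects it in the
# log; IPA then has to resolve the name instead.
is_sid() {
    printf '%s\n' "$1" | grep -Eq '^S-1-[0-9]+(-[0-9]+)*$'
}

# nss_lookup DB NAME
# Resolve NAME through NSS (getent), i.e. through SSSD on an IPA server.
# Exit 0 if found, non-zero if not, 2 if getent is unavailable.
nss_lookup() {
    db=$1; name=$2
    command -v getent >/dev/null 2>&1 || return 2
    getent "$db" "$name" >/dev/null 2>&1
}

# try_external DB FLAT DNS_DOMAIN NAME
# Report which name forms SSSD resolves in DB (passwd or group).
# Exit 0 if at least one form resolved, 1 if none did.
try_external() {
    db=$1; flat=$2; dns=$3; name=$4
    rc=1
    for form in "$name@$dns" "$flat\\$name"; do
        if nss_lookup "$db" "$form"; then
            printf 'resolved  : %s\n' "$form"
            rc=0
        else
            printf 'not found : %s\n' "$form"
        fi
    done
    # If neither form resolves, SSSD cannot see the trusted domain object
    # either, and ipa group-add-member --external will fail the same way.
    return $rc
}

# Usage on the IPA server, e.g.:
#   try_external group  AD2 ad2.test.net 'Domain Users'
#   try_external passwd AD2 ad2.test.net 'someuser'
```

Run it on the IPA server as the user that runs `ipa group-add-member`; if the fully qualified form resolves and the flat form does not, the trust itself is fine and the problem is in how the flat name is mapped, which is the question the reply raises.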
