Hi Alexander,

can you please give me a clue as to what this error message is:

"member group: KWTTESTDC\Domain Admins: invalid 'trusted domain object': no trusted domain matched the specified flat name"

Regards,
Ben

On Thu, Mar 5, 2015 at 9:35 AM, Ben .T.George <[email protected]> wrote:

> Hi
>
> sorry, ntp was stopped. Now time is in sync. Rebooted machine,
>
> but process is not going through
>
> [root@kwtpocpbis01 ~]# ipa group-add-member ad_admins_external --external 'ad_netbios\Domain Admins'
> [member user]:
> [member group]:
>   Group name: ad_admins_external
>   Description: infra.com admins external map
>   Failed members:
>     member user:
>     member group: ad_netbios\Domain Admins: invalid 'trusted domain object': no trusted domain matched the specified flat name
> -------------------------
> Number of members added 0
> -------------------------
>
> [root@kwtpocpbis01 ~]# ipa group-add-member ad_admins_external --external 'ad_netbios\Domain Users'
> [member user]:
> [member group]:
>   Group name: ad_admins_external
>   Description: infra.com admins external map
>   Failed members:
>     member user:
>     member group: ad_netbios\Domain Users: invalid 'trusted domain object': no trusted domain matched the specified flat name
> -------------------------
> Number of members added 0
> -------------------------
>
> And the error message in error_log is:
>
> [Thu Mar 05 09:31:50.146154 2015] [:error] [pid 2101] ipa: INFO: [jsonserver_kerb] [email protected]: group_add_member(u'ad_admins_external', ipaexternalmember=(u'ad_netbios\\\\Domain Admins',), all=False, raw=False, version=u'2.113', no_members=False): SUCCESS
>
> [Thu Mar 05 09:32:15.761885 2015] [:error] [pid 2101] ipa: INFO: [jsonserver_kerb] [email protected]: group_add_member(u'ad_admins_external', ipaexternalmember=(u'ad_netbios\\\\Domain Users',), all=False, raw=False, version=u'2.113', no_members=False): SUCCESS
>
> On Thu, Mar 5, 2015 at 8:52 AM, Alexander Bokovoy <[email protected]> wrote:
>
>> On Thu, 05 Mar 2015, Ben .T.George wrote:
>>
>>> Hi
>>>
>>> I have re-installed everything. My current versions are CentOS 7 with IPA 4.1
>>>
>>> I followed this tutorial:
>>> http://www.freeipa.org/page/Howto/IPAv3_AD_trust_setup
>>>
>>> When I fetch, it went successfully:
>>>
>>> [root@kwtpocpbis01 ~]# ipa trustdomain-find "infra.com"
>>>   Domain name: infra.com
>>>   Domain NetBIOS name: INFRA
>>>   Domain Security Identifier: S-1-5-21-191287045-4012216658-3592112898
>>>   Domain enabled: True
>>> ----------------------------
>>> Number of entries returned 1
>>> ----------------------------
>>> [root@kwtpocpbis01 ~]# ipa trustdomain-find "infra.com"
>>>   Domain name: infra.com
>>>   Domain NetBIOS name: INFRA
>>>   Domain Security Identifier: S-1-5-21-191287045-4012216658-3592112898
>>>   Domain enabled: True
>>> ----------------------------
>>> Number of entries returned 1
>>> ----------------------------
>>>
>>> When I went through "Allow access for users from AD domain to protected
>>> resources", I am getting errors:
>>>
>>> [root@kwtpocpbis01 ~]# ipa group-add --desc='infra.com users external map' ad_users_external --external
>>> -------------------------------
>>> Added group "ad_users_external"
>>> -------------------------------
>>>   Group name: ad_users_external
>>>   Description: infra.com users external map
>>>
>>> [root@kwtpocpbis01 ~]# ipa group-add --desc='infra.com users' ad_users
>>> ----------------------
>>> Added group "ad_users"
>>> ----------------------
>>>   Group name: ad_users
>>>   Description: infra.com users
>>>   GID: 643400005
>>>
>>> [root@kwtpocpbis01 ~]# ipa group-add-member ad_users_external --external 'INFRA\Domain Users'
>>> [member user]:
>>> [member group]:
>>>   Group name: ad_users_external
>>>   Description: infra.com users external map
>>>   Failed members:
>>>     member user:
>>>     member group: INFRA\Domain Users: trusted domain object not found
>>> -------------------------
>>> Number of members added 0
>>> -------------------------
>>>
>>> [root@kwtpocpbis01 ~]# ipa group-add-member ad_users --groups ad_users_external
>>>   Group name: ad_users
>>>   Description: infra.com users
>>>   GID: 643400005
>>>   Member groups: ad_users_external
>>> -------------------------
>>> Number of members added 1
>>> -------------------------
>>>
>>> Please help me to solve this issue.
>>>
>>> The error below appears in httpd/error_log while trying:
>>> ipa group-add-member ad_users_external --external 'INFRA\Domain Users'
>>>
>>> [Thu Mar 05 11:36:37.371594 2015] [:error] [pid 4090] ipa: WARNING: Search on AD DC kwtipaad001.infra.com:3268 failed with: Insufficient access: SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure. Minor code may provide more information (Ticket not yet valid)
>>> [Thu Mar 05 11:36:37.374280 2015] [:error] [pid 4090] ipa: INFO: [jsonserver_kerb] [email protected]: group_add_member(u'ad_users_external', ipaexternalmember=(u'INFRA\\\\Domain Users',), all=False, raw=False, version=u'2.113', no_members=False): SUCCESS
>>>
>> OK, "Ticket not yet valid" is a time synchronization issue -- AD DC has
>> time behind IPA DC. Check time and time zone settings.
>>
>> --
>> / Alexander Bokovoy
>>
--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go To http://freeipa.org for more info on the project
