On Thu, 05 Mar 2015, Ben .T.George wrote:
Hi Alexander,
can you please give me a clue about this error message:
"member group: KWTTESTDC\Domain Admins: invalid 'trusted domain object': no trusted domain matched the specified flat name"
So what are the domains your IPA reports as trusted?
ipa trustdomain-find
Because you are talking about KWTTESTDC -- is this a domain's NetBIOS
name? It looks to me like it is your AD DC's name, not the domain's.
Regards,
Ben
On Thu, Mar 5, 2015 at 9:35 AM, Ben .T.George <[email protected]> wrote:
Hi
sorry ntp was stopped. now time is in sync. rebooted machine
but process is not going through
[root@kwtpocpbis01 ~]# ipa group-add-member ad_admins_external --external 'ad_netbios\Domain Admins'
[member user]:
[member group]:
  Group name: ad_admins_external
  Description: infra.com admins external map
  Failed members:
    member user:
    member group: ad_netbios\Domain Admins: invalid 'trusted domain object': no trusted domain matched the specified flat name
-------------------------
Number of members added 0
-------------------------
[root@kwtpocpbis01 ~]# ipa group-add-member ad_admins_external --external 'ad_netbios\Domain Users'
[member user]:
[member group]:
  Group name: ad_admins_external
  Description: infra.com admins external map
  Failed members:
    member user:
    member group: ad_netbios\Domain Users: invalid 'trusted domain object': no trusted domain matched the specified flat name
-------------------------
Number of members added 0
-------------------------
And the error message in error_log is:
[Thu Mar 05 09:31:50.146154 2015] [:error] [pid 2101] ipa: INFO: [jsonserver_kerb] [email protected]: group_add_member(u'ad_admins_external', ipaexternalmember=(u'ad_netbios\\\\Domain Admins',), all=False, raw=False, version=u'2.113', no_members=False): SUCCESS
[Thu Mar 05 09:32:15.761885 2015] [:error] [pid 2101] ipa: INFO: [jsonserver_kerb] [email protected]: group_add_member(u'ad_admins_external', ipaexternalmember=(u'ad_netbios\\\\Domain Users',), all=False, raw=False, version=u'2.113', no_members=False): SUCCESS
On Thu, Mar 5, 2015 at 8:52 AM, Alexander Bokovoy <[email protected]>
wrote:
On Thu, 05 Mar 2015, Ben .T.George wrote:
Hi
i have re-installed everything. my current versions are CentOS 7 with IPA 4.1
i followed this tutorial:
http://www.freeipa.org/page/Howto/IPAv3_AD_trust_setup
when i fetch, it was successful:
[root@kwtpocpbis01 ~]# ipa trustdomain-find "infra.com"
  Domain name: infra.com
  Domain NetBIOS name: INFRA
  Domain Security Identifier: S-1-5-21-191287045-4012216658-3592112898
  Domain enabled: True
----------------------------
Number of entries returned 1
----------------------------
[root@kwtpocpbis01 ~]# ipa trustdomain-find "infra.com"
  Domain name: infra.com
  Domain NetBIOS name: INFRA
  Domain Security Identifier: S-1-5-21-191287045-4012216658-3592112898
  Domain enabled: True
----------------------------
Number of entries returned 1
----------------------------
when i went through "Allow access for users from AD domain to protected
resources", i am getting errors,
[root@kwtpocpbis01 ~]# ipa group-add --desc='infra.com users external map' ad_users_external --external
-------------------------------
Added group "ad_users_external"
-------------------------------
  Group name: ad_users_external
  Description: infra.com users external map
[root@kwtpocpbis01 ~]# ipa group-add --desc='infra.com users' ad_users
----------------------
Added group "ad_users"
----------------------
  Group name: ad_users
  Description: infra.com users
  GID: 643400005
[root@kwtpocpbis01 ~]# ipa group-add-member ad_users_external --external 'INFRA\Domain Users'
[member user]:
[member group]:
  Group name: ad_users_external
  Description: infra.com users external map
  Failed members:
    member user:
    member group: INFRA\Domain Users: trusted domain object not found
-------------------------
Number of members added 0
-------------------------
[root@kwtpocpbis01 ~]# ipa group-add-member ad_users --groups ad_users_external
  Group name: ad_users
  Description: infra.com users
  GID: 643400005
  Member groups: ad_users_external
-------------------------
Number of members added 1
-------------------------
please help me to solve this issue:
the below error appears in httpd/error_log while trying: ipa group-add-member ad_users_external --external 'INFRA\Domain Users'
[Thu Mar 05 11:36:37.371594 2015] [:error] [pid 4090] ipa: WARNING: Search on AD DC kwtipaad001.infra.com:3268 failed with: Insufficient access: SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure. Minor code may provide more information (Ticket not yet valid)
[Thu Mar 05 11:36:37.374280 2015] [:error] [pid 4090] ipa: INFO: [jsonserver_kerb] [email protected]: group_add_member(u'ad_users_external', ipaexternalmember=(u'INFRA\\\\Domain Users',), all=False, raw=False, version=u'2.113', no_members=False): SUCCESS
OK, "Ticket not yet valid" is a time synchronization issue -- AD DC has
time behind IPA DC. Check time and time zone settings.
--
/ Alexander Bokovoy
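The flat-name check discussed in this thread, as an added example (not part of the original messages and not FreeIPA code): it reads `ipa trustdomain-find` output and tests whether the prefix of an external member such as 'KWTTESTDC\Domain Admins' is the NetBIOS name of an enabled trusted domain. The function names are hypothetical and the sample input is constructed from the output posted above.

```shell
#!/bin/sh
# Constructed sample: `ipa trustdomain-find infra.com` output as posted in the thread.
sample_trustdomains() {
cat <<'EOF'
  Domain name: infra.com
  Domain NetBIOS name: INFRA
  Domain Security Identifier: S-1-5-21-191287045-4012216658-3592112898
  Domain enabled: True
----------------------------
Number of entries returned 1
----------------------------
EOF
}

# Read trustdomain-find output on stdin; print the NetBIOS (flat) name of
# each enabled trusted domain, one per line.
trusted_flat_names() {
  awk -F': *' '
    /Domain NetBIOS name:/ { flat = $2 }
    /Domain enabled:/      { if ($2 == "True" && flat != "") print flat; flat = "" }
  '
}

# check_external_member 'FLAT\Name' "$flat_names"   (hypothetical helper)
# Returns 0 if FLAT is a trusted domain's flat name (case-insensitive),
# 1 if no trusted domain has that flat name, 2 if there is no FLAT\ prefix.
check_external_member() {
  case $1 in
    *\\*) cem_prefix=${1%%\\*} ;;   # text before the first backslash
    *)    return 2 ;;
  esac
  [ -n "$cem_prefix" ] || return 2
  cem_prefix=$(printf '%s' "$cem_prefix" | tr '[:lower:]' '[:upper:]')
  printf '%s\n' "$2" | tr '[:lower:]' '[:upper:]' | grep -Fxq -- "$cem_prefix"
}

# On an IPA server, replace sample_trustdomains with: ipa trustdomain-find infra.com
flats=$(sample_trustdomains | trusted_flat_names)
for m in 'INFRA\Domain Users' 'KWTTESTDC\Domain Admins' 'ad_netbios\Domain Admins'; do
  if check_external_member "$m" "$flats"; then
    printf 'flat name matches a trusted domain: %s\n' "$m"
  else
    printf 'no trusted domain has this flat name: %s\n' "$m"
  fi
done
```

A matching flat name is necessary but not sufficient: in the thread, 'INFRA\Domain Users' still failed with "trusted domain object not found" while the error_log showed "Ticket not yet valid".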