HI Alex,

Oops, sorry.

Actually I have 2 servers whose hostnames look the same, kwtpocpbis01 and kwtpocpbis02, and I was trying on the wrong server. Now it's working on the actual server:

[root@kwtpocpbis01 ~]# ipa group-add-member ad_admins_external --external 'INFRA\Domain Admins'
[member user]:
[member group]:
  Group name: ad_admins_external
  Description: infra.com admins external map
  External member: S-1-5-21-191287045-4012216658-3592112898-512
-------------------------
Number of members added 1
-------------------------
[root@kwtpocpbis01 ~]# ipa group-add-member ad_admins_external --external 'INFRA\Domain Users'
[member user]:
[member group]:
  Group name: ad_admins_external
  Description: infra.com admins external map
  External member: S-1-5-21-191287045-4012216658-3592112898-512, S-1-5-21-191287045-4012216658-3592112898-513
-------------------------
Number of members added 1

How can I fetch an AD user on the command line on the IPA server to check the communication?

Regards
Ben

On Thu, Mar 5, 2015 at 10:05 AM, Alexander Bokovoy <[email protected]> wrote:
> On Thu, 05 Mar 2015, Ben .T.George wrote:
>
>> Hi Alexander,
>>
>> can you please give me a clue about this error message:
>>
>> "member group: KWTTESTDC\Domain Admins: invalid 'trusted domain object':
>> no trusted domain matched the specified flat name"
>>
> So what are the domains your IPA reports as trusted?
>
>   ipa trustdomain-find
>
> Because you are talking about KWTTESTDC -- is this a domain's NetBIOS
> name? It looks to me it is your AD DC's name, not the domain's.
>
>> Regards,
>> Ben
>>
>> On Thu, Mar 5, 2015 at 9:35 AM, Ben .T.George <[email protected]> wrote:
>>
>>> HI
>>>
>>> sorry, ntp was stopped. Now time is in sync. Rebooted machine,
>>> but the process is not going through:
>>>
>>> [root@kwtpocpbis01 ~]# ipa group-add-member ad_admins_external --external 'ad_netbios\Domain Admins'
>>> [member user]:
>>> [member group]:
>>>   Group name: ad_admins_external
>>>   Description: infra.com admins external map
>>>   Failed members:
>>>     member user:
>>>     member group: ad_netbios\Domain Admins: invalid 'trusted domain object': no trusted domain matched the specified flat name
>>> -------------------------
>>> Number of members added 0
>>> -------------------------
>>> [root@kwtpocpbis01 ~]# ipa group-add-member ad_admins_external --external 'ad_netbios\Domain Users'
>>> [member user]:
>>> [member group]:
>>>   Group name: ad_admins_external
>>>   Description: infra.com admins external map
>>>   Failed members:
>>>     member user:
>>>     member group: ad_netbios\Domain Users: invalid 'trusted domain object': no trusted domain matched the specified flat name
>>> -------------------------
>>> Number of members added 0
>>> -------------------------
>>>
>>> And the error message in error_log is:
>>>
>>> [Thu Mar 05 09:31:50.146154 2015] [:error] [pid 2101] ipa: INFO: [jsonserver_kerb] [email protected]: group_add_member(u'ad_admins_external', ipaexternalmember=(u'ad_netbios\\\\Domain Admins',), all=False, raw=False, version=u'2.113', no_members=False): SUCCESS
>>>
>>> [Thu Mar 05 09:32:15.761885 2015] [:error] [pid 2101] ipa: INFO: [jsonserver_kerb] [email protected]: group_add_member(u'ad_admins_external', ipaexternalmember=(u'ad_netbios\\\\Domain Users',), all=False, raw=False, version=u'2.113', no_members=False): SUCCESS
>>>
>>> On Thu, Mar 5, 2015 at 8:52 AM, Alexander Bokovoy <[email protected]> wrote:
>>>
>>>> On Thu, 05 Mar 2015, Ben .T.George wrote:
>>>>
>>>>> Hi
>>>>>
>>>>> I have re-installed everything. My current versions are CentOS 7 with IPA 4.1.
>>>>>
>>>>> I followed this tutorial:
>>>>> http://www.freeipa.org/page/Howto/IPAv3_AD_trust_setup
>>>>>
>>>>> When I fetch, it is successful:
>>>>>
>>>>> [root@kwtpocpbis01 ~]# ipa trustdomain-find "infra.com"
>>>>>   Domain name: infra.com
>>>>>   Domain NetBIOS name: INFRA
>>>>>   Domain Security Identifier: S-1-5-21-191287045-4012216658-3592112898
>>>>>   Domain enabled: True
>>>>> ----------------------------
>>>>> Number of entries returned 1
>>>>> ----------------------------
>>>>>
>>>>> When I went through "Allow access for users from AD domain to protected
>>>>> resources", I got errors:
>>>>>
>>>>> [root@kwtpocpbis01 ~]# ipa group-add --desc='infra.com users external map' ad_users_external --external
>>>>> -------------------------------
>>>>> Added group "ad_users_external"
>>>>> -------------------------------
>>>>>   Group name: ad_users_external
>>>>>   Description: infra.com users external map
>>>>>
>>>>> [root@kwtpocpbis01 ~]# ipa group-add --desc='infra.com users' ad_users
>>>>> ----------------------
>>>>> Added group "ad_users"
>>>>> ----------------------
>>>>>   Group name: ad_users
>>>>>   Description: infra.com users
>>>>>   GID: 643400005
>>>>>
>>>>> [root@kwtpocpbis01 ~]# ipa group-add-member ad_users_external --external 'INFRA\Domain Users'
>>>>> [member user]:
>>>>> [member group]:
>>>>>   Group name: ad_users_external
>>>>>   Description: infra.com users external map
>>>>>   Failed members:
>>>>>     member user:
>>>>>     member group: INFRA\Domain Users: trusted domain object not found
>>>>> -------------------------
>>>>> Number of members added 0
>>>>> -------------------------
>>>>>
>>>>> [root@kwtpocpbis01 ~]# ipa group-add-member ad_users --groups ad_users_external
>>>>>   Group name: ad_users
>>>>>   Description: infra.com users
>>>>>   GID: 643400005
>>>>>   Member groups: ad_users_external
>>>>> -------------------------
>>>>> Number of members added 1
>>>>> -------------------------
>>>>>
>>>>> Please help me to solve this issue.
>>>>>
>>>>> The error below appears in httpd/error_log while trying: ipa group-add-member ad_users_external --external 'INFRA\Domain Users'
>>>>>
>>>>> [Thu Mar 05 11:36:37.371594 2015] [:error] [pid 4090] ipa: WARNING: Search on AD DC kwtipaad001.infra.com:3268 failed with: Insufficient access: SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure. Minor code may provide more information (Ticket not yet valid)
>>>>> [Thu Mar 05 11:36:37.374280 2015] [:error] [pid 4090] ipa: INFO: [jsonserver_kerb] [email protected]: group_add_member(u'ad_users_external', ipaexternalmember=(u'INFRA\\\\Domain Users',), all=False, raw=False, version=u'2.113', no_members=False): SUCCESS
>>>>>
>>>> OK, "Ticket not yet valid" is time synchronization issue -- AD DC has
>>>> time behind IPA DC. Check time and time zone settings.
>>>>
>>>> --
>>>> / Alexander Bokovoy
>>>
>>
> --
> / Alexander Bokovoy
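An added shell example, not code from the thread or from FreeIPA, for the flat-name check behind Alexander's advice: it pulls the "Domain NetBIOS name" values out of `ipa trustdomain-find` output and tests the part before the backslash of an `--external` member against them, which is why `INFRA\Domain Admins` is accepted while `KWTTESTDC\Domain Admins` (a DC hostname) and `ad_netbios\Domain Users` (a placeholder) fail with "no trusted domain matched the specified flat name". The trustdomain-find text in the block is a constructed sample modelled on the thread's output; on a real server substitute the command's actual output.

```shell
#!/bin/sh
# Added example (not from the thread): validate the NetBIOS part of an
# --external member against the trusted domains ipa trustdomain-find lists.

# Constructed sample of `ipa trustdomain-find` output, same fields as in the thread.
SAMPLE_TRUSTDOMAINS='  Domain name: infra.com
  Domain NetBIOS name: INFRA
  Domain Security Identifier: S-1-5-21-191287045-4012216658-3592112898
  Domain enabled: True
----------------------------
Number of entries returned 1
----------------------------'

# Print the "Domain NetBIOS name" values from trustdomain-find output, one per line.
trusted_flat_names() {
    printf '%s\n' "$1" | sed -n 's/^ *Domain NetBIOS name: *//p'
}

# Return 0 when the text before the backslash in "FLAT\name" is the NetBIOS
# name of a trusted domain (compared case-insensitively, as NetBIOS names
# are), 1 otherwise. A DC hostname or a placeholder fails here for the same
# reason ipa reports "no trusted domain matched the specified flat name".
check_external_member() {
    member="$1"
    trustdomains="$2"
    case "$member" in
        *\\*) ;;
        *) printf '%s\n' "'$member' is not in FLATNAME\\name form" >&2; return 1 ;;
    esac
    flat=$(printf '%s' "${member%%\\*}" | tr '[:lower:]' '[:upper:]')
    for name in $(trusted_flat_names "$trustdomains"); do
        upper=$(printf '%s' "$name" | tr '[:lower:]' '[:upper:]')
        [ "$upper" = "$flat" ] && return 0
    done
    printf '%s\n' "'$flat' matches no trusted domain NetBIOS name (DC hostname instead of domain?)" >&2
    return 1
}

# Stand-alone run over the working and the failing members seen in the thread.
for m in 'INFRA\Domain Admins' 'KWTTESTDC\Domain Admins' 'ad_netbios\Domain Users'; do
    if check_external_member "$m" "$SAMPLE_TRUSTDOMAINS"; then
        printf '%s\n' "$m: OK, flat name is a trusted domain"
    fi
done
```

On the server itself `ipa group-add-member GROUP --external 'FLAT\Name'` performs this check against the real trust list; whether an individual AD user resolves through SSSD (Ben's open question, not answered in the thread) can be checked with `getent passwd user@infra.com`.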
--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go To http://freeipa.org for more info on the project
