I followed the directions from https://access.redhat.com/solutions/1354543 pretty much to the letter.
Everything was successful and seems to work well aside from the last step of trying to resolve an AD user with the ID command on an IPA client.

[gould@mid-ipa-vp02 ~]$ id [email protected]
id: [email protected]: no such user

I enabled debugging in sssd. Here's what I saw in the lookup for "id [email protected]". It looks like the AD is returning no match when the account exists.

(Fri Mar 13 15:13:24 2015) [sssd[be[unix.test.osuwmc]]] [be_get_account_info] (0x0200): Got request for [0x1001][1][name=farus]
(Fri Mar 13 15:13:24 2015) [sssd[be[unix.test.osuwmc]]] [ipa_idmap_check_posix_child] (0x0080): No forest available for domain [S-1-5-21-226267946-722566613-1883572810].
(Fri Mar 13 15:13:24 2015) [sssd[be[unix.test.osuwmc]]] [ipa_idmap_get_ranges_from_sysdb] (0x0040): ipa_idmap_check_posix_child failed.
(Fri Mar 13 15:13:24 2015) [sssd[be[unix.test.osuwmc]]] [sdap_idmap_domain_has_algorithmic_mapping] (0x0080): Could not add new domain for sid [S-1-5-21-226267946-722566613-1883572810]
(Fri Mar 13 15:13:24 2015) [sssd[be[unix.test.osuwmc]]] [fo_resolve_service_send] (0x0100): Trying to resolve service 'test.osuwmc'
(Fri Mar 13 15:13:24 2015) [sssd[be[unix.test.osuwmc]]] [resolve_srv_send] (0x0200): The status of SRV lookup is resolved
(Fri Mar 13 15:13:24 2015) [sssd[be[unix.test.osuwmc]]] [be_resolve_server_process] (0x0200): Found address for server svr-addc-vt02.test.osuwmc: [10.80.5.240] TTL 3600
(Fri Mar 13 15:13:24 2015) [sssd[be[unix.test.osuwmc]]] [sdap_get_server_opts_from_rootdse] (0x0100): Setting AD compatibility level to [4]
(Fri Mar 13 15:13:24 2015) [sssd[be[unix.test.osuwmc]]] [fo_resolve_service_send] (0x0100): Trying to resolve service 'test.osuwmc'
(Fri Mar 13 15:13:24 2015) [sssd[be[unix.test.osuwmc]]] [resolve_srv_send] (0x0200): The status of SRV lookup is resolved
(Fri Mar 13 15:13:24 2015) [sssd[be[unix.test.osuwmc]]] [be_resolve_server_process] (0x0200): Found address for server svr-addc-vt02.test.osuwmc: [10.80.5.240] TTL 3600
(Fri Mar 13 15:13:24 2015) [sssd[be[unix.test.osuwmc]]] [child_sig_handler] (0x0100): child [4587] finished successfully.
(Fri Mar 13 15:13:24 2015) [sssd[be[unix.test.osuwmc]]] [sdap_cli_auth_step] (0x0100): expire timeout is 900
(Fri Mar 13 15:13:24 2015) [sssd[be[unix.test.osuwmc]]] [sasl_bind_send] (0x0100): Executing sasl bind mech: gssapi, user: host/mid-ipa-vp01.unix.test.osuwmc
(Fri Mar 13 15:13:24 2015) [sssd[be[unix.test.osuwmc]]] [fo_set_port_status] (0x0100): Marking port 389 of server 'svr-addc-vt02.test.osuwmc' as 'working'
(Fri Mar 13 15:13:24 2015) [sssd[be[unix.test.osuwmc]]] [set_server_common_status] (0x0100): Marking server 'svr-addc-vt02.test.osuwmc' as 'working'
(Fri Mar 13 15:13:24 2015) [sssd[be[unix.test.osuwmc]]] [sdap_get_users_done] (0x0040): Failed to retrieve users
(Fri Mar 13 15:13:24 2015) [sssd[be[unix.test.osuwmc]]] [ipa_get_ad_acct_ad_part_done] (0x0080): Object not found, ending request
(Fri Mar 13 15:13:24 2015) [sssd[be[unix.test.osuwmc]]] [acctinfo_callback] (0x0100): Request processed. Returned 0,0,Success

The trust looks good.

[gould@mid-ipa-vp01 ~]$ kinit admin
Password for [email protected]:
[gould@mid-ipa-vp01 ~]$ ipa trust-show
Realm name: TEST.OSUWMC
  Realm name: test.osuwmc
  Domain NetBIOS name: TEST
  Domain Security Identifier: S-1-5-21-XXXXXXXXX-XXXXXXXXX-XXXXXXXXX
  Trust direction: Two-way trust
  Trust type: Active Directory domain
[gould@mid-ipa-vp01 ~]$

Any idea why it can't find the match?

Also, we're curious why it tries to resolve POSIX when we added the trust with --range-type=ipa-ad-trust and not --range-type=ipa-ad-trust-posix.

Other question is how do you set or default to a one-way trust when installing instead of a two-way? We know how to modify the trust in IPA and AD, but are a bit leery since we're not sure what all might break or if we're modifying all that truly needs to be modified in IPA.
Joshua

--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project
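An added example, not part of the post above and not sssd or FreeIPA code: a small Python triage helper for sssd backend debug logs of the kind pasted in the post. It parses each line into timestamp, backend domain, function, debug level and message, keeps only the failure-level lines (0x0010 fatal through 0x0080 minor, per the debug_level bit values in sssd.conf(5)), and pulls out the requested name, the SIDs, the AD server that answered and the GSSAPI bind principal. The point it makes is the one visible in the post: the final acctinfo_callback line reports "Returned 0,0,Success" even though the lookup failed, so filtering on level and reading the earliest failure (here ipa_idmap_check_posix_child, before any LDAP traffic) is more useful than reading the last line. The sample lines are copied from the post; the level names and the regexes are this example's own.

```python
import re
from dataclasses import dataclass

# sssd debug_level bits (sssd.conf(5)); the lower the bit, the worse the problem.
LEVELS = {
    0x0010: "fatal", 0x0020: "critical", 0x0040: "serious", 0x0080: "minor",
    0x0100: "config", 0x0200: "funcdata", 0x0400: "trace", 0x0800: "trace_int",
    0x1000: "trace_all", 0x2000: "trace_ldb",
}
FAILURE_MAX = 0x0080  # 0x0080 and below are failure messages

# Layout of a backend log line: "(ts) [sssd[be[domain]]] [func] (0xLEVEL): msg"
LINE_RE = re.compile(
    r"^\((?P<ts>[^)]+)\) \[sssd\[be\[(?P<domain>[^\]]+)\]\]\] "
    r"\[(?P<func>[^\]]+)\] \((?P<level>0x[0-9a-fA-F]+)\): (?P<msg>.*)$"
)
SID_RE = re.compile(r"S-1-5-21(?:-\d+){3,}")
NAME_RE = re.compile(r"Got request for .*\[name=(?P<name>[^\]]+)\]")
SERVER_RE = re.compile(r"Found address for server (?P<host>\S+): \[(?P<ip>[^\]]+)\]")
BIND_RE = re.compile(r"Executing sasl bind mech: (?P<mech>\S+), user: (?P<user>\S+)")

# Lines copied from the post's sssd debug output (a subset, in original order).
SAMPLE = """\
(Fri Mar 13 15:13:24 2015) [sssd[be[unix.test.osuwmc]]] [be_get_account_info] (0x0200): Got request for [0x1001][1][name=farus]
(Fri Mar 13 15:13:24 2015) [sssd[be[unix.test.osuwmc]]] [ipa_idmap_check_posix_child] (0x0080): No forest available for domain [S-1-5-21-226267946-722566613-1883572810].
(Fri Mar 13 15:13:24 2015) [sssd[be[unix.test.osuwmc]]] [ipa_idmap_get_ranges_from_sysdb] (0x0040): ipa_idmap_check_posix_child failed.
(Fri Mar 13 15:13:24 2015) [sssd[be[unix.test.osuwmc]]] [sdap_idmap_domain_has_algorithmic_mapping] (0x0080): Could not add new domain for sid [S-1-5-21-226267946-722566613-1883572810]
(Fri Mar 13 15:13:24 2015) [sssd[be[unix.test.osuwmc]]] [be_resolve_server_process] (0x0200): Found address for server svr-addc-vt02.test.osuwmc: [10.80.5.240] TTL 3600
(Fri Mar 13 15:13:24 2015) [sssd[be[unix.test.osuwmc]]] [sasl_bind_send] (0x0100): Executing sasl bind mech: gssapi, user: host/mid-ipa-vp01.unix.test.osuwmc
(Fri Mar 13 15:13:24 2015) [sssd[be[unix.test.osuwmc]]] [sdap_get_users_done] (0x0040): Failed to retrieve users
(Fri Mar 13 15:13:24 2015) [sssd[be[unix.test.osuwmc]]] [ipa_get_ad_acct_ad_part_done] (0x0080): Object not found, ending request
(Fri Mar 13 15:13:24 2015) [sssd[be[unix.test.osuwmc]]] [acctinfo_callback] (0x0100): Request processed. Returned 0,0,Success
"""


@dataclass
class Entry:
    ts: str
    domain: str
    func: str
    level: int
    msg: str

    @property
    def level_name(self):
        return LEVELS.get(self.level, hex(self.level))


def parse(text):
    """Parse backend log text; lines that do not match the layout are skipped."""
    entries = []
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if m:
            entries.append(Entry(m["ts"], m["domain"], m["func"],
                                 int(m["level"], 16), m["msg"]))
    return entries


def failures(entries):
    """Failure-level messages only, in log order (the first one is usually the root cause)."""
    return [e for e in entries if e.level <= FAILURE_MAX]


def triage(text):
    """Summarise one lookup: who was asked for, where it failed, which SIDs/servers were involved."""
    entries = parse(text)
    summary = {"request": None, "failures": failures(entries), "sids": [],
               "servers": [], "bind_user": None, "final_status": None}
    for e in entries:
        if (m := NAME_RE.search(e.msg)):
            summary["request"] = m["name"]
        for sid in SID_RE.findall(e.msg):
            if sid not in summary["sids"]:
                summary["sids"].append(sid)
        if (m := SERVER_RE.search(e.msg)) and m["host"] not in summary["servers"]:
            summary["servers"].append(m["host"])
        if (m := BIND_RE.search(e.msg)):
            summary["bind_user"] = m["user"]
        if e.func == "acctinfo_callback":
            summary["final_status"] = e.msg
    return summary


def first_failure(text):
    """Function name of the earliest failure-level line, or None."""
    f = failures(parse(text))
    return f[0].func if f else None


if __name__ == "__main__":
    s = triage(SAMPLE)
    print("lookup for:", s["request"], "| final status:", s["final_status"])
    print("SIDs:", s["sids"], "| AD server:", s["servers"], "| bound as:", s["bind_user"])
    for e in s["failures"]:
        print(f"  {e.level_name:8} {e.func}: {e.msg}")
```

Run it against a full domain log (/var/log/sssd/sssd_<domain>.log with debug_level raised) rather than the excerpt: the first failure-level line tells you which stage of the request gave up, and the SID list tells you which trusted domain sssd was trying to map when it did.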
