On Fri, Apr 28, 2017 at 07:27:20PM +0200, Tiemen Ruiten wrote:
> Hello Alexander, list,
>
> I did get further by specifying --external=true in the ipa trust-add
> command, it works now for *both* the Windows and the Samba domain:
>
> ipa trust-add office.rdmedia.com --type=ad --admin Administrator --password
> --two-way=false --external=true
>
> IPA reports the trust is established successfully and I can also see it in
> Active Directory Domains and Trusts. However, adding users/groups to an
> external group fails:
>
> [root@ipa-ams-01 tiemen]# ipa group-add-member office_admins_external
> --external "OFFICE\domain admins"
> [member user]:
> [member group]:
> Group name: office_admins_external
> Description: office.rdmedia.com admins external map
> Failed members:
> member user:
> member group: *OFFICE\domain admins: trusted domain object not found*
> -------------------------
> Number of members added 0
> -------------------------

Domain Admins is a domain-local group typically. I would advise against
using those for cross-forest trust memberships in general.

Can you also check if you can resolve objects from the trusted AD/Samba
domain? Try:

    getent passwd [email protected]

for example.

--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project