On Mon, Jul 24, 2017 at 09:05:59AM -0400, Jason Beck wrote:
> On Jul 24, 2017 4:14 AM, "Jakub Hrozek via FreeIPA-users" <
> freeipa-users@lists.fedorahosted.org> wrote:
>
> > On Fri, Jul 21, 2017 at 03:43:58PM -0400, Jason Beck via FreeIPA-users
> > wrote:
> > > I have been trying to reliably get an AD trust setup for a few weeks
> > > and no matter what I try, when I go to add AD users to an external
> > > group in FreeIPA, I get:
> > >
> > > "trusted domain object not found"
> > >
> > > Googling around tends to always yield the same suggestions:
> > >
> > > 1) Check time sync
> > > 2) Check DNS
> > > 3) Check firewall
> > >
> > > I have done all of this ad nauseam in several different environments
> > > with several different versions of FreeIPA and Windows servers. I have
> > > gotten a setup to work maybe 2% of the time out of hundreds of attempts.
> > >
> > > I am currently using FreeIPA 4.5.2 on Fedora 25 (out of the COPR repo).
> > > I am trying to establish trust with a mixed Windows 2012 & 2008 forest.
> > > I have tried both one and two way trusts. Everything seems to work fine
> > > up until I try to add AD users to FreeIPA.
> > >
> > > I have verified all of the requisite DNS records exist and return the
> > > proper information on both sides, there are no firewalls between any of
> > > the hosts, and the AD servers and FreeIPA servers are synchronized by
> > > the same NTP servers.
> > >
> > > What could I possibly be missing?
> >
> > Can you resolve the object you're trying to add with sssd?
> >
> > e.g. id foo@windows.domain
> > _______________________________________________
> > FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
> > To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org
>
> No. I can log in via Kerberos, kinit user@ad.domain. But neither id
> user@ad.domain nor getent passwd user@ad.domain are successful.

Then please follow https://docs.pagure.org/SSSD.sssd/users/troubleshooting.html