On Jul 24, 2017 4:14 AM, "Jakub Hrozek via FreeIPA-users" <
freeipa-users@lists.fedorahosted.org> wrote:

> On Fri, Jul 21, 2017 at 03:43:58PM -0400, Jason Beck via FreeIPA-users
> wrote:
> > I have been trying to reliably get an AD trust set up for a few weeks and
> > no matter what I try, when I go to add AD users to an external group in
> > FreeIPA, I get:
> >
> > "trusted domain object not found"
> >
> > Googling around tends to always yield the same suggestions:
> >
> > 1) Check time sync
> > 2) Check DNS
> > 3) Check firewall
> >
> > I have done all of this ad nauseam in several different environments with
> > several different versions of FreeIPA and Windows servers.  I have gotten a
> > setup to work maybe 2% of the time out of hundreds of attempts.
> >
> > I am currently using FreeIPA 4.5.2 on Fedora 25 (out of the COPR repo).  I
> > am trying to establish trust with a mixed Windows 2012 & 2008 forest. I
> > have tried both one and two way trusts.  Everything seems to work fine up
> > until I try to add AD users to FreeIPA.
> >
> > I have verified all of the requisite DNS records exist and return the
> > proper information on both sides, there are no firewalls between any of the
> > hosts, and the AD servers and FreeIPA servers are synchronized by the same
> > NTP servers.
> >
> > What could I possibly be missing?
>
> Can you resolve the object you're trying to add with sssd?
>
> e.g. id foo@windows.domain
> _______________________________________________
> FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
> To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org


No.  I can log in via Kerberos, kinit user@ad.domain.  But neither id
user@ad.domain nor getent passwd user@ad.domain are successful.