> On 20 Jul 2018, at 17:51, Rene Trippen via FreeIPA-users
> <freeipa-users@lists.fedorahosted.org> wrote:
>
> Hi there,
>
> I've got an external trust established between the ipa server and an AD
> domain (child of parent)
>
> ipa trust-add --type=ad subdomain.main.corp.com --external=true
> Active Directory domain administrator: ipatrust0
> Active Directory domain administrator's password:
> -------------------------------------------------------------------------
> Added Active Directory trust for realm "subdomain.main.corp.com"
> -------------------------------------------------------------------------
> Realm name: subdomain.main.corp.com
> Domain NetBIOS name: SUBDOMAIN
> Domain Security Identifier: S-1-5-21-653292258-51847207-622671684
> Trust direction: Trusting forest
> Trust type: Non-transitive external trust to a domain in another
> Active Directory forest
> Trust status: Established and verified
>
> But, when I try to get users or groups from the AD, nothing is returned
>
> getent passwd us...@subdomain.main.corp.com -> nothing
>
> wbinfo -n "SUBDOMAIN\user1"
> failed to call wbcLookupName: WBC_ERR_DOMAIN_NOT_FOUND
> Could not lookup name SUBDOMAIN\user1
>
> wbinfo -m
> BUILTIN
> IPA
> SUBDOMAIN
>
> ipa dns-update-system-records --dry-run
> IIPA DNS records:
> _kerberos-master._tcp.ipa.main.corp.com. 86400 IN SRV 0 100 88
> ipa1.ipa.main.corp.com.
> _kerberos-master._udp.ipa.main.corp.com. 86400 IN SRV 0 100 88
> ipa1.ipa.main.corp.com.
> _kerberos._tcp.Default-First-Site-Name._sites.dc._msdcs.ipa.main.corp.com.
> 86400 IN SRV 0 100 88 ipa1.ipa.main.corp.com.
> _kerberos._tcp.dc._msdcs.ipa.main.corp.com. 86400 IN SRV 0 100 88
> ipa1.ipa.main.corp.com.
> _kerberos._tcp.ipa.main.corp.com. 86400 IN SRV 0 100 88
> ipa1.ipa.main.corp.com.
> _kerberos._udp.Default-First-Site-Name._sites.dc._msdcs.ipa.main.corp.com.
> 86400 IN SRV 0 100 88 ipa1.ipa.main.corp.com.
> _kerberos._udp.dc._msdcs.ipa.main.corp.com. 86400 IN SRV 0 100 88
> ipa1.ipa.main.corp.com.
> _kerberos._udp.ipa.main.corp.com. 86400 IN SRV 0 100 88
> ipa1.ipa.main.corp.com.
> _kerberos.ipa.main.corp.com. 86400 IN TXT "IPA.MAIN.CORP.COM"
> _kpasswd._tcp.ipa.main.corp.com. 86400 IN SRV 0 100 464
> ipa1.ipa.main.corp.com.
> _kpasswd._udp.ipa.main.corp.com. 86400 IN SRV 0 100 464
> ipa1.ipa.main.corp.com.
> _ldap._tcp.Default-First-Site-Name._sites.dc._msdcs.ipa.main.corp.com.
> 86400 IN SRV 0 100 389 ipa1.ipa.main.corp.com.
> _ldap._tcp.dc._msdcs.ipa.main.corp.com. 86400 IN SRV 0 100 389
> ipa1.ipa.main.corp.com.
> _ldap._tcp.ipa.main.corp.com. 86400 IN SRV 0 100 389 ipa1.ipa.main.corp.com.
> _ntp._udp.ipa.main.corp.com. 86400 IN SRV 0 100 123 ipa1.ipa.main.corp.com.
> ipa-ca.ipa.main.corp.com. 86400 IN A 10.1.17.123
>
> The IPA server and the AD machines are in the same net, without
> firewall segmentation
> The ADs are 2008R2
> The IPA Server is a CentOS (latest), got following ipa version installed:
>
> ipa-common-4.5.4-10.el7.centos.3.noarch
> ipa-server-trust-ad-4.5.4-10.el7.centos.3.x86_64
> ipa-client-4.5.4-10.el7.centos.3.x86_64
> ipa-server-dns-4.5.4-10.el7.centos.3.noarch
> ipa-server-common-4.5.4-10.el7.centos.3.noarch
> ipa-client-common-4.5.4-10.el7.centos.3.noarch
> ipa-server-4.5.4-10.el7.centos.3.x86_64
>
> I can provide you tons of logs, but I don't know where to start.

Logs from sssd on the ipa master are usually a good point to start, see https://docs.pagure.org/SSSD.sssd/users/troubleshooting.html

>
> Best regards,
> Rene
> _______________________________________________
> FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
> To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org
> Fedora Code of Conduct: https://getfedora.org/code-of-conduct.html
> List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
> List Archives:
> https://lists.fedoraproject.org/archives/list/freeipa-users@lists.fedorahosted.org/message/QF4JKRPVXMK6CW2KYFWNRFM7JDTBRDJ2/