Hi,

I ran some commands from the AD side and the trust status got changed. Below is the command I used on AD:

netdom trust <TrustingDomainName> /d:<TrustedDomainName> /verify

Before it was: "Waiting for confirmation by remote side", and now it got changed to "Trust type: Active Directory domain". But when I am trying to map an AD group, it is not going through:

[root@zkwipamstr01 ~]# ipa group-add-member ad_admins_external --external 'MTC_TABS\Domain Users'
[member user]:
[member group]:
  Group name: ad_admins_external
  Description: ad_domain admins external map
  Failed members:
    member user:
    member group: MTC_TABS\Domain Users: trusted domain object not found
-------------------------
Number of members added 0
-------------------------

This is what my trust properties from AD look like. Trust type is showing as realm:
[image: Inline image 1]

How can I fix this issue?

On Thu, May 26, 2016 at 10:32 PM, Ben .T.George <bentech4...@gmail.com> wrote:

> Hi All
>
> I have given the shared key and the status is like below.
>
> [root@zkwipamstr01 ~]# ipa trust-add --type=ad "corp.example.com.kw" --trust-secret
> Shared secret for the trust:
> --------------------------------------------------------
> Added Active Directory trust for realm "corp.example.com.kw"
> --------------------------------------------------------
>   Realm name: corp.example.com.kw
>   Domain NetBIOS name: MTC_TABS
>   Domain Security Identifier: S-1-5-21-4225188509-189646935-2695072313
>   SID blacklist incoming: S-1-5-20, S-1-5-3, S-1-5-2, S-1-5-1, S-1-5-7, S-1-5-6, S-1-5-5, S-1-5-4, S-1-5-9, S-1-5-8, S-1-5-17, S-1-5-16, S-1-5-15, S-1-5-14, S-1-5-13, S-1-5-12, S-1-5-11, S-1-5-10, S-1-3, S-1-2, S-1-1, S-1-0, S-1-5-19, S-1-5-18
>   SID blacklist outgoing: S-1-5-20, S-1-5-3, S-1-5-2, S-1-5-1, S-1-5-7, S-1-5-6, S-1-5-5, S-1-5-4, S-1-5-9, S-1-5-8, S-1-5-17, S-1-5-16, S-1-5-15, S-1-5-14, S-1-5-13, S-1-5-12, S-1-5-11, S-1-5-10, S-1-3, S-1-2, S-1-1, S-1-0, S-1-5-19, S-1-5-18
>   Trust direction: Trusting forest
>   Trust type: Active Directory domain
>   Trust status: Waiting for confirmation by remote side
>
> What does this mean: "Waiting for confirmation by remote side"? How can I check that? From my AD side, I cannot see the screens shown in that gif (tutorial).
>
> Please, anyone, help me.
>
> Thanks & Regards,
> Ben
>
> On Thu, May 26, 2016 at 7:58 PM, Michael ORourke <mrorou...@earthlink.net> wrote:
>
>> That looks good. I see you are using an external DNS source for the IPA domain, correct? You may need to do some additional steps on the FreeIPA server, because by default it will configure BIND and populate resource records for the IPA domain (for example, SRV records like _ldap._tcp.kw.example.com). I'm not familiar with setting up FreeIPA with an external DNS, but I'm sure there are some instructions out there.
>>
>> -Mike
>>
>> -----Original Message-----
>> From: "Ben .T.George"
>> Sent: May 23, 2016 2:22 PM
>> To: Michael ORourke
>> Cc: freeipa-users
>> Subject: Re: [Freeipa-users] What if my AD domain user password not available
>>
>> Hi
>>
>> In my case I have 2 domains:
>>
>> AD DNS: corp.example.kw.com
>> main DNS (from appliance): kw.example.com
>>
>> and all the Linux boxes are pointed to kw.example.com
>>
>> so I put my IPA server hostname as ipa.kw.example.com and created A & PTR records on kw.example.com
>>
>> Is that the correct way?
>>
>> Regards,
>> Ben
>>
>> On Mon, May 23, 2016 at 8:20 PM, Michael ORourke <mrorou...@earthlink.net> wrote:
>>
>>> Ben,
>>>
>>> Yes, that is a requirement. Just creating the A & PTR records for your FreeIPA server is not enough. You will need to keep the DNS zones separate too, example:
>>> Windows AD Domain: mydomain.com
>>> FreeIPA Realm/Domain: subdomain.mydomain.com
>>>
>>> You cannot have a cross-forest trust between two domains with the same DNS zone name. So if you have a flat DNS namespace, then you will want to plan accordingly to move all the Linux boxes that will participate in the FreeIPA domain into the new DNS zone.
>>>
>>> -Mike
>>>
>>> -----Original Message-----
>>> From: "Ben .T.George"
>>> Sent: May 23, 2016 10:44 AM
>>> To: Michael ORourke
>>> Cc: freeipa-users
>>> Subject: Re: [Freeipa-users] What if my AD domain user password not available
>>>
>>> Hi
>>>
>>> Yeah, that gif screen I shared with him, but that doesn't show how to take the shared key.
>>>
>>> In my case DNS is handled by 3rd party appliances, and from their side they created an A record for my IPA server. Both forward and reverse are working.
>>>
>>> Is this forwarder a mandatory thing from the DNS side?
>>>
>>> Regards,
>>> Ben
>>>
>>> On Mon, May 23, 2016 at 5:31 PM, Michael ORourke <mrorou...@earthlink.net> wrote:
>>>
>>>> Actually one of his questions doesn't make sense, because last I checked, normal domain users do not have permissions to create a forest trust.
>>>> I believe the default is a one-way trust, so maybe his concerns about the bi-directional trust are really a non-issue.
>>>> If he refuses to type in the admin password in a Linux console session (extreme paranoia?), then perhaps you could give him a link to the tutorial on using a pre-shared key and have him set up the AD side and give you the key. You don't have to be a Windows expert to do this, just ask your domain admin to do the steps for you. Also, you will need to set up a separate DNS zone and some forwarding rules. Otherwise you are going to have problems.
>>>>
>>>> -Mike
>>>>
>>>> -----Original Message-----
>>>> From: "Ben .T.George"
>>>> Sent: May 23, 2016 10:07 AM
>>>> To: Michael ORourke
>>>> Cc: freeipa-users
>>>> Subject: Re: [Freeipa-users] What if my AD domain user password not available
>>>>
>>>> Hi
>>>>
>>>> He is local only, but he is asking so many questions.
>>>>
>>>> First of all, he is refusing to give the domain admin user's password.
>>>>
>>>> The questions he is asking are:
>>>>
>>>> Is this trust relationship two-directional? If yes, why does IPA require a two-directional trust?
>>>> Can we build this trust one-directional?
>>>> Can we achieve this with a normal domain user?
>>>>
>>>> And he is opposed to entering the password on the command line, and I was going through the trust using a pre-shared key and it's too hard for me to understand as I have no Windows experience.
>>>>
>>>> Regards,
>>>> Ben
>>>>
>>>> On Mon, May 23, 2016 at 4:22 PM, Michael ORourke <mrorou...@earthlink.net> wrote:
>>>>
>>>>> A couple of ways to go about this. If he is local to you, you could explain that you need to establish a trust with his domain and you need his assistance for a few minutes while you type the command to join, then have him type in the password. You need to assure that the DNS forward/stub zones are set up and working too. If he is remote, you could use some screen share software and share out your desktop and walk him through the part where he has to type the admin password. There is also a way to create a trust using a pre-shared key. That may be more acceptable to him.
>>>>>
>>>>> -Mike
>>>>>
>>>>> -----Original Message-----
>>>>> From: "Ben .T.George"
>>>>> Sent: May 23, 2016 8:42 AM
>>>>> To: freeipa-users
>>>>> Subject: [Freeipa-users] What if my AD domain user password not available
>>>>>
>>>>> Hi List,
>>>>>
>>>>> My Windows domain admin is not giving the domain admin user password.
>>>>>
>>>>> In this case how can I proceed with ipa trust-add?
>>>>>
>>>>> Regards,
>>>>> Ben

-- 
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project
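A pre-flight check for the situation in the top message (trust added with `--trust-secret`, still "Waiting for confirmation by remote side", then "trusted domain object not found" from `ipa group-add-member --external`), and for Mike's point about SRV records needing to resolve across the two DNS zones. This is an added example, not code from the list or from the FreeIPA project. It assumes: the realm, NetBIOS name and IPA domain from the thread; that `dig`, `ipa trustdomain-find` and `ipa trust-fetch-domains` are available on the IPA master; and that the `--external 'NETBIOS\Group'` lookup only succeeds once the NetBIOS name is listed by `ipa trustdomain-find`, which is why the check suggests `trust-fetch-domains` when it is missing. `trust_state` classifies saved `ipa trust-add` output (the status line only appears there), so save that output with `tee` if you want the script to read it.

```shell
#!/bin/sh
# Added example (not from the list or the FreeIPA project): pre-flight checks
# on the IPA master before mapping an AD group with
#   ipa group-add-member <group> --external 'NETBIOS\Group'
# Realm, NetBIOS name and IPA domain below come from the thread; the rest
# (command availability, the trustdomain-find assumption) is assumed.

# trust_state: read saved `ipa trust-add` output on stdin and print
# PENDING (remote side has not confirmed), ACTIVE (established) or UNKNOWN.
trust_state() {
    status=$(sed -n 's/^[[:space:]]*Trust status:[[:space:]]*//p')
    case "$status" in
        *"Waiting for confirmation"*) echo PENDING ;;
        *"Established"*)              echo ACTIVE ;;
        *)                            echo UNKNOWN ;;
    esac
}

# netbios_known NAME: succeed if `ipa trustdomain-find <realm>` output on
# stdin lists NAME as a trusted domain's NetBIOS name. Assumption: when it
# is absent, `--external 'NAME\...'` fails with "trusted domain object not found".
netbios_known() {
    grep -qi -- "^[[:space:]]*Domain NetBIOS name:[[:space:]]*$1[[:space:]]*$"
}

# srv_resolves DOMAIN: succeed if both the LDAP and Kerberos SRV records of
# DOMAIN resolve from this host (needs DNS forwarding in both directions).
srv_resolves() {
    for svc in _ldap._tcp _kerberos._tcp; do
        dig +short SRV "$svc.$1" | grep -q . || return 1
    done
}

# trust_check AD_REALM NETBIOS IPA_DOMAIN [TRUST_ADD_LOG]: run the live
# checks and print the next step. Returns non-zero while something is missing.
trust_check() {
    ad_realm=$1; nb=$2; ipa_domain=$3; log=${4:-}; rc=0
    for d in "$ad_realm" "$ipa_domain"; do
        if srv_resolves "$d"; then
            echo "ok    SRV records for $d resolve"
        else
            echo "FAIL  SRV records for $d do not resolve; fix DNS forwarding first"
            rc=1
        fi
    done
    if [ -n "$log" ]; then
        state=$(trust_state < "$log")
        echo "trust status from $log: $state"
        if [ "$state" = PENDING ]; then
            echo "next: have the AD admin validate the trust on the AD side, then re-run"
            return 1
        fi
    fi
    if ipa trustdomain-find "$ad_realm" | netbios_known "$nb"; then
        echo "ok    $nb is listed; '$nb\\Group' should resolve for group-add-member --external"
    else
        echo "next: $nb is not listed; run 'ipa trust-fetch-domains $ad_realm' and retry"
        rc=1
    fi
    return $rc
}

# Usage on the IPA master, with the values from the thread:
#   ipa trust-add --type=ad corp.example.com.kw --trust-secret | tee trust-add.log
#   trust_check corp.example.com.kw MTC_TABS kw.example.com trust-add.log
```

The two parsing helpers are kept separate from the live commands so they can be exercised on pasted output; the SRV check is the quickest way to confirm Mike's forwarding requirement before touching the trust itself.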