On Thu, Apr 13, 2017 at 04:49:59PM +0200, Tiemen Ruiten wrote:
> Hello!
>
> As I understand from this
> <https://www.redhat.com/archives/freeipa-users/2016-October/msg00147.html>
> thread,
> it should be possible to set up a trust between FreeIPA and Samba4. My AD
> domain is clients.i.rdmedia.com, it's a subdomain of my FreeIPA domain,
> i.rdmedia.com. Therefore I added a global forwarder on the Samba AD DC to
> one of the FreeIPA replicas and lookup of SRV records in both domains
> appears to work.
>
> However when I try to add the trust I get "ipa: ERROR an internal error has
> occurred". I ran the trust-add command with full debug logging as described
> on https://www.freeipa.org/page/Active_Directory_trust_setup#Debugging_trust,
> so I can provide these logs privately upon request.
>

We do not yet support trusts to Samba 4 AD DC. It is an open ticket:
https://pagure.io/freeipa/issue/4866

I do not think it is a priority at this time. Alexander (Cc) could
possibly provide an update.

Thanks,
Fraser

> I suspect some DNS issue, as right after I try to set up the trust, dynamic
> updates stop working on the AD Domain Controller with this error:
>
> tkey query failed: GSSAPI error: Major = Unspecified GSS failure. Minor
> code may provide more information, Minor = Server DNS/
> fluorine.clients.i.rdmedia....@i.rdmedia.com not found in Kerberos database.
> Failed nsupdate: 1
> update(nsupdate): SRV _ldap._tcp.Default-First-Site-Name._
> sites.ForestDnsZones.clients.i.rdmedia.com fluorine.clients.i.rdmedia.com
> 389
> Calling nsupdate for SRV _ldap._tcp.Default-First-Site-Name._
> sites.ForestDnsZones.clients.i.rdmedia.com fluorine.clients.i.rdmedia.com
> 389 (add)
> Outgoing update query:
> ;; ->>HEADER<<- opcode: UPDATE, status: NOERROR, id: 0
> ;; flags:; ZONE: 0, PREREQ: 0, UPDATE: 0, ADDITIONAL: 0
> ;; UPDATE SECTION:
> _ldap._tcp.Default-First-Site-Name._
> sites.ForestDnsZones.clients.i.rdmedia.com. 900 IN SRV 0 100 389
> fluorine.clients.i.rdmedia.com.
>
> Many thanks in advance for your assistance.
>
>
> --
> Tiemen Ruiten
> Systems Engineer
> R&D Media
> --
> Manage your subscription for the Freeipa-users mailing list:
> https://www.redhat.com/mailman/listinfo/freeipa-users
> Go to http://freeipa.org for more info on the project