On Tue, 09 Mar 2021, iulian roman via FreeIPA-users wrote:
Thank you for clarifications Alexander.
OS version: Ubuntu 18.04.2 LTS
samba version : Version 4.7.6-Ubuntu
FreeIPA version: 4.7.4
If I understand correctly, it does not make any sense to continue
troubleshooting as long as AD trust is not supported with this OS
version. I'll try to see what are the OS alternatives I can use and
which do properly support FreeIPA.
Han Boetes (Han on #freeipa) did build Samba against MIT Kerberos some
time ago to experiment with similar stuff but he runs IPA DC on Fedora
and only needs Samba domain members on Ubuntu:
https://launchpad.net/~hboetes/+archive/ubuntu/samba-mit-kerberos
I do not really recommend running IPA DCs on Ubuntu/Debian at the moment
if you need trust to Active Directory. This mode is not tested by anyone
in FreeIPA upstream development team and bugs reported would not be
fixed.
Since this year, if you need RHEL, you can run RHEL in production as a
part of the RHEL Developer program as well. It has some limitations
(only 16 instances of RHEL machines can be done by a single RHEL
Developer account and it is all self-support unless you buy additional
support on top of it) but it is a viable option.
On the other hand, Fedora gives you another option, including up to date
FreeIPA versions.
Interesting is that while running the ipa trust-add command, there is
no communication with the AD domain controller in tcpdump, so probably
it is stopped even before contacting the DC due to incompatibility.
Correct.
--
/ Alexander Bokovoy
Sr. Principal Software Engineer
Security / Identity Management Engineering
Red Hat Limited, Finland