On Mon, 22 Jul 2019, Andrew Meyer via FreeIPA-users wrote:
Hello,
I am working on setting up FreeIPA with AD integration and seem to be
running into an issue. It's possible that I am also doing something wrong.
I am setting it up to talk to MS Windows Server 2012r2. Following directions
on https://www.freeipa.org/page/Active_Directory_trust_setup
I have not edited the /etc/krb5.conf (I figured that needed to happen on
the client machines.)

Please use official documentation instead. The page above was written
quite a few years ago by test engineers to help themselves to get
through various test scenarios. You are better off using
https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/...

I am actually at this step:
https://www.freeipa.org/page/Active_Directory_trust_setup#Create_external...
I am getting the following error:
[andrew.meyer@freeipa01 ~]$ sudo ipa group-add-member ad_admins_external --external 'MEYER-AD\Domain Admins'
[member user]:
[member group]:
Group name: ad_admins_external
Description: ad.meyer.local admins external map
External member: S-1-5-21-2117027177-2554619188-4034396183-512,
S-1-5-21-2117027177-2554619188-4034396183-1106
Member users: andrew.meyer
Member groups: ad_admins
Member of groups: ad_admins, ipausers
Indirect Member groups: ad_admins_external
Failed members:
member user:
member group: MEYER-AD\Domain Admins: invalid 'trusted domain object':
no trusted domain matched the specified flat name

This particular error message says that there is no trust to AD with
'MEYER-AD' as its NetBIOS name.
It might be that the trust wasn't established successfully, thus it is
not possible to use it to resolve users.
Start with 'ipa trust-find' output.
--
/ Alexander Bokovoy
Sr. Principal Software Engineer
Security / Identity Management Engineering
Red Hat Limited, Finland