Hi. Is it possible to create a trust between FreeIPA (v. 4.9.6) and Samba AD DC (v. 4.13.5)?
I tried to create the trust via this command: ipa -d -v trust-add --type ad --two-way=true ad.idp.t.dom --admin Administrator --password
(the same command works correctly with Microsoft AD, but I need it with Samba AD DC)
but I always get this error: ipa: ERROR: an internal error has occurred
Is it even possible to create a trust between them? What do I need to do?
Thanks
On Sat, 16 Oct 2021, Jakub Novak via FreeIPA-users wrote:
> Hi. Is it possible to create a trust between FreeIPA (v. 4.9.6) and Samba AD DC (v. 4.13.5)?
> I tried to create the trust via this command: ipa -d -v trust-add --type ad --two-way=true ad.idp.t.dom --admin Administrator --password
> (the same command works correctly with Microsoft AD, but I need it with Samba AD DC)
> but I always get this error: ipa: ERROR: an internal error has occurred
> Is it even possible to create a trust between them? What do I need to do?
Trust between the two should be working. Things to check:
- FreeIPA running on RHEL/CentOS/Fedora and linked with MIT Kerberos. I assume this part is OK because it works with Microsoft AD in your case.
- Both IPA and Samba AD using the same ciphers. In Fedora 33+/RHEL 8.3+ we disabled RC4-HMAC by default, while Samba AD currently has a bug that prefers RC4-HMAC [1], which was only fixed this week. Enabling the AD-SUPPORT crypto sub-policy might make RC4-HMAC work again on the IPA side.
In any case, please provide (off list) server debug logs of your attempt to establish the trust. I don't need the output of your 'ipa' command above. Instead, httpd's error_log and the samba logs are needed, as outlined in [2].
[1] https://bugzilla.samba.org/show_bug.cgi?id=14864
[2] https://www.freeipa.org/page/Active_Directory_trust_setup#Debugging_trust
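As an added example for the cipher check in the reply above (this is not code from the thread, nor from the FreeIPA or Samba projects), here is a small POSIX shell check that reads the crypto-policies Kerberos back-end file and reports whether RC4-HMAC (spelled arcfour-hmac-md5 or rc4-hmac in krb5 enctype lists) is permitted on the IPA side. The path /etc/crypto-policies/back-ends/krb5.config and the "permitted_enctypes = ..." line layout are assumptions about how the policy is rendered on Fedora 33+/RHEL 8.3+; the two sample files are constructed for the demo. The command to switch to the AD-SUPPORT sub-policy is only printed, never executed.

```shell
#!/bin/sh
# Added example, not from the thread. Assumption: the crypto-policies krb5
# back-end (/etc/crypto-policies/back-ends/krb5.config on Fedora 33+/RHEL 8.3+)
# carries the allowed enctypes on a "permitted_enctypes = ..." line, and
# RC4-HMAC appears there as arcfour-hmac-md5 once AD-SUPPORT is enabled.

# rc4_permitted FILE
# Returns 0 if FILE permits RC4-HMAC (arcfour-hmac-md5 / rc4-hmac), 1 otherwise.
# Only uncommented "permitted_enctypes" lines are considered.
rc4_permitted() {
    grep -E '^[[:space:]]*permitted_enctypes[[:space:]]*=' "$1" 2>/dev/null \
        | grep -qiE 'arcfour-hmac|rc4-hmac'
}

# policy_verdict FILE
# Prints "rc4-permitted" or "rc4-blocked" for FILE.
policy_verdict() {
    if rc4_permitted "$1"; then
        echo "rc4-permitted"
    else
        echo "rc4-blocked"
    fi
}

# Demo on two constructed sample files (not real policy output):
# one shaped like the DEFAULT policy, one shaped like DEFAULT:AD-SUPPORT.
tmp=$(mktemp -d)
printf '[libdefaults]\npermitted_enctypes = aes256-cts-hmac-sha1-96 aes128-cts-hmac-sha1-96\n' \
    > "$tmp/default.config"
printf '[libdefaults]\npermitted_enctypes = aes256-cts-hmac-sha1-96 aes128-cts-hmac-sha1-96 arcfour-hmac-md5\n' \
    > "$tmp/ad-support.config"
for f in "$tmp/default.config" "$tmp/ad-support.config"; do
    echo "$(basename "$f"): $(policy_verdict "$f")"
done
rm -rf "$tmp"

# On a real host, also report the live policy (assumed path) and, if RC4-HMAC
# is blocked, print the sub-policy switch an admin would run before retrying
# ipa trust-add against a Samba AD DC that still prefers RC4-HMAC.
live=/etc/crypto-policies/back-ends/krb5.config
if [ -r "$live" ]; then
    echo "live policy: $(policy_verdict "$live")"
    if ! rc4_permitted "$live"; then
        echo "RC4-HMAC is blocked; to allow it for the AD trust run:"
        echo "    update-crypto-policies --set DEFAULT:AD-SUPPORT"
    fi
fi
```

Run it on the IPA server before re-attempting the trust; if the live policy reports rc4-blocked while the Samba side is still on a release affected by [1], that mismatch is the first thing to resolve (or to look for in the httpd error_log and samba logs requested above).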
freeipa-users@lists.fedorahosted.org