> On 20 Jul 2018, at 17:51, Rene Trippen via FreeIPA-users <freeipa-users(a)lists.fedorahosted.org> wrote:
>
> Hi there,
>
> I've got an external trust established between the IPA server and an AD
> domain (child of parent)
>
> ipa trust-add --type=ad subdomain.main.corp.com --external=true
> Active Directory domain administrator: ipatrust0
> Active Directory domain administrator's password:
> -------------------------------------------------------------------------
> Added Active Directory trust for realm "subdomain.main.corp.com"
> -------------------------------------------------------------------------
> Realm name: subdomain.main.corp.com
> Domain NetBIOS name: SUBDOMAIN
> Domain Security Identifier: S-1-5-21-653292258-51847207-622671684
> Trust direction: Trusting forest
> Trust type: Non-transitive external trust to a domain in another Active Directory forest
> Trust status: Established and verified
>
> But, when I try to get users or groups from the AD, nothing is returned
>
> getent passwd user1(a)subdomain.main.corp.com -> nothing
>
> wbinfo -n "SUBDOMAIN\user1"
> failed to call wbcLookupName: WBC_ERR_DOMAIN_NOT_FOUND
> Could not lookup name SUBDOMAIN\user1
>
> wbinfo -m
> BUILTIN
> IPA
> SUBDOMAIN
>
> ipa dns-update-system-records --dry-run
> IIPA DNS records:
>
> _kerberos-master._tcp.ipa.main.corp.com. 86400 IN SRV 0 100 88 ipa1.ipa.main.corp.com.
> _kerberos-master._udp.ipa.main.corp.com. 86400 IN SRV 0 100 88 ipa1.ipa.main.corp.com.
> _kerberos._tcp.Default-First-Site-Name._sites.dc._msdcs.ipa.main.corp.com. 86400 IN SRV 0 100 88 ipa1.ipa.main.corp.com.
> _kerberos._tcp.dc._msdcs.ipa.main.corp.com. 86400 IN SRV 0 100 88 ipa1.ipa.main.corp.com.
> _kerberos._tcp.ipa.main.corp.com. 86400 IN SRV 0 100 88 ipa1.ipa.main.corp.com.
> _kerberos._udp.Default-First-Site-Name._sites.dc._msdcs.ipa.main.corp.com. 86400 IN SRV 0 100 88 ipa1.ipa.main.corp.com.
> _kerberos._udp.dc._msdcs.ipa.main.corp.com. 86400 IN SRV 0 100 88 ipa1.ipa.main.corp.com.
> _kerberos._udp.ipa.main.corp.com. 86400 IN SRV 0 100 88 ipa1.ipa.main.corp.com.
> _kerberos.ipa.main.corp.com. 86400 IN TXT "IPA.MAIN.CORP.COM"
> _kpasswd._tcp.ipa.main.corp.com. 86400 IN SRV 0 100 464 ipa1.ipa.main.corp.com.
> _kpasswd._udp.ipa.main.corp.com. 86400 IN SRV 0 100 464 ipa1.ipa.main.corp.com.
> _ldap._tcp.Default-First-Site-Name._sites.dc._msdcs.ipa.main.corp.com. 86400 IN SRV 0 100 389 ipa1.ipa.main.corp.com.
> _ldap._tcp.dc._msdcs.ipa.main.corp.com. 86400 IN SRV 0 100 389 ipa1.ipa.main.corp.com.
> _ldap._tcp.ipa.main.corp.com. 86400 IN SRV 0 100 389 ipa1.ipa.main.corp.com.
> _ntp._udp.ipa.main.corp.com. 86400 IN SRV 0 100 123 ipa1.ipa.main.corp.com.
> ipa-ca.ipa.main.corp.com. 86400 IN A 10.1.17.123
>
> The IPA server and the AD machines are in the same net, without
> firewall segmentation.
> The ADs are 2008R2.
> The IPA server is a CentOS (latest), with the following IPA version installed:
>
> ipa-common-4.5.4-10.el7.centos.3.noarch
> ipa-server-trust-ad-4.5.4-10.el7.centos.3.x86_64
> ipa-client-4.5.4-10.el7.centos.3.x86_64
> ipa-server-dns-4.5.4-10.el7.centos.3.noarch
> ipa-server-common-4.5.4-10.el7.centos.3.noarch
> ipa-client-common-4.5.4-10.el7.centos.3.noarch
> ipa-server-4.5.4-10.el7.centos.3.x86_64
>
> I can provide you tons of logs, but I don't know where to start.

Logs from sssd on the IPA master are usually a good point to start, see
https://docs.pagure.org/SSSD.sssd/users/troubleshooting.html

Thank you, that helped me understand some things better, but
unfortunately, it doesn't help with my problem :/
>
> Best regards,
> Rene