We've set up a two-way trust with AD and it seems to have worked, but it
doesn't look like it is working correctly.
The Kerberos commands (kinit and kvno) work fine, but things like 'id
aduser@addomain.example.com' and 'getent passwd aduser@addomain.example.com'
don't work.
# ipa trust-add --type ad addomain.example.com --admin adadmin --password --two-way=true
Active Directory domain administrator's password:
-----------------------------------------------------
Added Active Directory trust for realm "addomain.example.com"
-----------------------------------------------------
  Realm name: addomain.example.com
  Domain NetBIOS name: ADDOMAIN
  Domain Security Identifier: S-1-5-21-2229161606-873856335-779138662
  Trust direction: Two-way trust
  Trust type: Active Directory domain
  Trust status: Established and verified
# kinit aduser@addomain.example.com
Password for aduser@addomain.example.com:
# klist
Ticket cache: KEYRING:persistent:0:krb_ccache_o3D2R5S
Default principal: aduser@ADDOMAIN.EXAMPLE.COM

Valid starting       Expires              Service principal
07/20/2017 12:16:41  07/20/2017 22:16:41  krbtgt/ADDOMAIN.EXAMPLE.COM@ADDOMAIN.EXAMPLE.COM
        renew until 07/21/2017 12:16:38
# id aduser@addomain.example.com
id: ‘aduser@addomain.example.com’: no such user
Is this the best way to test the trust?
We are running FreeIPA 4.4 and Windows Server 2012 R2
When setting up the trust we needed to modify /etc/hosts as described in
https://bugzilla.redhat.com/show_bug.cgi?id=878168
Thanks,
Steve
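Added example, not part of Steve's post and not FreeIPA project code: a shell check that follows the trust from `ipa trust-show` through the ID range to an SSSD lookup, which is the chain that has to hold before `id` and `getent passwd` can resolve an AD user. It assumes it is run as root on the IPA server, that the `ipa`, `getent` and `sssctl` commands are present, and that `ipa trust-show` / `ipa idrange-find` print the labels parsed below ("Trust status:", "Domain Security Identifier:", "Range name:", "Domain SID of the trusted domain:"). The sample outputs at the bottom are constructed from the values in the post (the IPA realm name in them is invented) so the parsers can be exercised without a trust.

```shell
#!/bin/sh
# Diagnostic for an IPA-AD trust where kinit works but getent/id do not.
# Assumption: run on the IPA server; `ipa`, `getent`, `sssctl` available.

TRUSTED_DOMAIN="${1:-addomain.example.com}"
TEST_USER="${2:-aduser}"

# Succeed only if `ipa trust-show` output reports the trust as verified.
trust_is_verified() {
    printf '%s\n' "$1" | grep -q 'Trust status: Established and verified'
}

# Print the AD domain SID from `ipa trust-show` output.
trust_sid() {
    printf '%s\n' "$1" | sed -n 's/^ *Domain Security Identifier: *//p'
}

# Given `ipa idrange-find` output and a SID, print the name of the ID range
# bound to that SID (exit 1 if none). Without such a range SSSD has no way to
# map the AD user's SID to a POSIX UID, so lookups fail even though the
# Kerberos side of the trust works.
range_for_sid() {
    printf '%s\n' "$1" | awk -v sid="$2" '
        /Range name:/ { sub(/^ *Range name: */, ""); name = $0 }
        /Domain SID of the trusted domain:/ {
            sub(/^ *Domain SID of the trusted domain: */, "")
            if ($0 == sid) { print name; found = 1; exit }
        }
        END { exit found ? 0 : 1 }'
}

# Walk the chain on a live server: trust -> SID -> ID range -> SSSD lookup.
check_trust() {
    show=$(ipa trust-show "$TRUSTED_DOMAIN") || { echo "ipa trust-show failed"; return 1; }
    trust_is_verified "$show" || { echo "trust is not 'Established and verified'"; return 1; }
    sid=$(trust_sid "$show")
    ranges=$(ipa idrange-find --all) || { echo "ipa idrange-find failed"; return 1; }
    range=$(range_for_sid "$ranges" "$sid") || {
        echo "no ID range for $sid; try: ipa trust-fetch-domains $TRUSTED_DOMAIN"; return 1; }
    echo "SID $sid is served by ID range $range"
    # The lookup name uses the lower-case DNS domain, as in the post.
    if getent passwd "$TEST_USER@$TRUSTED_DOMAIN" >/dev/null; then
        echo "SSSD resolves $TEST_USER@$TRUSTED_DOMAIN"
    else
        echo "SSSD lookup failed; inspect: sssctl domain-status $TRUSTED_DOMAIN and /var/log/sssd/"
        return 1
    fi
}

# Constructed sample outputs (values taken from the post; realm name invented).
SAMPLE_TRUST_SHOW='  Realm name: addomain.example.com
  Domain NetBIOS name: ADDOMAIN
  Domain Security Identifier: S-1-5-21-2229161606-873856335-779138662
  Trust direction: Two-way trust
  Trust type: Active Directory domain
  Trust status: Established and verified'

SAMPLE_IDRANGE_FIND='  Range name: EXAMPLE.COM_id_range
  First Posix ID of the range: 1230000000
  Number of IDs in the range: 200000
  Range type: local domain range

  Range name: ADDOMAIN.EXAMPLE.COM_id_range
  First Posix ID of the range: 1720000000
  Number of IDs in the range: 200000
  Domain SID of the trusted domain: S-1-5-21-2229161606-873856335-779138662
  Range type: Active Directory domain range'

if command -v ipa >/dev/null 2>&1; then
    check_trust
else
    echo "ipa CLI not found; run this on the IPA server" >&2
fi
```

Run it as `sh check-trust.sh addomain.example.com aduser` on the IPA server. A trust that is "Established and verified" but has no ID range for its SID is the usual explanation for exactly the symptom in the post: the KDC cross-realm path works, so kinit succeeds, while SSSD cannot assign a UID and `id`/`getent` report no such user.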