FreeIPA AD trust

I Setup FREEIPA based on the RHEL 8 IDM AD-Trust all the settings and went as planned. When I ran

ipa trust-add --type=ad --admin administrator --password --range-type=ipa-ad-trust --two-way=true

Active Directory domain administrator’s password:

ipa: ERROR: AD DC was unable to reach any IPA domain controller. Most likely it is a DNS or firewall issue

I can see the trust in the IDM web console and able to run kinit administrator@WIN.FOO.LAN and that works.

But getting a service ticket fails

kvno -S host
kvno: Ticket not yet valid while getting credentials for host/idm1.lnx.corp.lan@LNX.FOO.LAN

I removed the trust and tried again this time using the Web console and it worked. What I am not sure about is how to setup AD groups in IDM so AD users can login to Freeipa resources. Any help is appreciated.

I figured out the mapping.
ipa group-add --desc=‘ad_domain admins external map’ ad_test_external --external
ipa group-add --desc=‘ad_domain test’ ad_test
ipa group-add-member ad_admins_external --external ‘win\test’

How ever users in the test group are unable to login.

Here is what the logs show

Sep 16 11:19:09 idm1.lnx.lan login[20719]: pam_sss(login:auth): authentication failure; logname=LOGIN uid=0 euid=0 tty=tty1 ruser= rhost= user=testuser@win.lan
Sep 16 11:19:09 idm1.lnx.lan login[20719]: pam_sss(login:auth): received for user testuser@win.lan: 6 (Permission denied)
Sep 16 11:19:10 idm1.lnx.lan login[20719]: FAILED LOGIN SESSION FROM tty1 FOR testuser@win.corp.lan, Authentication failure
Sep 16 11:19:14 idm1.lnx.lan systemd[1]: getty@tty1.service: Succeeded.
Sep 16 11:19:14 idm1.lnx.lan systemd[1]: getty@tty1.service: Service has no hold-off time (RestartSec=0), scheduling restart.
Sep 16 11:19:14 idm1.lnx.lan systemd[1]: getty@tty1.service: Scheduled restart job, restart counter is at 10.
Sep 16 11:19:14 idm1.lnx.lan systemd[1]: Stopped Getty on tty1.

You need to make sure your AD domain can properly see the IPA domain through srv records and firewall ports that IPA usually has open. Even if the IPA console says the trust is there, it does not mean it is working. Resolve this first before troubleshooting further.

Once you’ve resolved the above and you still cannot login with users, you will need to put sssd into debug mode to dig into your issue further. Troubleshooting Basics -

1 Like

Appears on my Windows server is not working as expected. I disabled the firewall on my Windows server and Freeipa servers.
Non-existent domain

Not surprised, the dns record probably doesn’t exist, the PAC is too big for udp. See here:

This topic was automatically closed 60 days after the last reply. New replies are no longer allowed.