Freeipa and active directory integration

hi guys i installed 2 freeipa servers one as master and the other is the replica let’s say with domain and tried to make one way trust i did install the ipa-server-trust-ad and made the forwarder zone to my AD server i disable the dnssec in my linux server so they can reach each other but everytime i tried the (ipa trust-ad --type=ad --admin administrator ) i got this erro even though i now the password and the user are right

ipa: ERROR: CIFS server communication error: code “3221225473”, message “{Operation Failed} The requested operation was unsuccessful.” (both may be “None”)

I’ve seen this as a result of being in FIPS mode or changing the security policy. But FIPS mode should work. This is what I would check:

In your samba debug logs, see if you’re getting Failed to add dn: ... cn=trusts..., error: 50 (Insufficient access) - If you are getting this, check:

ipa service-show cifs/ --all --raw and verify it has memberof attributes such as:

memberof: cn=adtrust agents, cn=sysaccounts,...
memberof: cn=ADTrust Agents,cn=privileges,cn=pbac,...
memberof: cn=System: Read system trust accounts,cn=permissions,cn=pbac,...

If you find that the above is not true, you will need to run ipa-adtrust-install on your IPA systems, which should recreate all the missing entries.

1 Like