FreeIPA and Active Directory integration

Hi guys, I installed 2 FreeIPA servers, one as the master and the other as the replica, let's say with the linux.example.com domain, and tried to make a one-way trust. I did install ipa-server-trust-ad and made the forwarder zone to my AD server, and I disabled DNSSEC on my Linux server so they can reach each other, but every time I try (ipa trust-add --type=ad example.com --admin administrator) I get this error even though I know the password and the user are right:

ipa: ERROR: CIFS server communication error: code “3221225473”, message “{Operation Failed} The requested operation was unsuccessful.” (both may be “None”)

I’ve seen this as a result of being in FIPS mode or changing the security policy. But FIPS mode should work. This is what I would check:

In your Samba debug logs, see if you're getting "Failed to add dn: ... cn=trusts..., error: 50 (Insufficient access)". If you are getting this, check:

Run ipa service-show cifs/ipa01.idm.example.com@IDM.EXAMPLE.COM --all --raw and verify the entry has memberof attributes such as:

memberof: cn=adtrust agents, cn=sysaccounts,...
memberof: cn=ADTrust Agents,cn=privileges,cn=pbac,...
memberof: cn=System: Read system trust accounts,cn=permissions,cn=pbac,...

If you find that the above is not true, you will need to run ipa-adtrust-install on your IPA systems, which should recreate all the missing entries.
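The two checks from the answer above, collected into a script. This is an added example and not code from the thread or from FreeIPA itself: the three memberof values are the ones the answer lists, the hostname ipa01.idm.example.com and realm IDM.EXAMPLE.COM are taken from the answer's example command (override them with IPA_HOST / IPA_REALM), and the sample service-show output and Samba log line are constructed here so the script can be run offline.

```shell
#!/bin/sh
# Added example (not part of the original thread): scripted versions of the
# two checks from the answer. The required memberof list comes from the answer;
# SAMPLE_RAW and SAMPLE_LOG are constructed samples for an offline run.

# Assumed hostname and realm (from the answer's example command); override as needed.
IPA_HOST="${IPA_HOST:-ipa01.idm.example.com}"
IPA_REALM="${IPA_REALM:-IDM.EXAMPLE.COM}"

# The three memberof values the cifs/ principal must carry. They are matched
# case-insensitively as prefixes of the full DNs that --raw prints.
REQUIRED_MEMBEROF='cn=adtrust agents,cn=sysaccounts
cn=adtrust agents,cn=privileges,cn=pbac
cn=system: read system trust accounts,cn=permissions,cn=pbac'

# check_memberof: reads `ipa service-show ... --all --raw` output on stdin.
# Prints each missing memberof value; returns 0 if all are present, 1 otherwise.
check_memberof() {
    raw=$(tr 'A-Z' 'a-z')      # normalise case; IPA prints mixed-case RDNs
    missing=0
    while IFS= read -r want; do
        [ -n "$want" ] || continue
        if ! printf '%s\n' "$raw" | grep -Fq -- "memberof: $want"; then
            echo "MISSING memberof: $want"
            missing=1
        fi
    done <<EOF
$REQUIRED_MEMBEROF
EOF
    return $missing
}

# samba_log_has_trust_acl_error: reads Samba log text on stdin; returns 0 when
# the "Failed to add dn: ... cn=trusts ... error: 50 (Insufficient access)"
# signature from the answer is present, 1 otherwise.
samba_log_has_trust_acl_error() {
    grep -Eq 'Failed to add dn:.*cn=trusts.*error: 50 \(Insufficient access\)'
}

# Constructed sample: a cifs/ service entry that has the sysaccounts group
# membership but lacks the privilege and permission memberships.
SAMPLE_RAW='dn: krbprincipalname=cifs/ipa01.idm.example.com@IDM.EXAMPLE.COM,cn=services,cn=accounts,dc=idm,dc=example,dc=com
krbprincipalname: cifs/ipa01.idm.example.com@IDM.EXAMPLE.COM
memberof: cn=adtrust agents,cn=sysaccounts,cn=etc,dc=idm,dc=example,dc=com'

# Constructed sample Samba log line carrying the signature from the answer.
SAMPLE_LOG='Failed to add dn: cn=example.com,cn=ad,cn=trusts,dc=idm,dc=example,dc=com, error: 50 (Insufficient access)'

# Stand-alone run: query the live entry when the ipa client is installed (needs
# a valid admin Kerberos ticket); otherwise demonstrate on the constructed samples.
if command -v ipa >/dev/null 2>&1; then
    ipa service-show "cifs/${IPA_HOST}@${IPA_REALM}" --all --raw | check_memberof \
        && echo "cifs/${IPA_HOST}: all ADTrust memberof entries present" \
        || echo "cifs/${IPA_HOST}: entries missing; run ipa-adtrust-install on each IPA server"
else
    if printf '%s\n' "$SAMPLE_RAW" | check_memberof; then
        echo "sample: all ADTrust memberof entries present"
    else
        echo "sample: entries missing; run ipa-adtrust-install on each IPA server"
    fi
    if printf '%s\n' "$SAMPLE_LOG" | samba_log_has_trust_acl_error; then
        echo "sample log: trust-object ACL failure (error 50) seen"
    fi
fi
```

On a real server, pipe the output of /var/log/samba/log.smbd (or wherever your Samba debug log lands) into samba_log_has_trust_acl_error and the live service-show output into check_memberof; a non-zero return from check_memberof is the condition under which the answer says to rerun ipa-adtrust-install.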
