Discussion:
[Freeipa-users] Error trying to use trusted AD objects: trusted domain object not found
Patrick Hemmer
2017-05-14 06:17:32 UTC
Permalink
I'm working on spinning up a FreeIPA server with an AD trust. I've
followed the official guide
(https://www.freeipa.org/page/Active_Directory_trust_setup), and
everything works up to the point of trying to add external members to
the group. Whenever I try I get:

# ipa group-add-member ad_admins_external --external 'CHEWY\Domain Admins'
[member user]:
[member group]:
Group name: ad_admins_external
Description: ad_domain admins external map
Failed members:
member user:
member group: CHEWY\Domain Admins: trusted domain object not found
-------------------------
Number of members added 0
-------------------------


I turned up the debugging to 100, re-established the trust, and tried to
perform the group-add-member again. Logs have uploaded the logs here:
https://s3.amazonaws.com/phemmer-misc/freeipa-logs.tar.gz
I'm just testing the procedure on a couple local development VMs, so
there's nothing sensitive in there.

Confusingly, according to the httpd log the operation was successful:
[Sun May 14 01:49:24.171867 2017] [:error] [pid 23688] ipa: INFO:
[jsonserver_session] ***@LOCAL:
group_add_member/1(u'ad_admins_external',
ipaexternalmember=(u'CHEWY\\\\Domain Admins',), version=u'2.213'): SUCCESS

I'm not sure where the issue here lies. So any insight would be appreciated.

This is with:
CentOS/7 7.3.1611
FreeIPA 4.4.0
AD is Windows Server 2008 R2

-Patrick
Alexander Bokovoy
2017-05-14 08:19:23 UTC
Permalink
Post by Patrick Hemmer
I'm working on spinning up a FreeIPA server with an AD trust. I've
followed the official guide
(https://www.freeipa.org/page/Active_Directory_trust_setup), and
everything works up to the point of trying to add external members to
# ipa group-add-member ad_admins_external --external 'CHEWY\Domain Admins'
Group name: ad_admins_external
Description: ad_domain admins external map
member group: CHEWY\Domain Admins: trusted domain object not found
-------------------------
Number of members added 0
-------------------------
I turned up the debugging to 100, re-established the trust, and tried to
https://s3.amazonaws.com/phemmer-misc/freeipa-logs.tar.gz
I'm just testing the procedure on a couple local development VMs, so
there's nothing sensitive in there.
group_add_member/1(u'ad_admins_external',
ipaexternalmember=(u'CHEWY\\\\Domain Admins',), version=u'2.213'): SUCCESS
I'm not sure where the issue here lies. So any insight would be appreciated.
The issue is in your choice of IPA domain name: local. This is not going
to work with AD -- as you can see, there are subtle issues. Even though
AD DC accepts a trust to LOCAL forest, it cannot really operate it
internally, thus even looking up forest topology fails at the point when
IPA framework attempts to authenticate. See [1] for list of limitations
in pure Active Directory for single-label domains.

[1] https://support.microsoft.com/en-us/help/300684/deployment-and-operation-of-active-directory-domains-that-are-configured-by-using-single-label-dns-names

We don't recommend using single-label DNS configurations. Even in a lab
environment they are source of various issues.
--
/ Alexander Bokovoy
--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project
Patrick Hemmer
2017-05-14 23:09:11 UTC
Permalink
Post by Alexander Bokovoy
Post by Patrick Hemmer
I'm working on spinning up a FreeIPA server with an AD trust. I've
followed the official guide
(https://www.freeipa.org/page/Active_Directory_trust_setup), and
everything works up to the point of trying to add external members to
# ipa group-add-member ad_admins_external --external 'CHEWY\Domain Admins'
Group name: ad_admins_external
Description: ad_domain admins external map
member group: CHEWY\Domain Admins: trusted domain object not found
-------------------------
Number of members added 0
-------------------------
I turned up the debugging to 100, re-established the trust, and tried to
https://s3.amazonaws.com/phemmer-misc/freeipa-logs.tar.gz
I'm just testing the procedure on a couple local development VMs, so
there's nothing sensitive in there.
group_add_member/1(u'ad_admins_external',
ipaexternalmember=(u'CHEWY\\\\Domain Admins',), version=u'2.213'): SUCCESS
I'm not sure where the issue here lies. So any insight would be appreciated.
The issue is in your choice of IPA domain name: local. This is not going
to work with AD -- as you can see, there are subtle issues. Even though
AD DC accepts a trust to LOCAL forest, it cannot really operate it
internally, thus even looking up forest topology fails at the point when
IPA framework attempts to authenticate. See [1] for list of limitations
in pure Active Directory for single-label domains.
[1]
https://support.microsoft.com/en-us/help/300684/deployment-and-operation-of-active-directory-domains-that-are-configured-by-using-single-label-dns-names
We don't recommend using single-label DNS configurations. Even in a lab
environment they are source of various issues.
Thanks, switching to a second level domain did indeed solve the issue.

-Patrick

Loading...