#4479 trust-add should not be run with DCs without PDC role
Closed: Fixed. Opened 9 years ago by mkosek.

Ticket was cloned from Red Hat Bugzilla (product Red Hat Enterprise Linux 7): Bug 1127895

Please note that this Bug is private and may not be accessible as it contains confidential Red Hat customer information.

Description of problem:

Having a working trust relationship against an AD domain, I am able to establish
a second trust relationship against a second AD domain. Both domains are not
related and have different DNS zones. IdM does not manage its DNS zone.

When I try to add an AD user to an external group I get the following error:
"ITG\rhel3: trusted domain object not found"

After following Alexander's recommendations, it seems that ipa doesn't handle the
discovery of the PDC well enough to fail over to a proper one.

In the logs: the server iv4w0006.itg.net is not a primary domain
controller. Because of this, when we set the forest trust information corresponding
to the IdM domain, it returns a failure, as specified in MS-LSAD 3.1.4.7.16, and the AD
side doesn't recognize the name suffix route to the primary DNS domain of the IdM domain.
As a result, AD doesn't allow issuing a cross-realm TGT to IdM principals.


Version-Release number of selected component (if applicable):

RHEL 7.0 with no updates.


How reproducible:


Steps to Reproduce:
1. Create trust
2. Add AD user to external group

Actual results:

AD users cannot be added to external groups.

Expected results:

AD users can be added to external groups.
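The failure described above comes from writing forest trust information to a DC that does not hold the PDC emulator role. A practical check before running trust-add is to resolve the AD-registered SRV record `_ldap._tcp.pdc._msdcs.<domain>` (the PDC emulator is the only DC that registers it) and compare it with the DC the generic `_ldap._tcp.dc._msdcs.<domain>` lookup would hand you. The following is an added example, not FreeIPA's dcerpc.py code and not the fix referenced in the commits below; it implements RFC 2782 SRV ordering and the PDC check over a constructed zone. The DC iv4w0006.itg.net is taken from the ticket; the PDC host name iv4w0001.itg.net and the record priorities and weights are hypothetical.

```python
"""Added example (not FreeIPA code): verify that the DC a trust operation will
talk to is the PDC emulator, using the _msdcs SRV records AD registers.

Runs offline against constructed sample data. The equivalent live query is:
    dig +short SRV _ldap._tcp.pdc._msdcs.itg.net
"""
import random
from dataclasses import dataclass
from typing import Callable, Dict, Iterable, List, Optional


@dataclass(frozen=True)
class SRV:
    priority: int
    weight: int
    port: int
    target: str  # DC hostname as it appears in DNS (may carry a trailing dot)


def _norm(name: str) -> str:
    """Canonical form for DNS names: lowercase, no trailing dot."""
    return name.rstrip(".").lower()


def order_srv(records: Iterable[SRV], rng: Optional[random.Random] = None) -> List[SRV]:
    """Order SRV records per RFC 2782: ascending priority, then a weighted
    random draw within each priority (heavier targets tend to come first)."""
    rng = rng or random.Random()
    by_prio: Dict[int, List[SRV]] = {}
    for r in records:
        by_prio.setdefault(r.priority, []).append(r)
    ordered: List[SRV] = []
    for prio in sorted(by_prio):
        pool = sorted(by_prio[prio], key=lambda r: r.weight != 0)  # weight 0 first
        while pool:
            total = sum(r.weight for r in pool)
            pick = rng.randint(0, total)
            acc = 0
            for i, r in enumerate(pool):
                acc += r.weight
                if acc >= pick:
                    ordered.append(pool.pop(i))
                    break
    return ordered


Lookup = Callable[[str], List[SRV]]


def pdc_for_domain(domain: str, srv_lookup: Lookup) -> Optional[str]:
    """Return the PDC emulator host for `domain`, or None if AD has not
    registered _ldap._tcp.pdc._msdcs.<domain> (only the PDC emulator does)."""
    recs = srv_lookup(f"_ldap._tcp.pdc._msdcs.{_norm(domain)}")
    if not recs:
        return None
    # More than one record would mean a stale registration; still take the
    # RFC 2782 order rather than guessing.
    return _norm(order_srv(recs)[0].target)


def is_pdc(dc_host: str, domain: str, srv_lookup: Lookup) -> bool:
    """True if `dc_host` is the DC holding the PDC emulator role for `domain`."""
    pdc = pdc_for_domain(domain, srv_lookup)
    return pdc is not None and _norm(dc_host) == pdc


def choose_trust_dc(domain: str, srv_lookup: Lookup) -> str:
    """Pick the DC for trust setup. The forest trust information write
    (MS-LSAD 3.1.4.7.16) has to go to the PDC emulator, so refuse to fall back
    to an arbitrary DC from _ldap._tcp.dc._msdcs instead of failing later."""
    pdc = pdc_for_domain(domain, srv_lookup)
    if pdc:
        return pdc
    any_dc = order_srv(srv_lookup(f"_ldap._tcp.dc._msdcs.{_norm(domain)}"))
    if not any_dc:
        raise LookupError(f"no domain controllers registered for {domain}")
    raise LookupError(
        f"no PDC emulator SRV record for {domain}; DCs found: "
        + ", ".join(_norm(r.target) for r in any_dc)
        + " (refusing to write forest trust info to a non-PDC)"
    )


# Constructed sample zone. iv4w0006.itg.net is the non-PDC DC from the ticket;
# iv4w0001.itg.net as the PDC, and all priorities/weights, are hypothetical.
SAMPLE_ZONE: Dict[str, List[SRV]] = {
    "_ldap._tcp.dc._msdcs.itg.net": [
        SRV(0, 100, 389, "iv4w0006.itg.net."),
        SRV(0, 100, 389, "iv4w0001.itg.net."),
    ],
    "_ldap._tcp.pdc._msdcs.itg.net": [
        SRV(0, 100, 389, "iv4w0001.itg.net."),
    ],
}


def sample_lookup(name: str) -> List[SRV]:
    """Stand-in for a real SRV resolver, answering from SAMPLE_ZONE."""
    return SAMPLE_ZONE.get(_norm(name), [])


if __name__ == "__main__":
    print("PDC for itg.net:", pdc_for_domain("itg.net", sample_lookup))
    print("iv4w0006.itg.net is PDC:", is_pdc("iv4w0006.itg.net", "itg.net", sample_lookup))
    print("DC to use for trust-add:", choose_trust_dc("itg.net", sample_lookup))
```

For a live check, replace `sample_lookup` with a resolver that returns the SRV answer for the name (for example via dnspython's `dns.resolver.resolve(name, "SRV")`); the rest of the logic is unchanged. Note that this only tells you which host AD advertises as the PDC emulator; the trust code must still actually connect to that host rather than to whichever DC a generic lookup returned.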

We need to make sure we talk to a DC with the right role (documentation).

As this is an AD trust stabilization fix which is now ready, I think it should also be part of 4.0.2.

master:

  • 23e0bc4 ipaserver/dcerpc.py: make PDC discovery more robust

ipa-4-1:

  • 214c23b ipaserver/dcerpc.py: make PDC discovery more robust

ipa-4-0:

  • 5681043 ipaserver/dcerpc.py: make PDC discovery more robust

ipa-3-3:

  • b252cca ipaserver/dcerpc.py: make PDC discovery more robust

Metadata Update from @mkosek:
- Issue assigned to abbra
- Issue set to the milestone: FreeIPA 4.0.2

7 years ago
