Ticket was cloned from Red Hat Bugzilla (product Red Hat Enterprise Linux 7): Bug 1127895
Please note that this Bug is private and may not be accessible as it contains confidential Red Hat customer information.
Description of problem: Having a working trust relationship against an AD domain I am able to establish a second trust relationship against a second AD domain. Both domains are no related and have different DNS zones. IdM does not manage its DNS zone. When I try to add an AD user to a external group I got the following error: "ITG\rhel3: trusted domain object not found" After following Alexander recommendations it seems that ipa doesn't handle the discovery of PDC well enough to fall over to a proper one. In the logs: the server iv4w0006.itg.net is not a primary domain controller. Due to this when we set forest trust information corresponding to IdM domain, it returns a failure, as specified in MS-LSAD 3.1.4.7.16, and AD side doesn't recognize name suffix route to primary DNS domain of IdM domain. As result, AD doesn't allow to issue cross-realm TGT to IdM principals. Version-Release number of selected component (if applicable): RHEL 7.0 with no updates. How reproducible: Steps to Reproduce: 1. Create trust 2. Add AD user to external group Actual results: AD users can not be added to external groups. Expected results: AD users have to be added to external groups.
We need to make sure we talk to DC with the right role (documentation).
As this is a AD trust stabilization fix which is now ready, I think it should also be part of 4.0.2.
master:
ipa-4-1:
ipa-4-0:
ipa-3-3:
Metadata Update from @mkosek: - Issue assigned to abbra - Issue set to the milestone: FreeIPA 4.0.2
Login to comment on this ticket.