Active directory FreeIPA Active Directory trust


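I established a trust between the AD domain and the FreeIPA domain using the official software, but there are still some strange problems. The first problem is: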

ipa trust-fetch-domains ourdomain.cz

ipa: ERROR: error on server 'ipa04.ipadomain.local': Fetching domains from trusted forest failed. See details in the error_log
If I check the trust status, it looks fine

ipa trust-find 

1 trust matched

  Realm name: ourdomain.cz
  Domain NetBIOS name: ourdomain0
  Domain Security Identifier: S-1-5-21-33333333313-3333333333-3229069277
  Trust type: Non-transitive external trust to a domain in another Active Directory forest

Number of entries returned 1
But when I try to add a member to the group, it fails

ipa group-add-member ourdomain_admins_ad --external 'ourdomain\Users'
    
 [member user]: 
 [member group]: 
 [member service]: 

  Group name: ourdomain_admins_ad
  Description: ourdomain.cz admins external map
  Member groups: ad_admins
  Failed members: 
    member user: 
    member group: ourdomain\Users: trusted domain object not found
    member service: 
Number of members added 0
I dug through the logs for a few hours and found something strange:

/var/log/samba/log.winbindd: get_trust_type_string: missing routing for domain [ourdomain]

Getting a Kerberos ticket works

# kinit gelnar@ourdomain.cz

Password for user@ourdomain.cz: 

# klist

Ticket cache: KCM:0:37938
Default principal: user@ourdomain.CZ

Valid starting      Expires             Service principal
8.10.2020 16:09:03  9.10.2020 02:09:03  krbtgt/ourdomain.CZ@ourdomain.CZ
    renew until 9.10.2020 16:08:57
But it looks like Samba does not recognize the AD domain

wbinfo --all-domains
BUILTIN
IPADOMAIN
While having a ticket from ourdomain

# kvno -S host dc.ourdomain.cz

host/dc.ourdomain.cz@ourdomain.CZ: kvno = 43
# kinit admin

Password for admin@ipadomain.LOCAL: 

# kvno -S host ipa04.ipadomain.LOCAL

host/ipa04.ipadomain.local@ipadomain.LOCAL: kvno = 2

# kvno -S host dc.ourdomain.cz

kvno: Server krbtgt/ourdomain.CZ@ipadomain.LOCAL not found in Kerberos database while getting credentials for host/dc.ourdomain.cz@ourdomain.CZ
A strange problem occurs when trying this command against ipadomain

# kvno -S host ipa04.ipadomain.LOCAL

kvno: KDC has no support for encryption type while getting credentials for host/ipa04.ipadomain.local@ipadomain.LOCAL
While having a Kerberos ticket from ipadomain

# kvno -S host dc.ourdomain.cz

host/dc.ourdomain.cz@ourdomain.CZ: kvno = 43
# kinit admin

Password for admin@ipadomain.LOCAL: 

# kvno -S host ipa04.ipadomain.LOCAL

host/ipa04.ipadomain.local@ipadomain.LOCAL: kvno = 2

# kvno -S host dc.ourdomain.cz

kvno: Server krbtgt/ourdomain.CZ@ipadomain.LOCAL not found in Kerberos database while getting credentials for host/dc.ourdomain.cz@ourdomain.CZ
One-way trust: IPA trusts AD
Linux OS: CentOS 8
Windows OS: WS 2008R2
ipa version 4.8.4

What is the problem?

Thanks, everyone.