Active directory FreeIPA Active Directory trust
I set up a trust between the AD domain and the FreeIPA domain using the official software, but there are still some strange problems. The first problem is:
ipa trust-fetch-domains ourdomain.cz
ipa: ERROR: error on server 'ipa04.ipadomain.local': Fetching domains from trusted forest failed. See details in the error_log
If I check the trust status, it looks fine:
ipa trust-find
1 trust matched
Realm name: ourdomain.cz
Domain NetBIOS name: ourdomain0
Domain Security Identifier: S-1-5-21-33333333313-3333333333-3229069277
Trust type: Non-transitive external trust to a domain in another Active Directory forest
Number of entries returned 1
But when I try to add a member to the group, it fails:
ipa group-add-member ourdomain_admins_ad --external 'ourdomain\Users'
[member user]:
[member group]:
[member service]:
Group name: ourdomain_admins_ad
Description: ourdomain.cz admins external map
Member groups: ad_admins
Failed members:
member user:
member group: ourdomain\Users: trusted domain object not found
member service:
Number of members added 0
I dug through the logs for a few hours and found something strange:
/var/log/samba/log.winbindd: get_trust_type_string: Missing routing for domain [ourdomain]
Getting a Kerberos ticket works:
# kinit gelnar@ourdomain.cz
Password for user@ourdomain.cz:
# klist
Ticket cache: KCM:0:37938
Default principal: user@ourdomain.CZ
Valid starting Expires Service principal
8.10.2020 16:09:03 9.10.2020 02:09:03 krbtgt/ourdomain.CZ@ourdomain.CZ
renew until 9.10.2020 16:08:57
But it looks like Samba does not recognize the AD domain:
wbinfo --all-domains
BUILTIN
IPADOMAIN
When holding a ticket from ourdomain:
# kvno -S host dc.ourdomain.cz
host/dc.ourdomain.cz@ourdomain.CZ: kvno = 43
# kinit admin
Password for admin@ipadomain.LOCAL:
# kvno -S host ipa04.ipadomain.LOCAL
host/ipa04.ipadomain.local@ipadomain.LOCAL: kvno = 2
# kvno -S host dc.ourdomain.cz
kvno: Server krbtgt/ourdomain.CZ@ipadomain.LOCAL not found in Kerberos database while getting credentials for host/dc.ourdomain.cz@ourdomain.CZ
A strange problem appears when trying this command against ipadomain:
# kvno -S host ipa04.ipadomain.LOCAL
kvno: KDC has no support for encryption type while getting credentials for host/ipa04.ipadomain.local@ipadomain.LOCAL
When holding a Kerberos ticket from ipadomain:
# kvno -S host dc.ourdomain.cz
host/dc.ourdomain.cz@ourdomain.CZ: kvno = 43
# kinit admin
Password for admin@ipadomain.LOCAL:
# kvno -S host ipa04.ipadomain.LOCAL
host/ipa04.ipadomain.local@ipadomain.LOCAL: kvno = 2
# kvno -S host dc.ourdomain.cz
kvno: Server krbtgt/ourdomain.CZ@ipadomain.LOCAL not found in Kerberos database while getting credentials for host/dc.ourdomain.cz@ourdomain.CZ
One-way trust: IPA trusts AD
Trust AD
Linux OS: CentOS 8
Windows OS: WS 2008R2
IPA version 4.8.4
Any idea what the problem is?
Thanks, everyone.