
When I am trying to add trust from FreeIPA to Active Directory I am getting an "Access denied" error:

[root@ipa centos]# ipa trust-add --type=ad test.XXXXX.com --admin Admin --password
Active Directory domain administrator's password:

ipa: ERROR: CIFS server communication error: code "3221225506", message "{Access Denied} A process has requested access to an object but has not been granted those access rights." (both may be "None")

My Active Directory is an AWS Managed AD and admin is the default user for AWS managed AD.

I think the Admin user does not have permission for AD trust.

I tried to give the Admin user administrator privileges in AD, but it says "Insufficient Privileges".

I am stuck. Can anyone help me out?

Thanks

rahul

1 Answer


AWS AD does not allow establishing a trust the way FreeIPA implements it. AWS AD expects you to use a shared secret on both sides of the trust and then validates it from the AWS AD side. This is currently not working for a released version of FreeIPA.

The fix is in FreeIPA upstream already but it will take some time to be released and trickle down to distributions.

abbra
  • Thanks for the reply. Does that mean I cannot establish a trust between FreeIPA and AWS Managed AD now? I am using FreeIPA version 4.6.4. I am able to establish a trust between FreeIPA and AWS Simple AD, but Kerberos principals are not getting created for my users in Active Directory. – rahul Apr 18 '19 at 09:21
  • Not yet. Simple AD is Samba AD on the AWS side, and you also need fixes that are upstream but not in a released version. – abbra Apr 18 '19 at 14:08
  • Thanks for your input. – rahul Apr 18 '19 at 15:27
  • I am able to create a one-way trust between FreeIPA and AWS Simple AD following the process given at the link below: https://www.freeipa.org/page/Active_Directory_trust_setup I can get the AD users on the FreeIPA server, but the FreeIPA client is still not able to see the AD user. I mean I cannot kinit ad-user@AD-domain on the FreeIPA client. – rahul May 10 '19 at 10:46
  • Getting an error like: kinit: Cannot contact any KDC for realm user@XXXXXXXXXXXX – rahul May 10 '19 at 11:04
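The last two comments end with a client-side "kinit: Cannot contact any KDC for realm ..." failure. Before suspecting the trust itself, a practitioner normally checks three things on the client: that the principal is well formed (exactly one "@", upper-case realm), that the realm either has static kdc entries in krb5.conf or is allowed to fall back to DNS SRV lookup, and which realm the client maps a host name to. The script below is an added example (not code from the question, the answer, or the FreeIPA project) that performs those checks offline against a constructed krb5.conf in the shape ipa-client-install writes; the realm names, host names and the krb5.conf content are assumptions.

```python
"""Offline checks for "kinit: Cannot contact any KDC for realm ..." on a
FreeIPA client that should reach an AD realm across a trust (added example)."""
import re

# Constructed sample krb5.conf (not from the page); only the IPA realm has
# static kdc entries, the AD realm is expected to be found via DNS SRV records.
SAMPLE_KRB5_CONF = """
[libdefaults]
  default_realm = IPA.EXAMPLE.TEST
  dns_lookup_kdc = true

[realms]
  IPA.EXAMPLE.TEST = {
    kdc = server.ipa.example.test:88
    admin_server = server.ipa.example.test:749
  }

[domain_realm]
  .ipa.example.test = IPA.EXAMPLE.TEST
  ipa.example.test = IPA.EXAMPLE.TEST
"""


def parse_krb5_conf(text):
    """Parse the subset of krb5.conf syntax needed here: [section] headers,
    key = value relations (repeatable, so values are lists) and NAME = { ... }
    blocks such as the per-realm blocks under [realms]."""
    conf, section, block = {}, None, None
    for raw in text.splitlines():
        line = re.split(r"[#;]", raw, 1)[0].strip()  # drop comments
        if not line:
            continue
        m = re.match(r"^\[(\w+)\]$", line)
        if m:
            section = conf.setdefault(m.group(1), {})
            block = None
            continue
        if line == "}":
            block = None
            continue
        m = re.match(r"^([^=\s]+)\s*=\s*\{$", line)
        if m and section is not None:
            block = section.setdefault(m.group(1), {})
            continue
        m = re.match(r"^([^=\s]+)\s*=\s*(.+)$", line)
        if m and section is not None:
            target = block if block is not None else section
            target.setdefault(m.group(1), []).append(m.group(2).strip())
    return conf


def split_principal(principal):
    """Return (name, realm). A principal needs exactly one '@'; a typo such as
    user@REALM@REALM makes kinit look for a realm that does not exist."""
    parts = principal.split("@")
    if len(parts) != 2 or not parts[0] or not parts[1]:
        raise ValueError(f"malformed principal {principal!r}: expected exactly one '@'")
    return parts[0], parts[1]


def realm_for_host(conf, hostname):
    """Map a DNS name to a realm via [domain_realm], longest suffix first."""
    domain_realm = conf.get("domain_realm", {})
    host = hostname.lower()
    while host:
        for key in (host, "." + host):
            if key in domain_realm:
                return domain_realm[key][0]
        host = host.partition(".")[2]
    return None


def diagnose(conf, principal):
    """Explain why kinit for this principal may fail to find a KDC."""
    name, realm = split_principal(principal)
    libdefaults = conf.get("libdefaults", {})
    dns_lookup = libdefaults.get("dns_lookup_kdc", ["false"])[0].lower() in ("true", "yes", "1")
    kdcs = conf.get("realms", {}).get(realm, {}).get("kdc", [])
    findings = []
    if realm != realm.upper():
        findings.append("realm is not upper-case; Kerberos realm names are case-sensitive")
    if not kdcs and not dns_lookup:
        findings.append("no kdc entry for the realm and dns_lookup_kdc is off: nothing to contact")
    if not kdcs and dns_lookup:
        findings.append(f"no static kdc; the client must resolve _kerberos._tcp.{realm.lower()} SRV records")
    return {"principal": name, "realm": realm, "kdcs": kdcs,
            "dns_lookup_kdc": dns_lookup, "findings": findings}


if __name__ == "__main__":
    conf = parse_krb5_conf(SAMPLE_KRB5_CONF)
    for p in ("admin@IPA.EXAMPLE.TEST", "aduser@AD.EXAMPLE.TEST", "aduser@ad.example.test"):
        print(p, "->", diagnose(conf, p))
```

The AD realm case is the one that matters for the comments above: with no static kdc entry, the client can only reach the AD KDC if it resolves the realm's _kerberos SRV records, so DNS forwarding from the IPA client to the AD domain is the next thing to verify.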