active-directory, trust, freeipa

FreeIPA to Active Directory trust not working: Access denied error


When I try to add a trust from FreeIPA to Active Directory, I get an "Access denied" error:

[root@ipa centos]# ipa trust-add --type=ad test.XXXXX.com --admin Admin --password
Active Directory domain administrator's password:

ipa: ERROR: CIFS server communication error: code "3221225506", message "{Access Denied} A process has requested access to an object but has not been granted those access rights." (both may be "None")

My Active Directory is an AWS Managed AD, and Admin is the default user for AWS Managed AD.

I think the Admin user does not have permission to create an AD trust.

But when I tried to give the Admin user administrator privileges in AD, it said "Insufficient Privileges".

I am stuck. Can anyone help me out?

Thanks


Solution

  • AWS AD does not allow establishing a trust the way FreeIPA implements it. AWS AD expects you to use a shared secret on both sides of the trust and then validates it from the AWS AD side. This currently does not work with any released version of FreeIPA.

    The fix is already in FreeIPA upstream, but it will take some time to be released and trickle down to distributions.