<html>
  <head>
    <meta content="text/html; charset=KOI8-R" http-equiv="Content-Type">
  </head>
  <body bgcolor="#FFFFFF" text="#000000">
    On 09/20/2013 03:21 PM, Михаил А wrote:
    <blockquote
cite="mid:CALtTMp+NR7KxxG27ESxQtgwM8pFxF=k_62b184-c9TOztA0OiQ@mail.gmail.com"
      type="cite">
      <div dir="ltr">hi! TRUST OK!
        <div>dig SRV _ldap._tcp.wiindomain-------ok win serv SRV</div>
        <div>dig SRV _ldap._tcp.ipadomain.wiindomain------ok serv SRV<br>
        </div>
        <div>dns1:ipaserver1</div>
        <div>dns2:winserv1</div>
        <div>sorry for my english</div>
      </div>
    </blockquote>
    <br>
    Please do not reply to me directly, reply to the list.<br>
    This way people would be able to see and continue the conversation.<br>
    When I asked about DNS, I was asking about the relation between
    windows DNS and IPA. AFAIU in the setup you delegate a DNS zone from
    AD DNS to IPA. Is that the case?<br>
    <br>
    Also on the client please change the debug_level in sssd.conf to 9
    or use a bitmask (see `man sssd.conf` on the client and search for
    debug_level), restart sssd and provide sssd logs to the list. Do not
    forget to sanitize them.<br>
    <br>
    We will be able to see what is going on in SSSD and why it does not
    get the user.<br>
    BTW, have you restarted SSSD after adding trust? If so sssd might
    not yet know that the trust was added. We have a ticket about it.
    Please try restarting SSSD.<br>
    <br>
    Thanks<br>
    Dmitri<br>
    <blockquote
cite="mid:CALtTMp+NR7KxxG27ESxQtgwM8pFxF=k_62b184-c9TOztA0OiQ@mail.gmail.com"
      type="cite">
      <div dir="ltr">
      </div>
      <div class="gmail_extra"><br>
        <br>
        <div class="gmail_quote">2013/9/20 Dmitri Pal <span dir="ltr">&lt;<a
              moz-do-not-send="true" href="mailto:dpal@redhat.com"
              target="_blank">dpal@redhat.com</a>&gt;</span><br>
          <blockquote class="gmail_quote" style="margin:0 0 0
            .8ex;border-left:1px #ccc solid;padding-left:1ex">
            <div bgcolor="#FFFFFF" text="#000000">
              <div>
                <div class="h5"> On 09/18/2013 11:42 AM, Михаил А wrote:
                </div>
              </div>
              <blockquote type="cite">
                <div>
                  <div class="h5">
                    <div dir="ltr">
                      <div>Hi,</div>
                      <span
                        style="font-family:arial,sans-serif;font-size:12.727272033691406px">Do

                        I need network access to ports from the
                        ipa-client to the server-</span><br
                        style="font-family:arial,sans-serif;font-size:12.727272033691406px">
                      <span
                        style="font-family:arial,sans-serif;font-size:12.727272033691406px">windows

                        for authentication with windomain accounts?</span><br
style="font-family:arial,sans-serif;font-size:12.727272033691406px">
                      <span
                        style="font-family:arial,sans-serif;font-size:12.727272033691406px">ipa-server

                        fedora19</span><br
                        style="font-family:arial,sans-serif;font-size:12.727272033691406px">
                      <span
                        style="font-family:arial,sans-serif;font-size:12.727272033691406px">ipa-client

                        fedora19</span><br
                        style="font-family:arial,sans-serif;font-size:12.727272033691406px">
                      <span
                        style="font-family:arial,sans-serif;font-size:12.727272033691406px">winserver

                        win2012</span><br
                        style="font-family:arial,sans-serif;font-size:12.727272033691406px">
                      <span
                        style="font-family:arial,sans-serif;font-size:12.727272033691406px">the

                        ipa-client is located in another network</span><br
style="font-family:arial,sans-serif;font-size:12.727272033691406px">
                      <span
                        style="font-family:arial,sans-serif;font-size:12.727272033691406px">within

                        the network ipa-server, ipa-client and
                        windows-server</span><br
                        style="font-family:arial,sans-serif;font-size:12.727272033691406px">
                      <span
                        style="font-family:arial,sans-serif;font-size:12.727272033691406px">authentication

                        works</span><br
                        style="font-family:arial,sans-serif;font-size:12.727272033691406px">
                      <span
                        style="font-family:arial,sans-serif;font-size:12.727272033691406px">to

                        the ipa-client:</span><br
                        style="font-family:arial,sans-serif;font-size:12.727272033691406px">
                      <span
                        style="font-family:arial,sans-serif;font-size:12.727272033691406px">#id

                        windomainuser@windomain</span><br
                        style="font-family:arial,sans-serif;font-size:12.727272033691406px">
                      <span
                        style="font-family:arial,sans-serif;font-size:12.727272033691406px">id:

                        windomainuser@windomain: No such user</span><br
style="font-family:arial,sans-serif;font-size:12.727272033691406px">
                      <span
                        style="font-family:arial,sans-serif;font-size:12.727272033691406px">please

                        tell me what I'm doing wrong</span><br>
                    </div>
                    <br>
                    <br>
                  </div>
                </div>
                <pre>_______________________________________________
Freeipa-users mailing list
<a moz-do-not-send="true" href="mailto:Freeipa-users@redhat.com" target="_blank">Freeipa-users@redhat.com</a>
<a moz-do-not-send="true" href="https://www.redhat.com/mailman/listinfo/freeipa-users" target="_blank">https://www.redhat.com/mailman/listinfo/freeipa-users</a></pre>
              </blockquote>
              <br>
              We need to understand more about your setup.<br>
              Are you using trusts?<br>
              What is your DNS configuration?<br>
              <br>
              Generally if you are using trusts then clients should be
              able to resolve AD server and connect to it.<span
                class="HOEnZb"><font color="#888888"><br>
                  <br>
                  <pre cols="72">-- 
Thank you,
Dmitri Pal

Sr. Engineering Manager for IdM portfolio
Red Hat Inc.
</pre>
                </font></span></div>
            <br>
          </blockquote>
        </div>
        <br>
      </div>
    </blockquote>
    <br>
    <br>
    <pre class="moz-signature" cols="72">-- 
Thank you,
Dmitri Pal

Sr. Engineering Manager for IdM portfolio
Red Hat Inc.
</pre>
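    <br>
    The log-collection steps requested in the reply above (raise debug_level, restart SSSD, sanitize the logs before posting), as an added shell example that is not part of the original message. The helper names, the choice of the [nss] and [domain/...] sections, and the redaction placeholders are assumptions; the paths in the closing comments are the SSSD defaults.<br>

```shell
#!/bin/sh
# Added example: helper names, section choice and placeholders are assumptions.

# Print an sssd.conf (stdin) with debug_level forced to $1 in [nss] and in
# every [domain/...] section; an existing debug_level there is replaced.
set_sssd_debug() {
    awk -v lvl="$1" '
        /^[ \t]*\[/ {                       # a section header
            target = ($0 ~ /^[ \t]*\[(domain\/.+|nss)\]/)
            print
            if (target) print "debug_level = " lvl
            next
        }
        target && /^[ \t]*debug_level[ \t]*=/ { next }   # drop the old value
        { print }
    '
}

# Mask IPv4 addresses and the given DNS domain / Kerberos realm names in a log
# (stdin). Pass the longest name first so a subdomain is masked before its
# parent. Only the all-lowercase and all-uppercase spellings are matched.
sanitize_sssd_log() {
    script='s/[0-9]{1,3}(\.[0-9]{1,3}){3}/REDACTED_IP/g'
    n=0
    for d in "$@"; do
        n=$((n + 1))
        lower=$(printf %s "$d" | tr '[:upper:]' '[:lower:]')
        upper=$(printf %s "$d" | tr '[:lower:]' '[:upper:]')
        for v in "$lower" "$upper"; do
            re=$(printf %s "$v" | sed 's/[.]/\\./g')   # dots are literal
            script="$script;s/$re/redacted-domain$n/g"
        done
    done
    sed -E "$script"
}

# Typical use on the client, as root (default SSSD paths assumed):
#   set_sssd_debug 9 < /etc/sssd/sssd.conf > /root/sssd.conf.new
#   (review the new file, then install it over sssd.conf with mode 0600)
#   systemctl restart sssd
#   id windomainuser@windomain
#   cat /var/log/sssd/*.log | sanitize_sssd_log ipadomain.wiindomain wiindomain
```

    User and host names that do not contain one of the listed domains are not masked, so read the sanitized log once before sending it.<br>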
  </body>
</html>