[Freeipa-users] problems with trust with AD (2 different domains

Sumit Bose sbose at redhat.com
Fri Apr 19 10:58:37 UTC 2013


On Fri, Apr 19, 2013 at 12:37:30PM +0200, Natxo Asenjo wrote:
> I modified /etc/sysconfig/network
> HOSTNAME=kdc.ipa.asenjo.nx
> 
> rebooted the host. Re-ran
> 
> # smbclient -L kdc.ipa.asenjo.nx -k
> lp_load_ex: changing to config backend registry
> Domain=[IPA] OS=[Unix] Server=[Samba 4.0.0rc4]
> 
>     Sharename       Type      Comment
>     ---------       ----      -------
>     IPC$            IPC       IPC Service (Samba 4.0.0rc4)
> Domain=[IPA] OS=[Unix] Server=[Samba 4.0.0rc4]
> 
> That was ok.
> 
> re-ran:
> 
> # ipa trust-add --type=ad ad.asenjo.nx --admin Administrator --password
> Active directory domain administrator's password:
> -----------------------------------------------------
> Added Active Directory trust for realm "ad.asenjo.nx"
> -----------------------------------------------------
>   Realm name: ad.asenjo.nx
>   Domain NetBIOS name: AD
>   Domain Security Identifier: S-1-5-21-2508008360-1834726910-79835928
>   Trust direction: Two-way trust
>   Trust type: Active Directory domain
>   Trust status: Established and verified
> 
> And it is working :-)
> 
> Awesome.

Great.

Please note that having hostname return a fully qualified host name
is not a new requirement coming with the trust feature. It was always
recommended, because other services like sshd, httpd and sssd might also
have problems finding the right Kerberos keys in their keytabs.

bye,
Sumit
> 
> Thanks!
> 
> -- 
> groet,
> natxo
> 
> 
> --
> Groeten,
> natxo
> 
> 
> On Fri, Apr 19, 2013 at 12:11 PM, Sumit Bose <sbose at redhat.com> wrote:
> 
> > On Fri, Apr 19, 2013 at 11:45:47AM +0200, Natxo Asenjo wrote:
> > > I saw there is a log in /var/log/samba/log.wb-IPA
> > >
> > > The log complains about missing keys for the spn for the hostname (not
> > the
> > > fqdn, just the hostname):
> > >
> > >  Connection to LDAP server failed for the 15 try!
> > > [2013/04/19 11:39:22.352522,  0] ipa_sam.c:3689(bind_callback_cleanup)
> > >   kerberos error: code=-1765328203, message=Keytab contains no suitable
> > > keys for cifs/kdc at IPA.ASENJO.NX
> >
> > Can you check if
> >
> > $ hostname
> >
> > returns the fully qualified hostname, if not, please fix this, call
> > ipactl stop and ipactl start and try again.
> >
> > bye,
> > Sumit
> >
> > >
> > >
> > > --
> > > Groeten,
> > > natxo
> >
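The two checks behind Sumit's advice, as an added shell example that is not part of the thread: a service derives its principal from its own hostname, so a short hostname makes it look for cifs/kdc@IPA.ASENJO.NX, which no keytab holds. The keytab listing, its path and the KVNO values are constructed so the script runs offline.

```shell
#!/bin/sh
# Added example (not from the thread). Checks that the hostname a service
# sees is fully qualified and that the matching cifs/<fqdn>@REALM key is
# present in a keytab listing.

# True when the name has at least one dot (host.domain), i.e. is qualified.
is_fqdn() {
    case "$1" in
        *.*) return 0 ;;
        *)   return 1 ;;
    esac
}

# $1 = principal, $2 = keytab listing in the format printed by `klist -k`
# (KVNO in column 1, principal in column 2). Succeeds if the principal is listed.
keytab_has_principal() {
    printf '%s\n' "$2" | awk -v p="$1" '$2 == p { found = 1 } END { if (found) exit 0; exit 1 }'
}

# $1 = hostname as the service sees it, $2 = Kerberos realm, $3 = keytab listing.
# Returns 1 for a short hostname, 2 for a missing principal, 0 when both are fine.
check_host_keytab() {
    host="$1"; realm="$2"; listing="$3"
    if ! is_fqdn "$host"; then
        echo "hostname '$host' is not fully qualified; services would look for cifs/$host@$realm" >&2
        return 1
    fi
    if ! keytab_has_principal "cifs/$host@$realm" "$listing"; then
        echo "keytab has no key for cifs/$host@$realm" >&2
        return 2
    fi
    return 0
}

# Constructed sample listing shaped like `klist -k` output; path and KVNO are
# made up. On a real host feed it the output of: klist -k /path/to/samba.keytab
SAMPLE_KEYTAB='Keytab name: FILE:/path/to/samba.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   2 cifs/kdc.ipa.asenjo.nx@IPA.ASENJO.NX
   2 host/kdc.ipa.asenjo.nx@IPA.ASENJO.NX'

# Short hostname fails (as in the log.wb-IPA error); the FQDN passes.
for h in kdc kdc.ipa.asenjo.nx; do
    if check_host_keytab "$h" IPA.ASENJO.NX "$SAMPLE_KEYTAB"; then
        echo "$h: ok"
    fi
done
```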