[Freeipa-users] problems with trust with AD (2 different domains

Sumit Bose sbose at redhat.com
Fri Apr 19 11:08:54 UTC 2013


On Fri, Apr 19, 2013 at 12:47:47PM +0200, Natxo Asenjo wrote:
> hi,
> 
> just a little 'but'.
> 
> when verifying the trust (point 12
> https://access.redhat.com/site/documentation/en-US/Red_Hat_Enterprise_Linux/6/html/Identity_Management_Guide/trust-diff-dns-domains.html)
> 
> 
> # kinit user
> Password for nasenjo@IPA.ASENJO.NX:
> [root@kdc ~]# kvno host/host.ipa.asenjo.nx@IPA.ASENJO.NX
> host/host.ipa.asenjo.nx@IPA.ASENJO.NX: kvno = 2
> [root@kdc ~]# kvno cifs/win2k8.ad.asenjo.nx@AD.ASENJO.NX
> kvno: KDC policy rejects request while getting credentials for
> cifs/win2k8.ad.asenjo.nx@AD.ASENJO.NX

Can you check if klist shows a cross-realm ticket like
krbtgt/AD.REALM@IPA.REALM after the second kvno call? If yes, it might
be a policy on the AD side which rejects the request.

bye,
Sumit
> 
> --
> groet,
> natxo
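
The klist check suggested in the reply above, as an added example that is not part of the original thread: it reads klist output and reports whether a cross-realm ticket krbtgt/AD.REALM@IPA.REALM is in the cache. The helper names `sample_klist` and `check_cross_realm` are hypothetical, and the sample ticket list is constructed using the realm names from the thread.

```shell
#!/bin/sh
# Added example; check_cross_realm is a hypothetical helper, not a FreeIPA or MIT tool.

# Constructed sample of MIT klist output (dates and cache path are made up).
sample_klist() {
cat <<'EOF'
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: nasenjo@IPA.ASENJO.NX

Valid starting     Expires            Service principal
04/19/13 12:40:01  04/20/13 12:39:58  krbtgt/IPA.ASENJO.NX@IPA.ASENJO.NX
04/19/13 12:40:10  04/20/13 12:39:58  host/host.ipa.asenjo.nx@IPA.ASENJO.NX
04/19/13 12:40:20  04/20/13 12:39:58  krbtgt/AD.ASENJO.NX@IPA.ASENJO.NX
	renew until 04/26/13 12:39:58
EOF
}

# Reads klist output on stdin; $1 is the AD realm.
# Prints "present" if krbtgt/<AD realm>@<local realm> is cached, else "missing".
#   present: the IPA KDC issued the cross-realm ticket, so the rejection
#            may come from a policy on the AD side (as the reply says).
#   missing: no cross-realm ticket was cached for that realm.
check_cross_realm() {
    awk -v ad="$1" '
        /^Default principal:/ {
            # The local realm is whatever follows the last "@" of the principal.
            n = split($NF, parts, "@")
            local_realm = parts[n]
        }
        # Ticket rows end with the service principal; "renew until" and
        # "Flags:" rows do not start their last field with "krbtgt/".
        $NF ~ /^krbtgt\// && local_realm != "" {
            if ($NF == "krbtgt/" ad "@" local_realm) found = 1
        }
        END { print (found ? "present" : "missing") }
    '
}

# Demo on the constructed sample; on a real host use:
#   klist | check_cross_realm AD.ASENJO.NX
sample_klist | check_cross_realm AD.ASENJO.NX
```

The comparison is an exact string match on the service principal, so the local krbtgt/IPA.ASENJO.NX@IPA.ASENJO.NX ticket is never mistaken for the cross-realm one.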



