[Freeipa-users] problems with trust with AD (2 different domains

Natxo Asenjo natxo.asenjo at gmail.com
Fri Apr 19 12:16:32 UTC 2013


On Fri, Apr 19, 2013 at 1:08 PM, Sumit Bose <sbose at redhat.com> wrote:

> On Fri, Apr 19, 2013 at 12:47:47PM +0200, Natxo Asenjo wrote:
> > hi,
> >
> > just a little 'but'.
> >
> > when verifying the trust (point 12
> >
> https://access.redhat.com/site/documentation/en-US/Red_Hat_Enterprise_Linux/6/html/Identity_Management_Guide/trust-diff-dns-domains.html
> )
> >
> >
> > # kinit user
> > Password for nasenjo@IPA.ASENJO.NX:
> > [root@kdc ~]# kvno host/host.ipa.asenjo.nx@IPA.ASENJO.NX
> > host/host.ipa.asenjo.nx@IPA.ASENJO.NX: kvno = 2
> > [root@kdc ~]# kvno cifs/win2k8.ad.asenjo.nx@AD.ASENJO.NX
> > kvno: KDC policy rejects request while getting credentials for
> > cifs/win2k8.ad.asenjo.nx@AD.ASENJO.NX
>
> Can you check if klist shows a cross-realm ticket like
> krbtgt/AD.REALM@IPA.REALM after the second kvno call? If yes, it might
> be a policy on the AD side which rejects the request.
>
hi,

yes, the krbtgt ticket for the AD domain is there all right.

let's try to find out where to allow that request then.

--
Groeten,
natxo
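
Added example, not part of the original message: a shell helper that applies the check suggested in the quoted reply to klist output, separating "no cross-realm TGT in the cache" from "cross-realm TGT present but the service ticket was refused". The function names, result labels and the sample ticket cache are constructed for illustration, and the layout assumed is the default MIT Kerberos klist output.

```shell
#!/bin/sh
# Classify the result of a trust check from `klist` output read on stdin.
# Usage: klist | classify_trust LOCAL_REALM REMOTE_REALM SERVICE_PRINCIPAL
#   ok                  - a ticket for the remote service is in the cache
#   remote-kdc-rejected - cross-realm TGT is cached but no service ticket,
#                         so the refusal came after the local KDC's referral
#   no-cross-realm-tgt  - the local KDC never issued krbtgt/REMOTE@LOCAL
classify_trust() {
    local_realm=$1
    remote_realm=$2
    service=$3
    awk -v xtgt="krbtgt/${remote_realm}@${local_realm}" -v svc="$service" '
        # On a ticket line the service principal is the last field.
        $NF == xtgt { have_tgt = 1 }
        $NF == svc  { have_svc = 1 }
        END {
            if (have_svc)      print "ok"
            else if (have_tgt) print "remote-kdc-rejected"
            else               print "no-cross-realm-tgt"
        }'
}

# Constructed sample: a cache as it could look after the failed second kvno
# call in this thread (timestamps are made up).
sample_klist() {
    cat <<'EOF'
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: nasenjo@IPA.ASENJO.NX

Valid starting     Expires            Service principal
04/19/13 14:10:01  04/20/13 14:09:58  krbtgt/IPA.ASENJO.NX@IPA.ASENJO.NX
04/19/13 14:10:20  04/20/13 14:09:58  host/host.ipa.asenjo.nx@IPA.ASENJO.NX
04/19/13 14:10:31  04/20/13 00:10:31  krbtgt/AD.ASENJO.NX@IPA.ASENJO.NX
EOF
}

sample_klist | classify_trust IPA.ASENJO.NX AD.ASENJO.NX \
    cifs/win2k8.ad.asenjo.nx@AD.ASENJO.NX
```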