[Freeipa-users] Cross domain trust

Alexander Bokovoy abokovoy at redhat.com
Wed Feb 5 21:09:57 UTC 2014


On Wed, 05 Feb 2014, Steve Dainard wrote:
>After the initial setup of a trust I'm attempting to get kerberos tickets
>against the AD domain.
>
>Step 12 in this document:
>https://access.redhat.com/site/documentation/en-US/Red_Hat_Enterprise_Linux/6/html/Identity_Management_Guide/trust-diff-dns-domains.html says:
>
>Then, request service tickets for services within the Active Directory
>domain.
>[root@ipaserver ]# kvno cifs/adserver.adexample.com@AD.DOMAIN
>If the Active Directory service ticket is successfully granted, then there
>will be a cross-realm TGT listed with all of the other requested tickets.
>This will have the name krbtgt/AD.DOMAIN@IPA.DOMAIN.
>
>I get an error back:
># kvno cifs/dc1.miovision.corp@MIOVISION.CORP
>kvno: Server not found in Kerberos database while getting credentials for
>cifs/dc1.miovision.corp@MIOVISION.CORP
Can you try 'KRB5_TRACE=/dev/stderr kvno -S cifs dc1.miovision.corp'?

Ideally, I'd like to see your /etc/krb5.conf, it should have mapping
between AD DNS domain and AD realm so that IPA KDC will be able to route
the ticket request properly to the AD DC. Without that it may assume
miovision.corp belongs to the IPA realm.

>
>But I do have a krbtgt ticket/AD domain:
>
># klist
>Ticket cache: FILE:/tmp/krb5cc_0
>Default principal: sdainard-root@MIOLINUX.CORP
>
>Valid starting     Expires            Service principal
>02/05/14 14:21:06  02/06/14 14:21:06  krbtgt/MIOLINUX.CORP@MIOLINUX.CORP
>02/05/14 14:21:17  02/06/14 14:21:06  host/ipa1.miolinux.corp@MIOLINUX.CORP
>02/05/14 14:21:20  02/06/14 14:21:06  krbtgt/MIOVISION.CORP@MIOLINUX.CORP
>
>Also, is it normal to not find the Linux realm listed in the domain trust
>list on the AD DC?
It should be listed there. If it is not listed, it means no real trust
is established on the AD side.

-- 
/ Alexander Bokovoy
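As an added illustration of the krb5.conf point in the reply above (example code, not from the thread or from FreeIPA): a small Python model of the [domain_realm] lookup that a command like `kvno -S cifs dc1.miovision.corp` relies on, run over two constructed configurations, one without and one with a mapping for the AD DNS domain. Host and realm names are the thread's; the config contents and the function names are assumptions.

```python
# Constructed krb5.conf fragments (not from the thread): the first has no
# mapping for the AD DNS domain, the second adds the [domain_realm] entries.
KRB5_NO_AD_MAPPING = """
[libdefaults]
  default_realm = MIOLINUX.CORP
[domain_realm]
  .miolinux.corp = MIOLINUX.CORP
  miolinux.corp = MIOLINUX.CORP
"""
KRB5_WITH_AD_MAPPING = KRB5_NO_AD_MAPPING + """
  .miovision.corp = MIOVISION.CORP
  miovision.corp = MIOVISION.CORP
"""


def parse_krb5(text):
    """Minimal krb5.conf reader: returns (default_realm, {domain: realm})."""
    section, default_realm, domain_realm = None, None, {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        if line.startswith("["):
            section = line.strip("[]")
            continue
        key, sep, value = (s.strip() for s in line.partition("="))
        if not sep:
            continue
        if section == "libdefaults" and key == "default_realm":
            default_realm = value
        elif section == "domain_realm":
            domain_realm[key.lower()] = value
    return default_realm, domain_realm


def realm_for_host(conf_text, hostname):
    """Mimic libkrb5's [domain_realm] lookup: exact hostname first, then
    parent domains with a leading dot, then default_realm as the fallback."""
    default_realm, domain_realm = parse_krb5(conf_text)
    host = hostname.lower().rstrip(".")
    if host in domain_realm:
        return domain_realm[host]
    labels = host.split(".")
    for i in range(1, len(labels)):
        parent = "." + ".".join(labels[i:])
        if parent in domain_realm:
            return domain_realm[parent]
    return default_realm


def service_principal(conf_text, service, hostname):
    """Principal the client will ask its own KDC for, e.g. cifs/host@REALM."""
    return f"{service}/{hostname}@{realm_for_host(conf_text, hostname)}"
```

Without the mapping the AD host falls through to default_realm, so the request goes to the IPA KDC as cifs/dc1.miovision.corp@MIOLINUX.CORP, a principal it does not hold; with the mapping it resolves to MIOVISION.CORP and the cross-realm path is used.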