[Freeipa-users] Cross domain trust

Alexander Bokovoy abokovoy at redhat.com
Wed Feb 5 21:21:02 UTC 2014


On Wed, 05 Feb 2014, Alexander Bokovoy wrote:
>On Wed, 05 Feb 2014, Steve Dainard wrote:
>>After the initial setup of a trust I'm attempting to get kerberos tickets
>>against the AD domain.
>>
>>Step 12 in this document:
>>https://access.redhat.com/site/documentation/en-US/Red_Hat_Enterprise_Linux/6/html/Identity_Management_Guide/trust-diff-dns-domains.html
>>says:
>>
>>Then, request service tickets for services within the Active Directory
>>domain.
>>[root at ipaserver ]# kvno cifs/adserver.adexample.com@AD.DOMAIN
>>If the Active Directory service ticket is successfully granted, then there
>>will be a cross-realm TGT listed with all of the other requested tickets.
>>This will have the name krbtgt/AD.DOMAIN@IPA.DOMAIN.
>>
>>I get an error back:
>># kvno cifs/dc1.miovision.corp@MIOVISION.CORP
>>kvno: Server not found in Kerberos database while getting credentials for
>>cifs/dc1.miovision.corp@MIOVISION.CORP
>Can you try 'KRB5_TRACE=/dev/stderr kvno -S cifs dc1.miovision.corp'?
>
>Ideally, I'd like to see your /etc/krb5.conf, it should have mapping
>between AD DNS domain and AD realm so that IPA KDC will be able to route
>the ticket request properly to the AD DC. Without that it may assume
>miovision.corp belongs to the IPA realm.
Actually, that mapping should be generated by sssd in
/var/lib/sss/pubconf/krb5.include.d/domain_realm_miolinux_corp

-- 
/ Alexander Bokovoy
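To make the routing problem in this thread concrete, here is an added example (not part of the original mail, and not sssd's or libkrb5's code) that models the [domain_realm] lookup: exact hostname first, then each dot-prefixed parent domain, then default_realm. The config fragments are constructed; the include path is the one named above, and the realm names are placeholders in the style of the thread. Real libkrb5 also consults DNS and KDC referrals, which this simplified model omits.

```python
import configparser

# Constructed sample fragments (example only, not from the original mail).
# The second fragment stands in for what sssd would write to
# /var/lib/sss/pubconf/krb5.include.d/domain_realm_miolinux_corp
KRB5_CONF = """
[libdefaults]
default_realm = MIOLINUX.CORP
"""
SSSD_INCLUDE = """
[domain_realm]
.miovision.corp = MIOVISION.CORP
miovision.corp = MIOVISION.CORP
"""


def load_config(*texts):
    """Merge krb5.conf-style fragments (main file plus includes).

    Returns (default_realm, domain_realm_map); keys are lowercased, which
    matches the case-insensitivity of DNS names.
    """
    cp = configparser.ConfigParser(delimiters=("=",), interpolation=None,
                                   strict=False)
    for text in texts:
        cp.read_string(text)
    default_realm = cp.get("libdefaults", "default_realm", fallback=None)
    domain_realm = (dict(cp.items("domain_realm"))
                    if cp.has_section("domain_realm") else {})
    return default_realm, domain_realm


def realm_for_host(host, default_realm, domain_realm):
    """Simplified [domain_realm] resolution for a service host name."""
    host = host.lower().rstrip(".")
    if host in domain_realm:                       # exact host entry
        return domain_realm[host], "exact"
    labels = host.split(".")
    for i in range(1, len(labels)):                # .miovision.corp, .corp, ...
        suffix = "." + ".".join(labels[i:])
        if suffix in domain_realm:
            return domain_realm[suffix], "suffix " + suffix
    if default_realm is None:
        raise LookupError("no realm mapping for " + host)
    # This is the failure mode from the thread: the AD host gets the IPA realm.
    return default_realm, "default_realm fallback"


if __name__ == "__main__":
    for fragments in ((KRB5_CONF,), (KRB5_CONF, SSSD_INCLUDE)):
        print(realm_for_host("dc1.miovision.corp", *load_config(*fragments)))
```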
