[Freeipa-users] Cross Domain Trust

Zoske, Fabian f.zoske at euroimmun.de
Tue Dec 15 23:29:46 UTC 2015


The Ubuntu krb5.conf has 2 more lines:
udp_preference_limit = 0
default_ccache_name = KEYRING:persistent:%{uid}

The nameservers on both system types are identical and point to our AD-Domain Controller.
On the AD-Servers the ipa-domain.com is a conditional forwarder to the IPA-Server.

I changed the name server configuration on a CentOS just to be sure, but it didn’t have any effect.

Best regards,
Fabian

> On 15 Dec 2015, at 13:38, Sumit Bose <sbose at redhat.com> wrote:
> 
> On Tue, Dec 15, 2015 at 10:58:09AM +0000, Zoske, Fabian wrote:
>> I’ve set up an IPA-Server with a handful of clients and AD-Trust.
>> The server is a CentOS7.1 with IPA4.1 and the clients are mostly Ubuntu Server 14.04 LTS.
>> Our IPA-Domain is like ipa-domain.com and our AD-Domain is like ad-domain.local, but our user principals in AD are user at old-domain.com for backward compatibility.
>> 
>> On the Ubuntu clients I can log in with my AD-Credentials, but when trying to do the same on a joined CentOS Server I can’t log in.
>> In the logs I can see that no KDC for OLD-DOMAIN.COM is found.
>> 
>> Why does this scenario work on Ubuntu but not on CentOS?
>> Can I do something about this?
> 
> Are there any differences in /etc/krb5.conf on the Ubuntu client and on
> the CentOS servers?
> 
> What name servers are configured? Typically the clients should use the
> IPA server as a name server.
> 
> bye,
> Sumit
> 
>> 
>> Best regards,
>> Fabian
> 