[Freeipa-users] one way AD trust relationship
Sumit Bose
sbose at redhat.com
Fri Feb 6 11:39:43 UTC 2015
On Fri, Feb 06, 2015 at 10:16:37AM +0200, Alexander Bokovoy wrote:
> On Thu, 05 Feb 2015, Nicolas Zin wrote:
> >Hi,
> >
> >is it possible to create a one way AD trust relationship with FreeIPA/IDM 3.3?
> No.
>
> >- From Windows I created an incoming one-way trust relationship, with a trust-secret
> >- on Linux I use the trust-secret with ipa: ipa trust-add --type=ad ipawindows.mtl.sfl --trust-secret
> >
> >everything seems to be fine, but when I try
> >kinit Administrator@ipawindows.mtl.sfl
> >kinit: KDC reply did not match expectations while getting initial credentials

Nevertheless the error you see is not related to trust in the first
place. kinit on Linux clients expects a Kerberos principal as argument
which in general is case sensitive. I would expect that either

    kinit -C Administrator@ipawindows.mtl.sfl

or

    kinit Administrator@IPAWINDOWS.MTL.SFL

will work for you. But please note that this is not an indication that
the trust is working in general. For this you should try to get a
Kerberos service ticket for a service from your IPA domain e.g. with
kvno.

bye,
Sumit

> >
> >I tried others ways, but I wonder if it is possible to have a one-way trust relationship?
> One-way trust is not supported yet. I'm in the process of writing a
> set of design documents and opening tickets for various missing parts.
> We hope to get it done within the scope of FreeIPA 4.2.
>
> --
> / Alexander Bokovoy
>
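
An added example, not part of the original message or of FreeIPA: the two-step check described in the reply above, written as a script. It upper-cases the realm before calling kinit, then requests a service ticket with kvno; the service principal given as the second argument is an assumption and must be replaced with a real service from your IPA domain.

```shell
#!/bin/sh
# Added example (not from the thread). kinit treats the principal as case
# sensitive, so the realm part is upper-cased before it is used.

# Upper-case only the realm (the text after the last '@'); keep the user part.
normalize_principal() {
    realm=${1##*@}
    # No '@' leaves $realm equal to the input; a trailing '@' leaves it empty.
    if [ -z "$realm" ] || [ "$realm" = "$1" ]; then
        echo "principal has no realm: $1" >&2
        return 1
    fi
    user=${1%@*}
    realm=$(printf '%s' "$realm" | tr '[:lower:]' '[:upper:]')
    printf '%s@%s\n' "$user" "$realm"
}

# Step 1: get a TGT for the AD user. Success here says nothing about the trust.
# Step 2: ask for a service ticket for a service in the IPA domain with kvno;
#         only this step crosses the trust.
check_trust() {
    princ=$(normalize_principal "$1") || return 2
    ipa_service=$2   # assumption: caller supplies e.g. host/<ipa-host>@<IPA-REALM>
    if ! kinit "$princ"; then
        echo "kinit failed for $princ: fix this before looking at the trust" >&2
        return 3
    fi
    if kvno "$ipa_service"; then
        echo "service ticket obtained for $ipa_service"
    else
        echo "TGT obtained but no service ticket for $ipa_service" >&2
        return 4
    fi
}

# Run the check only when both arguments are given on the command line.
if [ "$#" -eq 2 ]; then
    check_trust "$1" "$2"
fi
```

Return code 3 means the initial kinit itself failed; return code 4 means kinit worked but the service ticket request did not.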