[Freeipa-users] Trust with Active Directory fails

Alexander Bokovoy abokovoy at redhat.com
Mon Feb 9 17:50:11 UTC 2015


On Mon, 09 Feb 2015, Guertin, David S. wrote:
>> For Active Directory cross-forest trusts to work, we need following records
>> to be in place:
>>
>> _ldap._tcp.<DOMAIN>
>> _kerberos._udp.<DOMAIN>
>> _kerberos._tcp.<DOMAIN>
>> _ldap._tcp.Default-First-Site-Name._sites.dc._msdcs.<DOMAIN>
>> _kerberos._udp.Default-First-Site-Name._sites.dc._msdcs.<DOMAIN>
>> _kerberos._tcp.Default-First-Site-Name._sites.dc._msdcs.<DOMAIN>
>> _ldap._tcp.dc._msdcs.<DOMAIN>
>> _kerberos._udp.dc._msdcs.<DOMAIN>
>> _kerberos._tcp.dc._msdcs.<DOMAIN>
>
>I've checked with nslookup, and for the IPA subdomain csns.example.com, all the records are in place. For the parent example.com domain, though, the following four records are not found:
>
>_ldap._tcp.Default-First-Site-Name._sites.dc._msdcs.example.com
>_kerberos._udp.Default-First-Site-Name._sites.dc._msdcs.example.com
>_kerberos._tcp.Default-First-Site-Name._sites.dc._msdcs.example.com
>_kerberos._udp.dc._msdcs.example.com
>
>Do these need to be manually added to our DNS records? I've never had
>to manually add an SRV record before. If it matters, we are not using
>our domain controllers as our DNS servers -- we have separate,
>dedicated DNS servers in our environment.

Can you send me (off-list) logs as described in
http://www.freeipa.org/page/Howto/IPAv3_AD_trust_setup#Debugging_trust

-- 
/ Alexander Bokovoy
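
The check discussed in this thread (which of the nine SRV records are absent for a domain), as an added example that is not part of the original messages. The function names and the SAMPLE answers are constructed for illustration; the default lookup assumes the `dig` utility is installed.

```python
import subprocess

# Owner-name patterns from the list quoted in the message above.
SERVICES = ("_ldap._tcp", "_kerberos._udp", "_kerberos._tcp")
SCOPES = ("{d}", "{s}._sites.dc._msdcs.{d}", "dc._msdcs.{d}")

def required_srv_names(domain, site="Default-First-Site-Name"):
    """Return the nine SRV owner names in the order the message lists them."""
    d = domain.strip().rstrip(".").lower()
    return [f"{svc}.{scope.format(d=d, s=site)}" for scope in SCOPES for svc in SERVICES]

def parse_srv_lines(text):
    """Parse 'priority weight port target' lines; skip anything else."""
    records = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) == 4 and all(p.isdigit() for p in parts[:3]):
            prio, weight, port = map(int, parts[:3])
            records.append((prio, weight, port, parts[3].rstrip(".")))
    return records

def dig_srv(name):
    """Default lookup; assumes `dig` is installed and DNS is reachable."""
    result = subprocess.run(["dig", "+short", "-t", "SRV", name],
                            capture_output=True, text=True, timeout=15)
    return parse_srv_lines(result.stdout)

def missing_srv(domain, lookup=dig_srv, site="Default-First-Site-Name"):
    """Return the required names for which the lookup yields no SRV record."""
    return [n for n in required_srv_names(domain, site) if not lookup(n)]

# Constructed sample answers (not real data): dig-style output for names that resolve.
SAMPLE = {
    "_ldap._tcp.example.com": "0 100 389 dc1.example.com.\n",
    "_kerberos._udp.example.com": "0 100 88 dc1.example.com.\n",
    "_kerberos._tcp.example.com": "0 100 88 dc1.example.com.\n",
    "_ldap._tcp.dc._msdcs.example.com": "0 100 389 dc1.example.com.\n",
    "_kerberos._tcp.dc._msdcs.example.com": "0 100 88 dc1.example.com.\n",
}

def sample_lookup(name):
    """Offline stand-in for dig_srv that reads from SAMPLE."""
    return parse_srv_lines(SAMPLE.get(name, ""))

if __name__ == "__main__":
    for name in missing_srv("example.com", lookup=sample_lookup):
        print("missing:", name)
```

Calling missing_srv() with only a domain uses dig against the system resolver; pass a different site value if the AD site is not Default-First-Site-Name.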