[Freeipa-users] Cannot find KDC for realm "MYDOMAIN.NET" - AD trust and UPN issues

Angelo Pantano ghilteras at gmail.com
Fri Jul 10 03:59:11 UTC 2015


I have the exact same problem, have a windows AD that trusts IPA server and
an IPA client that connects to the IPA server via sssd. If I try to ssh on
the IPA client using an AD user it fails authentication. The same happens
if I try to su - ADuser.

Basically IPA server is not correctly proxying the requests to AD, I can
pull the info with getent, so I know the trust is working, but when I try
to authenticate it's always failing.

The relevant bits I found in the sssd logs suggest a problem contacting
the AD subdomain via kerberos:

(Thu Jul  9 20:42:15 2015) [[sssd[krb5_child[12110]]]] [get_and_save_tgt]
(0x0020): 996: [-1765328230][Cannot find KDC for realm "AD.LOCAL"]

Is there manual customization that I am missing that I need to put on krb5
or sssd.conf?

Angelo

> On 05/06/2015 12:14 AM, Nathan Peters wrote:
>>> From this link:
>> https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/6/html/Identity_Management_Guide/active-directory-trust.html#comp-trust-krb
>>
>> The diagram in that section shows the client communicating with
>> FreeIPA and FreeIPA contacting AD.
>>
>> So why are you saying the client authenticates with the AD DC directly?
>
> You are looking at the older documentation. It is for RHEL6. Please use
> RHEL7.1 docs to get the latest info about 4.1 functionality.
>

Well according to the 7 docs here

https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/Windows_Integration_Guide/active-directory-trust.html

it still shows in section 5.1.3.1 of that page that the sssd sends the
request on behalf of the client and the client never directly connects to
the AD dc.

Both the 6 and 7 docs show the exact same diagram.
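The "Cannot find KDC for realm" error quoted above is libkrb5 reporting that it could not map a realm name to any KDC, either from a static `kdc =` entry under `[realms]` in krb5.conf or, when `dns_lookup_kdc` allows it, from the `_kerberos._udp` / `_kerberos._tcp` SRV records for that realm. The following is an added example, not code from this thread or from the FreeIPA/SSSD projects: an offline check that parses a krb5.conf-style text and reports which of those two lookup paths would be used for a given realm, or that neither applies. The sample configuration, host names and realm names (`MYDOMAIN.NET`, `AD.LOCAL`) are constructed to mirror the thread; on an IPA client the trusted AD realm is normally located via DNS, so this is a diagnostic of the lookup path, not a statement of what the original poster's fix was.

```python
"""Offline check of how libkrb5 would locate a KDC for a realm.

Added example (not from the mailing-list thread). It models the generic
MIT krb5 lookup order: a static `kdc =` entry in the realm's [realms]
stanza wins; otherwise DNS SRV records are tried only if dns_lookup_kdc
is enabled (its default is true).
"""
import re

# Constructed sample krb5.conf: the IPA realm has a static KDC, DNS lookup is
# switched off, and there is deliberately no stanza for the trusted AD realm.
SAMPLE_KRB5_CONF = """\
[libdefaults]
  default_realm = MYDOMAIN.NET
  dns_lookup_kdc = false   # constructed: forces the "no KDC" outcome below

[realms]
  MYDOMAIN.NET = {
    kdc = ipa.mydomain.net:88
    admin_server = ipa.mydomain.net:749
  }
"""


def parse_krb5_conf(text):
    """Minimal krb5.conf parser.

    Returns {section: {key: [values]}} for flat keys and
    {section: {name: {subkey: [values]}}} for brace-delimited stanzas
    such as realm definitions. Comments (# or ;) are ignored.
    """
    sections = {}
    section = None   # dict for the current [section]
    stanza = None    # dict for the current "NAME = { ... }" block, if any
    for raw in text.splitlines():
        line = re.split(r'[#;]', raw, maxsplit=1)[0].strip()
        if not line:
            continue
        header = re.match(r'^\[(\S+)\]$', line)
        if header:
            section = sections.setdefault(header.group(1), {})
            stanza = None
            continue
        if section is None:
            continue  # content before the first section header
        if line == '}':
            stanza = None
            continue
        key, sep, value = (part.strip() for part in line.partition('='))
        if not sep:
            continue  # not a key = value line
        if value == '{':
            stanza = section.setdefault(key, {})
            continue
        target = stanza if stanza is not None else section
        target.setdefault(key, []).append(value)
    return sections


def find_kdcs(conf, realm):
    """Static KDC list for `realm` from [realms], or [] if none is configured."""
    stanza = conf.get('realms', {}).get(realm)
    if not isinstance(stanza, dict):
        return []
    return list(stanza.get('kdc', []))


def dns_lookup_enabled(conf):
    """Whether libkrb5 may fall back to DNS SRV records (default: true)."""
    value = conf.get('libdefaults', {}).get('dns_lookup_kdc', ['true'])[0]
    return value.lower() in ('true', 'yes', '1', 'on')


def srv_names(realm):
    """SRV record names libkrb5 queries for a realm when DNS lookup is allowed."""
    return [f'_kerberos._udp.{realm}', f'_kerberos._tcp.{realm}']


def diagnose(conf, realm):
    """Return ('static', kdcs), ('dns', srv_names) or ('none', []) for `realm`."""
    kdcs = find_kdcs(conf, realm)
    if kdcs:
        return ('static', kdcs)
    if dns_lookup_enabled(conf):
        return ('dns', srv_names(realm))
    return ('none', [])   # this is the "Cannot find KDC for realm" situation


if __name__ == '__main__':
    conf = parse_krb5_conf(SAMPLE_KRB5_CONF)
    for realm in ('MYDOMAIN.NET', 'AD.LOCAL'):
        source, details = diagnose(conf, realm)
        print(f'{realm}: {source} {details}')
```

With the constructed sample, `MYDOMAIN.NET` resolves to its static KDC while `AD.LOCAL` yields `none`, because DNS lookup is disabled and no stanza exists for it; flipping `dns_lookup_kdc` to `true` moves `AD.LOCAL` to the SRV path, which is the path an IPA client relies on for a trusted AD realm.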