[Freeipa-users] Cannot find KDC for realm "MYDOMAIN.NET" - AD trust and UPN issues
Jakub Hrozek
jhrozek at redhat.com
Fri Jul 10 14:47:56 UTC 2015
On Thu, Jul 09, 2015 at 08:59:11PM -0700, Angelo Pantano wrote:
> I have the exact same problem, have a Windows AD that trusts IPA server and
> an IPA client that connects to the IPA server via sssd. If I try to ssh on
> the IPA client using an AD user it fails authentication. The same happens
> if I try to su - ADuser.
>
> Basically IPA server is not correctly proxying the requests to AD, I can
> pull the info with getent, so I know the trust is working,
Are you sure SSSD is not just returning records from cache? Do you have
full SSSD logs?
> but when I try
> to authenticate it's always failing.
>
> The relevant bits I found in the sssd logs suggest a problem contacting
> the AD subdomain via kerberos
>
> (Thu Jul 9 20:42:15 2015) [[sssd[krb5_child[12110]]]] [get_and_save_tgt]
> (0x0020): 996: [-1765328230][Cannot find KDC for realm "AD.LOCAL"]
The original poster had non-standard UPNs, so the users with those UPNs
were failing. Is that your case also or do all users fail like this?