[Freeipa-users] Cannot find KDC for realm "MYDOMAIN.NET" - AD trust and UPN issues
Jakub Hrozek
jhrozek at redhat.com
Wed May 6 03:43:25 UTC 2015
On Tue, May 05, 2015 at 02:21:40PM -0700, nathan at nathanpeters.com wrote:
> I'm a little confused by that.
>
> If I add the AD dc, will my client try to contact AD directly to get a
> ticket?
>
> Doesn't it have to get the ticket through FreeIPA by proxy somehow?
No, authentication is always performed against an AD DC directly.
>
> And to confirm what you meant by add the AD dc and realm, it would be like
> this?
>
> SUB.ADDOMAIN.NET = {
> kdc = dc1.addomain.net:88
> }
>
> I don't need the master_kdc, admin_server, default_domain entries?
With a recent version of libkrb5 I don't think you need to set
master_kdc; libkrb5 should be able to follow referrals itself.
admin_server, if unset, defaults to KDC. default_domain doesn't need to
be set either.
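
As an added example (not part of the original message or of FreeIPA's code), a small Python check for the stanza discussed above: it parses the `[realms]` section of a krb5.conf text and lists realms that have no static `kdc` entry. The sample configuration and its IPA hostnames are constructed, and the parser is a simplification that handles one brace level and no include directives.

```python
import re

# Constructed sample: an IPA realm, the AD stanza from the thread, and an empty stanza.
SAMPLE_KRB5_CONF = """\
[libdefaults]
  default_realm = IPA.EXAMPLE.NET
  dns_lookup_kdc = false

[realms]
  IPA.EXAMPLE.NET = {
    kdc = ipa1.ipa.example.net:88
    admin_server = ipa1.ipa.example.net:749
  }
  SUB.ADDOMAIN.NET = {
    kdc = dc1.addomain.net:88
  }
  MYDOMAIN.NET = {
  }
"""

def parse_realms(text):
    """Return {realm: {key: [values]}} for the [realms] section."""
    realms, section, current = {}, None, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":          # blank line or comment
            continue
        header = re.fullmatch(r"\[(\w+)\]", line)
        if header:                                # new top-level section
            section, current = header.group(1), None
            continue
        if section != "realms":
            continue
        if line == "}":                           # end of a realm stanza
            current = None
            continue
        key, _, value = (part.strip() for part in line.partition("="))
        if value == "{":                          # start of a realm stanza
            current = realms.setdefault(key, {})
        elif current is not None and value:       # relation inside a stanza
            current.setdefault(key, []).append(value)
    return realms

def kdcs_for(realms, realm):
    """Static KDC entries for a realm; realm names are case-sensitive."""
    return realms.get(realm, {}).get("kdc", [])

def realms_without_kdc(realms):
    """Realms that rely entirely on DNS lookup because no kdc is listed."""
    return sorted(r for r, keys in realms.items() if not keys.get("kdc"))
```

With `dns_lookup_kdc` disabled, a realm reported by `realms_without_kdc` has no way to be located, which is the condition behind the "Cannot find KDC for realm" error in the subject line.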