[Freeipa-users] Cannot find KDC for realm "MYDOMAIN.NET" - AD trust and UPN issues

Nathan Peters nathan at nathanpeters.com
Wed May 6 04:14:52 UTC 2015


From this link:
https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/6/html/Identity_Management_Guide/active-directory-trust.html#comp-trust-krb

The diagram in that section shows the client communicating with FreeIPA and 
FreeIPA contacting AD.

So why are you saying the client authenticates with the AD DC directly?

Also this page here : 
https://www.freeipa.org/page/Active_Directory_trust_setup

does not list having to add the AD domain in the krb5.conf.  Is that not 
necessary in the example because they are not using a different UPN for 
their users like we are?

-----Original Message----- 
From: Jakub Hrozek
Sent: Tuesday, May 05, 2015 8:43 PM
To: freeipa-users at redhat.com
Subject: Re: [Freeipa-users] Cannot find KDC for realm "MYDOMAIN.NET" - AD trust and UPN issues

On Tue, May 05, 2015 at 02:21:40PM -0700, nathan at nathanpeters.com wrote:
> I'm a little confused by that.
>
> If I add the AD dc, will my client try to contact AD directly to get a
> ticket?
>
> Doesn't it have to get the ticket through FreeIPA by proxy somehow?

No, authentication is always performed against an AD DC directly.

>
> And to confirm what you meant by add the AD dc and realm, it would be like
> this ?
>
> SUB.ADDOMAIN.NET = {
>  kdc = dc1.addomain.net:88
> }
>
> I don't need the master_kdc, admin_server, default_domain entries?

With a recent version of libkrb5 I don't think you need to set
master_kdc, libkrb5 should be able to follow referrals itself.
admin_server, if unset, defaults to KDC. default_domain doesn't need to
be set either.

-- 
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project 
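Added example, not part of the thread and not FreeIPA or MIT krb5 project code: a small parser for the [realms] and [domain_realm] sections of krb5.conf that checks the points raised in the reply above, namely that every realm a client may be sent to (here the trusted AD realm) has a kdc line, that every domain_realm mapping points at a defined realm, and that admin_server falls back to the KDC when unset while master_kdc and default_domain stay optional. The configuration text, realm names and host names below are constructed placeholders modelled on the snippet in the thread.

```python
"""Check krb5.conf realm entries for an IPA client that trusts an AD realm.

Constructed example: parses a subset of krb5.conf syntax (sections,
key = value lines, REALM = { ... } blocks) and reports realms that have
no KDC configured. Not the thread's or any project's own code.
"""
import re
from typing import Dict, List

# Constructed config: an IPA realm plus the AD realm added the way the reply
# suggests (kdc only, no master_kdc/admin_server/default_domain).
SAMPLE_KRB5_CONF = """
[libdefaults]
 default_realm = IPA.EXAMPLE.TEST
 dns_lookup_kdc = true

[realms]
 IPA.EXAMPLE.TEST = {
  kdc = ipa.example.test:88
  admin_server = ipa.example.test:749
 }
 SUB.ADDOMAIN.NET = {
  kdc = dc1.addomain.net:88
 }

[domain_realm]
 .example.test = IPA.EXAMPLE.TEST
 example.test = IPA.EXAMPLE.TEST
 .sub.addomain.net = SUB.ADDOMAIN.NET
"""

# Constructed config with the AD realm mapped but never defined: libkrb5
# would have to discover the KDC via DNS SRV records, which is what fails
# with "Cannot find KDC for realm" when those records are not resolvable.
BROKEN_KRB5_CONF = """
[realms]
 IPA.EXAMPLE.TEST = {
  kdc = ipa.example.test:88
 }
 SUB.ADDOMAIN.NET = {
  admin_server = dc1.addomain.net:749
 }

[domain_realm]
 .other.addomain.net = OTHER.ADDOMAIN.NET
"""


def parse_krb5_conf(text: str) -> Dict[str, Dict[str, object]]:
    """Parse sections, key = value lines and REALM = { ... } blocks.
    Repeated keys (e.g. several kdc lines) are collected into a list."""
    sections: Dict[str, Dict[str, object]] = {}
    section = None
    block = None  # dict of the REALM = { ... } block currently open
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and whitespace
        if not line:
            continue
        m = re.fullmatch(r"\[(\w+)\]", line)
        if m:
            section = sections.setdefault(m.group(1), {})
            block = None
            continue
        if section is None:
            continue  # keys before any section header are ignored
        m = re.fullmatch(r"(\S+)\s*=\s*\{", line)
        if m:
            block = section.setdefault(m.group(1), {})
            continue
        if line == "}":
            block = None
            continue
        m = re.fullmatch(r"(\S+)\s*=\s*(.+)", line)
        if not m:
            continue
        target = block if block is not None else section
        key, value = m.group(1), m.group(2).strip()
        existing = target.get(key)
        if existing is None:
            target[key] = value
        elif isinstance(existing, list):
            existing.append(value)
        else:
            target[key] = [existing, value]
    return sections


def realms_missing_kdc(conf: Dict[str, Dict[str, object]]) -> List[str]:
    """Realms declared in [realms] without any kdc line."""
    return sorted(name for name, body in conf.get("realms", {}).items()
                  if isinstance(body, dict) and "kdc" not in body)


def unmapped_domain_realms(conf: Dict[str, Dict[str, object]]) -> List[str]:
    """[domain_realm] targets that have no [realms] block at all."""
    realms = conf.get("realms", {})
    return sorted({r for r in conf.get("domain_realm", {}).values()
                   if isinstance(r, str) and r not in realms})


def effective_realm_settings(conf: Dict[str, Dict[str, object]],
                             realm: str) -> Dict[str, str]:
    """Apply the defaults described in the reply: admin_server falls back
    to the (first) KDC; master_kdc is optional because libkrb5 follows
    referrals on its own."""
    body = conf.get("realms", {}).get(realm)
    if not isinstance(body, dict) or "kdc" not in body:
        raise KeyError(f"no kdc configured for realm {realm}")
    kdc = body["kdc"]
    first_kdc = kdc[0] if isinstance(kdc, list) else kdc
    return {
        "kdc": str(first_kdc),
        "admin_server": str(body.get("admin_server", first_kdc)),
        "master_kdc": str(body.get("master_kdc", "")),
    }


if __name__ == "__main__":
    for label, text in (("sample", SAMPLE_KRB5_CONF), ("broken", BROKEN_KRB5_CONF)):
        conf = parse_krb5_conf(text)
        print(label, "realms without kdc:", realms_missing_kdc(conf))
        print(label, "domain_realm targets without a realm block:",
              unmapped_domain_realms(conf))
```

Run it against the real /etc/krb5.conf by reading the file into parse_krb5_conf; an empty list from both checks means every realm the client may be referred to (including the trusted AD realm) has an explicit KDC, so the "Cannot find KDC" error cannot be caused by a missing realm entry and the remaining suspect is DNS SRV resolution for that realm.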
