[Freeipa-users] Cannot find KDC for realm "MYDOMAIN.NET" - AD trust and UPN issues

Dmitri Pal dpal at redhat.com
Thu May 7 00:14:58 UTC 2015


On 05/06/2015 12:14 AM, Nathan Peters wrote:
> From this link:
> https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/6/html/Identity_Management_Guide/active-directory-trust.html#comp-trust-krb 
>
>
> The diagram in that section shows the client communicating with 
> FreeIPA and FreeIPA contacting AD.
>
> So why are you saying the client authenticates with the AD DC directly?

You are looking at the older documentation. It is for RHEL6. Please use 
RHEL7.1 docs to get the latest info about 4.1 functionality.

>
> Also this page here : 
> https://www.freeipa.org/page/Active_Directory_trust_setup
>
> does not list having to add the AD domain in the krb5.conf.  Is that 
> not necessary in the example because they are not using a different 
> UPN for their users like we are?
>
> -----Original Message----- From: Jakub Hrozek
> Sent: Tuesday, May 05, 2015 8:43 PM
> To: freeipa-users at redhat.com
> Subject: Re: [Freeipa-users] Cannot find KDC for realm "MYDOMAIN.NET" 
> - AD trust and UPN issues
>
> On Tue, May 05, 2015 at 02:21:40PM -0700, nathan at nathanpeters.com wrote:
>> I'm a little confused by that.
>>
>> If I add the AD dc, will my client try to contact AD directly to get a
>> ticket?
>>
>> Doesn't it have to do get the ticket through FreeIPA by proxy somehow?
>
> No, authentication is always performed against an AD DC directly.
>
>>
>> And to confirm what you meant by add the AD dc and realm, it would be 
>> like
>> this ?
>>
>> SUB.ADDOMAIN.NET = {
>>  kdc = dc1.addomain.net:88
>> }
>>
>> I don't need the master_kdc, admin_server, default_domain entries?
>
> With a recent version of libkrb5 I don't think you need to set
> master_kdc, libkrb5 should be able to follow referrals itself.
> admin_server, if unset, defaults to KDC. default_domain doesn't need to
> be set either.
>


-- 
Thank you,
Dmitri Pal

Director of Engineering for IdM portfolio
Red Hat, Inc.
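The thread's point is that an IPA client in an AD trust does not proxy through the IPA KDC for AD users: libkrb5 on the client must locate a KDC for the AD realm itself, either from an explicit [realms] stanza in krb5.conf or from a DNS SRV query for _kerberos._tcp.<REALM>, and "Cannot find KDC for realm" is what it reports when neither source yields one. The script below is an added example, not code from the thread or from the FreeIPA project. It parses a constructed krb5.conf modelled on the stanza quoted above, performs the same two lookups in the same order, and reports where a ticket request for a given principal would go. DNS is simulated with a constructed SRV table so it runs offline, and every realm and host name (IPA.EXAMPLE.TEST, SUB.ADDOMAIN.NET, dc1.addomain.net, MYDOMAIN.NET) is a placeholder.

```python
"""Resolve which KDC a Kerberos client would contact for a realm, from krb5.conf.

Added example (not from the freeipa-users thread or the FreeIPA project).
It models the two lookups MIT libkrb5 performs: the [realms] stanza first,
then, if dns_lookup_kdc is enabled (its default), a DNS SRV query for
_kerberos._tcp.<REALM>. DNS is replaced by a constructed table so the
script runs offline; all realm and host names are placeholders.
"""
import re

# Constructed krb5.conf for an IPA client in a forest trust with AD.
# SUB.ADDOMAIN.NET gets an explicit KDC as suggested in the thread;
# MYDOMAIN.NET (the users' UPN suffix) deliberately has no stanza.
SAMPLE_KRB5_CONF = """
[libdefaults]
  default_realm = IPA.EXAMPLE.TEST
  dns_lookup_kdc = true

[realms]
  IPA.EXAMPLE.TEST = {
    kdc = ipa1.ipa.example.test:88
    admin_server = ipa1.ipa.example.test:749
  }
  SUB.ADDOMAIN.NET = {
    kdc = dc1.addomain.net:88
  }

[domain_realm]
  .ipa.example.test = IPA.EXAMPLE.TEST
  .sub.addomain.net = SUB.ADDOMAIN.NET
"""

# Constructed stand-in for DNS: the SRV records a real resolver might return.
# CORP.ADDOMAIN.NET is only discoverable via DNS, not via [realms].
FAKE_SRV = {
    "_kerberos._tcp.IPA.EXAMPLE.TEST": ["ipa1.ipa.example.test:88"],
    "_kerberos._tcp.SUB.ADDOMAIN.NET": ["dc1.addomain.net:88", "dc2.addomain.net:88"],
    "_kerberos._tcp.CORP.ADDOMAIN.NET": ["dc9.corp.addomain.net:88"],
}


def parse_krb5_conf(text):
    """Minimal krb5.conf parser: {section: {key: value}}; inside [realms]
    each realm maps to {key: [values]} because 'kdc' may repeat."""
    sections = {}
    section = None
    block = None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        m = re.fullmatch(r"\[(\w+)\]", line)
        if m:
            section = sections.setdefault(m.group(1), {})
            block = None
            continue
        if section is None:
            continue
        m = re.fullmatch(r"(\S+)\s*=\s*\{", line)
        if m:  # start of a "REALM = { ... }" block
            block = section.setdefault(m.group(1), {})
            continue
        if line == "}":
            block = None
            continue
        key, _, value = line.partition("=")
        key, value = key.strip(), value.strip()
        if block is not None:
            block.setdefault(key, []).append(value)
        else:
            section[key] = value
    return sections


def find_kdcs(conf, realm, dns=FAKE_SRV):
    """KDC list for `realm`: [realms] stanza first, then SRV lookup if allowed.
    An empty list is the condition libkrb5 reports as "Cannot find KDC for realm"."""
    stanza = conf.get("realms", {}).get(realm, {})
    if stanza.get("kdc"):
        return list(stanza["kdc"])
    flag = conf.get("libdefaults", {}).get("dns_lookup_kdc", "true").lower()
    if flag in ("true", "yes", "1"):
        return list(dns.get("_kerberos._tcp." + realm, []))
    return []


def diagnose(conf, principal, dns=FAKE_SRV):
    """Say where the AS-REQ for `principal` would be sent, or why it cannot be."""
    _, _, realm = principal.partition("@")
    realm = realm or conf["libdefaults"]["default_realm"]
    kdcs = find_kdcs(conf, realm, dns)
    if not kdcs:
        return f'{principal}: Cannot find KDC for realm "{realm}"'
    return f"{principal}: AS-REQ goes directly to {kdcs[0]} (realm {realm})"


if __name__ == "__main__":
    conf = parse_krb5_conf(SAMPLE_KRB5_CONF)
    for p in ("nathan", "nathan@SUB.ADDOMAIN.NET", "nathan@MYDOMAIN.NET"):
        print(diagnose(conf, p))
```

Running it shows the three outcomes the thread is about: the IPA user resolves through the IPA KDC, the AD user goes straight to dc1.addomain.net because of the explicit stanza (and would still resolve via SRV if the stanza were removed), and a principal in MYDOMAIN.NET fails because that realm exists in neither place. On a real client the equivalent check is `KRB5_TRACE=/dev/stderr kinit user@REALM`, which prints each [realms] and DNS lookup libkrb5 attempts.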



