[Freeipa-users] win2012 r2 and trust type = realm
Alexander Bokovoy
abokovoy at redhat.com
Tue May 17 14:10:03 UTC 2016
On Tue, 17 May 2016, lejeczek wrote:
>hi users/devs
>
>I've used wiki pages to set AD - IPA trust, and it always end up being
>realm type of trust (@ AC DC end) whereas wiki shows forest type.
>What am I doing wrong?
Probably because you are choosing wrong type of trust on AD side.
Remove any trust with the same name as IPA on AD side and try to create
the trust using 'ipa trust-add' command, as described in the wiki or in
the documentation.
>I think I must be doing something wrong for having that trust
>established (or I least I think I have it) when @IPA end I do:
>
>$ kinit Administrator at ad_dom
>Password for Administrator at ad_dom:
>kinit: KDC reply did not match expectations while getting initial
>credentials
This is unrelated. In Kerberos realm is supposed to be in UPPER CASE. If
you specified it in lower case, AD DC would accept that and would issue
a ticket with corrected principal name but 'kinit' utility would not
accept the changed principal.
kinit Administrator at AD_DOM is what would you need to try. However, being
able to kinit as AD user from IPA machine has nothing to do with IPA -
AD trust.
--
/ Alexander Bokovoy
More information about the Freeipa-users
mailing list