[Freeipa-users] win2012 r2 and trust type = realm

lejeczek peljasz at yahoo.co.uk
Tue May 17 15:11:25 UTC 2016


On Tue, 2016-05-17 at 17:10 +0300, Alexander Bokovoy wrote:
> On Tue, 17 May 2016, lejeczek wrote:
> > hi users/devs
> > 
> > I've used wiki pages to set AD - IPA trust, and it always ends up being
> > realm type of trust (@ AD DC end) whereas wiki shows forest type.
> > What am I doing wrong?
> Probably because you are choosing wrong type of trust on AD side.
> 
> Remove any trust with the same name as IPA on AD side and try to create
> the trust using 'ipa trust-add' command, as described in the wiki or in
> the documentation.
> 
But ipa trust-add renders a one-way type of trust, at least here for me.
Is this correct?
I go to AD DC and see only one-way trust.
> > 
> > I think I must be doing something wrong for having that trust
> > established (or at least I think I have it) when @IPA end I do:
> > 
> > $ kinit Administrator@ad_dom
> > Password for Administrator@ad_dom
> > kinit: KDC reply did not match expectations while getting initial
> > credentials
> > 

> 
> This is unrelated. In Kerberos realm is supposed to be in UPPER CASE. If
> you specified it in lower case, AD DC would accept that and would issue
> a ticket with corrected principal name but 'kinit' utility would not
> accept the changed principal.
> 
> kinit Administrator@AD_DOM is what you would need to try. However, being
> able to kinit as AD user from IPA machine has nothing to do with IPA -
> AD trust.
> 
> 