[Freeipa-users] Unable to enumerate IPA users from AD side of 2-way trust due to kerberos error

Alexander Bokovoy abokovoy at redhat.com
Tue May 17 16:31:56 UTC 2016


On Tue, 17 May 2016, John Meyers wrote:
>All,
>
>I have established a 2-way forest trust between FreeIPA (4.2.4-1.fc23)
>and AD (Windows 2012R2).  The IPA side works perfectly and AD users can
>authenticate against IPA resources.  However, when one tries to add an
>IPA user or group to a Windows permission set (e.g. an NTFS ACL or user
>right), Windows successfully obtains a Kerberos ticket for the IPA user
>but then fails when trying to obtain the LDAP principal of the IPA
>server.  KDC logs follow:

The other leg is not supported.

Read http://www.freeipa.org/page/V4/One-way_trust#Design for details.
-- 
/ Alexander Bokovoy



