[Freeipa-users] Samba Server setup

Alexander Bokovoy abokovoy at redhat.com
Fri Sep 16 17:02:16 UTC 2016


On Fri, 16 Sep 2016, Brook, Andy [CRI] wrote:
>    You can replace actual hostnames/realm names/IP addresses by something more generic
>    in the output when sending to the list, but please do it consistently.
>
>I’m sorry. I thought I had been consistent when making changes, but
>from your response, it looks like I wasn’t. I’m sorry about that. I got
>yelled at by our security team last time we sent logs to a public list
>that had any type of identifiable information in them, so it’s sort of
>a new process for me. I think I have it down now.
>
>The results of the commands are here: http://pastebin.com/PRwr7wv6

So IPA side works fine -- on IPA client you can kinit as AD user and
then obtain cross-realm TGT to IPA realm and use that cross-realm TGT to
request a service ticket to cifs/... service. That's good.

You need to identify what happens on AD side. A possible issue is that
name suffix routing to IPA domain is disabled.

Can you provide output of netdom.exe run on Windows side:

  netdom trust addom.domain /namesuffixes: ipa.domain

You should get something like example 28 on the page
https://msdn.microsoft.com/en-us/library/cc776879(v=ws.10).aspx

-- 
/ Alexander Bokovoy
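
The request quoted above to anonymise output consistently matters for Kerberos debugging, because the realm, DNS domain and host in each principal must still line up after redaction. The following is an added example, not code from this thread or from the FreeIPA project: a redactor that gives every real name one stable placeholder. The real names in `DOMAIN_MAP` and the sample log lines are constructed; `addom.domain` and `ipa.domain` are the placeholders already used in this thread, and usernames are left untouched.

```python
import re

# Assumed real names (constructed for this example) -> placeholders used in this thread.
DOMAIN_MAP = {"corp.example.com": "addom.domain",
              "ipa.corp.example.com": "ipa.domain"}
IPV4 = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")

class Sanitizer:
    """Replace domains, hosts and IPv4 addresses with stable placeholders."""

    def __init__(self, domain_map):
        self.domain_map = {k.lower(): v for k, v in domain_map.items()}
        self.hosts, self.ips = {}, {}
        # Longest domain first, so ipa.corp.example.com is never read as
        # host "ipa" inside corp.example.com.
        alt = "|".join(re.escape(d) for d in
                       sorted(self.domain_map, key=len, reverse=True))
        self.fqdn = re.compile(
            r"(?<![\w.-])((?:[\w-]+\.)*?)(" + alt + r")(?!\.?[\w-])", re.I)

    def _fqdn(self, m):
        prefix, dom = m.group(1), m.group(2)
        fake = self.domain_map[dom.lower()]
        if dom.isupper():          # Kerberos realm form stays upper case
            fake = fake.upper()
        if not prefix:
            return fake
        key = (prefix + dom).lower()   # same host, any case -> same label
        label = self.hosts.setdefault(key, f"host{len(self.hosts) + 1}")
        return f"{label}.{fake}"

    def _ip(self, m):
        # 192.0.2.0/24 is reserved for documentation (RFC 5737).
        return self.ips.setdefault(m.group(0), f"192.0.2.{len(self.ips) + 1}")

    def clean(self, text):
        return IPV4.sub(self._ip, self.fqdn.sub(self._fqdn, text))

# Constructed sample log lines, not taken from the thread's pastebin.
SAMPLE = """\
smbd: connect from 10.20.30.40 (ws7.corp.example.com)
krb5: TGS-REQ aduser@CORP.EXAMPLE.COM for cifs/smb01.ipa.corp.example.com@IPA.CORP.EXAMPLE.COM
krb5: krbtgt/IPA.CORP.EXAMPLE.COM@CORP.EXAMPLE.COM issued to 10.20.30.40
smbd: smb01.ipa.corp.example.com closed connection from 10.20.30.41
"""

if __name__ == "__main__":
    print(Sanitizer(DOMAIN_MAP).clean(SAMPLE), end="")
```

The IPv4 pattern also matches dotted version strings, so review the output before posting it.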
