<div dir="ltr"><br><div class="gmail_extra"><br><div class="gmail_quote">On Tue, Jan 5, 2016 at 7:31 PM, Natxo Asenjo <span dir="ltr">&lt;<a href="mailto:natxo.asenjo@gmail.com" target="_blank">natxo.asenjo@gmail.com</a>&gt;</span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div><div class="gmail_extra">includedir /var/lib/sss/pubconf/krb5.include.d/<br>#File modified by ipa-client-install<br><br>[libdefaults]<br> default_realm = IPA.DOMAIN.TLD<br> dns_lookup_realm = true<br> dns_lookup_kdc = true<br> rdns = false<br> ticket_lifetime = 24h<br> forwardable = yes<br><br>[realms]<br> IPA.DOMAIN.TLD = {<br> pkinit_anchors = FILE:/etc/ipa/ca.crt<br> }<br><br>[domain_realm]<br> .ipa.domain.tld = IPA.DOMAIN.TLD<br> ipa.domain.tld = IPA.DOMAIN.TLD<br><br></div>]$ cat /etc/krb5.conf</div></blockquote><div><br></div><div>With this config I can reach any realm, by the way, provided it has SRV records. It works for our AD forests as well.<br></div></div><br><div class="gmail_signature">--<br>Groeten,<br>natxo</div>
</div></div>
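An added example, not part of the original message: a small Python check that reads a krb5.conf like the one quoted above and reports, per realm, whether KDCs come from static `kdc` entries or from DNS SRV lookups, and which SRV names those are. The parser, the function names and the second realm mentioned in the test are assumptions of this example.

```python
import re

# Constructed sample: settings taken from the krb5.conf quoted in the message.
SAMPLE = """\
includedir /var/lib/sss/pubconf/krb5.include.d/
[libdefaults]
 dns_lookup_realm = true
 dns_lookup_kdc = true

[realms]
 IPA.DOMAIN.TLD = {
  pkinit_anchors = FILE:/etc/ipa/ca.crt
 }
"""
TRUE = {"y", "yes", "true", "t", "1", "on"}  # boolean spellings krb5.conf accepts

def parse(text):
    """Minimal krb5.conf reader: [libdefaults] and [realms] only, includes skipped."""
    libdefaults, realms, section, realm = {}, {}, None, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;" or line.startswith("include"):
            continue
        header = re.fullmatch(r"\[(\w+)\]", line)
        if header:
            section, realm = header.group(1), None
        elif line == "}":
            realm = None
        elif "=" in line:
            key, val = (s.strip() for s in line.split("=", 1))
            if section == "libdefaults":
                libdefaults[key] = val
            elif section == "realms" and val == "{":
                realm = key
                realms[realm] = {}
            elif section == "realms" and realm:
                realms[realm].setdefault(key, []).append(val)
    return libdefaults, realms

def kdc_source(text, realm):
    """Where this config gets KDCs for `realm`: static entries, DNS SRV, or nowhere."""
    libdefaults, realms = parse(text)
    static = realms.get(realm, {}).get("kdc")
    if static:
        return ("static", static)
    # Assumption: only an explicit dns_lookup_kdc counts; library defaults are not modelled.
    if libdefaults.get("dns_lookup_kdc", "").lower() in TRUE:
        return ("dns", [f"_kerberos._udp.{realm}", f"_kerberos._tcp.{realm}"])
    return ("none", [])
```

Files under the `includedir` path are not read by this sketch, so any `kdc` entries defined there have to be checked separately.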