Hi, I am trying to set up the FreeIPA Active Directory trust and I am following the http://www.freeipa.org/page/Active_Directory_trust_setup documentation.

I am able to log in on the FreeIPA server with AD users. But when I try to log in on some other IPA client machine I am not able to log in with an AD user. The required firewall ports are opened between the FreeIPA server and the AD server, and between the FreeIPA server and the FreeIPA clients. No firewall ports are opened from the FreeIPA clients to the AD server.

=================================================================
against addomain from ipaserver :-

ipa01 ~]# KRB5_TRACE=/dev/stdout kinit raja...@ad.addomain.com
[24633] 1476069033.462976: Resolving unique ccache of type KEYRING
[24633] 1476069033.463027: Getting initial credentials for raja...@ad.addomain.com
[24633] 1476069033.465229: Sending request (183 bytes) to AD.ADDOMAIN.COM
[24633] 1476069033.471891: Resolving hostname ad1.ad.addomain.com
[24633] 1476069033.474439: Sending initial UDP request to dgram 192.168.20.100:88
[24633] 1476069033.487765: Received answer (212 bytes) from dgram 192.168.20.100:88
[24633] 1476069033.488098: Response was not from master KDC
[24633] 1476069033.488136: Received error from KDC: -1765328359/Additional pre-authentication required
[24633] 1476069033.488179: Processing preauth types: 16, 15, 19, 2
[24633] 1476069033.488192: Selected etype info: etype aes256-cts, salt "AD.ADDOMAIN.COMRajat.Gupta", params ""
[24633] 1476069033.488215: PKINIT client has no configured identity; giving up
[24633] 1476069033.488233: PKINIT client has no configured identity; giving up
[24633] 1476069033.488242: Preauth module pkinit (16) (real) returned: 22/Invalid argument
[24633] 1476069033.488250: PKINIT client has no configured identity; giving up
[24633] 1476069033.488255: Preauth module pkinit (14) (real) returned: 22/Invalid argument
Password for raja...@ad.addomain.com:

This is working fine.
=================================================================

=================================================================
against addomain from ipaclient :-

ipaclinet ~]# KRB5_TRACE=/dev/stdout kinit raja...@ad.addomain.com
[4133] 1476067599.43421: Getting initial credentials for raja...@ad.addomain.com
[4133] 1476067599.43599: Sending request (183 bytes) to AD.ADDOMAIN.COM
[4133] 1476067599.49544: Resolving hostname ad1.ad.addomain.com.
[4133] 1476067599.53762: Sending initial UDP request to dgram 192.168.20.100

NOT WORKING
=================================================================

=================================================================
against ipadomain from ipaclient

# KRB5_TRACE=/dev/stdout kinit admin@IPA.IPASERVER.LOCAL
[4914] 1476068067.763574: Getting initial credentials for admin@IPA.IPASERVER.LOCAL
[4914] 1476068067.763889: Sending request (177 bytes) to IPA.IPASERVER.LOCAL
[4914] 1476068067.764033: Initiating TCP connection to stream 10.246.104.14:88
[4914] 1476068067.765089: Sending TCP request to stream 192.168.100.100:88
[4914] 1476068067.767593: Received answer (356 bytes) from stream 192.168.100.100:88
[4914] 1476068067.767603: Terminating TCP connection to stream 192.168.100.100:88
[4914] 1476068067.767661: Response was from master KDC
[4914] 1476068067.767685: Received error from KDC: -1765328359/Additional pre-authentication required
[4914] 1476068067.767730: Processing preauth types: 136, 19, 2, 133
[4914] 1476068067.767742: Selected etype info: etype aes256-cts, salt "k},(k&+qA)Mosf6z", params ""
[4914] 1476068067.767747: Received cookie: MIT
Password for admin@IPA.IPASERVER.LOCAL:

This is working fine.
=================================================================

It looks like, for password-based authentication requests, the IPA clients connect directly to the AD servers using Kerberos.
Then a firewall port opening is required between the IPA client and the AD server as well. Is it required? Or am I doing something wrong?

/Rajat
-- 
Rajat Gupta
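As an added diagnostic (not part of the original post or of FreeIPA), a small parser over KRB5_TRACE output that reports which KDCs the client sent requests to without ever receiving an answer, which is the pattern the "NOT WORKING" trace above shows. The sample trace is constructed from the lines quoted above, with the port added where the quote had been cut off.

```python
import re

# Constructed sample, modelled on the KRB5_TRACE lines quoted in the post
# (not the original output; ":88" added where the quoted line was truncated).
SAMPLE_TRACE = """\
[4133] 1476067599.43421: Getting initial credentials for user@AD.ADDOMAIN.COM
[4133] 1476067599.43599: Sending request (183 bytes) to AD.ADDOMAIN.COM
[4133] 1476067599.49544: Resolving hostname ad1.ad.addomain.com.
[4133] 1476067599.53762: Sending initial UDP request to dgram 192.168.20.100:88
[4914] 1476068067.763574: Getting initial credentials for admin@IPA.IPASERVER.LOCAL
[4914] 1476068067.763889: Sending request (177 bytes) to IPA.IPASERVER.LOCAL
[4914] 1476068067.765089: Sending TCP request to stream 192.168.100.100:88
[4914] 1476068067.767593: Received answer (356 bytes) from stream 192.168.100.100:88
"""

# "Sending request (N bytes) to REALM" opens the exchange with a realm's KDCs.
REALM_RE = re.compile(r"Sending request \(\d+ bytes\) to (\S+)")
# Per-KDC transmissions and replies name the transport and the host:port.
SEND_RE = re.compile(r"Sending .*?(?:UDP|TCP) request to (?:dgram|stream) (\S+)")
RECV_RE = re.compile(r"Received answer .*? from (?:dgram|stream) (\S+)")


def kdc_contacts(trace):
    """Map realm -> {kdc_address: answered?} from KRB5_TRACE output."""
    contacts = {}
    realm = None
    for line in trace.splitlines():
        if m := REALM_RE.search(line):
            realm = m.group(1)
            contacts.setdefault(realm, {})
        elif (m := SEND_RE.search(line)) and realm:
            contacts[realm].setdefault(m.group(1), False)   # sent, not yet answered
        elif (m := RECV_RE.search(line)) and realm:
            contacts[realm][m.group(1)] = True               # KDC replied
    return contacts


def unanswered_kdcs(trace):
    """(realm, kdc) pairs the client transmitted to but never heard back from."""
    return [(realm, kdc) for realm, kdcs in kdc_contacts(trace).items()
            for kdc, answered in kdcs.items() if not answered]


if __name__ == "__main__":
    # A KDC with no reply at all usually means port 88 (UDP and TCP) is not
    # reachable from this host, e.g. a firewall between client and AD DC.
    for realm, kdc in unanswered_kdcs(SAMPLE_TRACE):
        print(f"{realm}: no reply from KDC {kdc}; check port 88 from this client")
```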
-- 
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code