I tried the GPO and that actually worked, thanks Robert. I had to specify
all the subdomains we use as well in the value field (we have IPA-clients
in several subdomains of i.rdmedia.com). It appears my issue is solved.

Looking forward to hearing what the Microsoft guys say.

On 21 June 2017 at 00:41, Alexander Bokovoy <aboko...@redhat.com> wrote:

> On Tue, 20 Jun 2017, Robert Johnson wrote:
>
>> I ran into this exact same problem with my IPA domain in a one-way
>> external trust to our Windows 2012 R2 AD forest.  It appears that
>> Microsoft may have removed the routing suffix option from the Windows
>> 2012 R2 native forest trust GUI.  My solution was to follow the
>> instructions in the "Define host name-to-Kerberos realm mappings"
>> section of this document from Microsoft:
>> https://support.microsoft.com/en-us/help/947706/windows-server-2008-group-policy-settings-for-interoperability-with-non-microsoft-kerberos-realms
>>
> This document is not about the type of trust FreeIPA is using in the case
> of an external trust to AD (nor in a normal cross-forest trust).
>
>>
>> Assuming the IPA realm name is the same as the domain name you would use:
>> Value Name: I.RDMEDIA.COM
>> Value: .i.rdmedia.com      (Notice the period at the beginning of the
>> domain name)
>>
>> I applied the GPO to all of my workstations (not the servers) but I don't
>> see any harm across all the windows systems.
>>
> It looks like the GPO change is more of a Kerberos settings modification
> on the AD side that is basically equivalent to krb5.conf's [domain_realm]
> section and is not really related to the technology of the trust.
>
> BTW, I reproduced the original issue in a lab at the interop here at
> Microsoft HQ and I'm going to talk to Microsoft guys to find out what is
> happening there in reality.
>
>> Rob Johnson
>>
>> On Tue, Jun 20, 2017 at 3:04 PM, Alexander Bokovoy via FreeIPA-users <
>> freeipa-users@lists.fedorahosted.org> wrote:
>>
>> On Tue, 20 Jun 2017, Tiemen Ruiten via FreeIPA-users wrote:
>>>
>>>> Please see the attached screenshot for the Trust settings, and thank you
>>>> for your time.
>>>>
>>> Thanks. I'm not sure why that is happening even for the immediate forest
>>> root domain that i.rdmedia.com is. I'll check with the Microsoft doc help
>>> team while here at the Redmond Interop 2017.
>>>
>>>
>>> --
>>> / Alexander Bokovoy
>>> _______________________________________________
>>> FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
>>> To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org
>>>
>>>
> --
> / Alexander Bokovoy
>



-- 
Tiemen Ruiten
Systems Engineer
R&D Media
_______________________________________________
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org
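The setting Robert describes, and that Tiemen then extended to several subdomains, is a plain Kerberos client mapping (the AD-side counterpart of krb5.conf's [domain_realm], as Alexander notes). As an added example, not code posted in this thread or shipped by FreeIPA, here is the same mapping applied from PowerShell to the policy registry key that the GPO writes, covering several DNS suffixes in one REG_MULTI_SZ value and reading it back. The registry path, the realm name I.RDMEDIA.COM and the subdomain suffixes are assumptions taken from the thread and from the KB article Robert links; check the path against the GPO editor on your own domain before relying on it.

```powershell
# Added example, not from the thread. Writes the "Define host name-to-Kerberos
# realm mappings" policy directly, for several DNS suffixes at once.
# Assumed: the policy lives under this key (per KB 947706) and stores one
# REG_MULTI_SZ value per realm, each entry being a DNS suffix.
$Realm    = 'I.RDMEDIA.COM'                  # Kerberos realm, upper-case
$Suffixes = @(                               # constructed sample suffixes
    '.i.rdmedia.com',                        # leading dot = whole DNS subtree
    '.lab.i.rdmedia.com',                    # extra subdomains with IPA clients
    '.dev.i.rdmedia.com'
)
$Policy = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\System\Kerberos\HostToRealm'

# A suffix without a leading dot maps only that exact host name, which is the
# usual reason a mapping "does not work" for clients in a subdomain.
foreach ($s in $Suffixes) {
    if (-not $s.StartsWith('.')) {
        Write-Warning "$s has no leading dot: it maps only that exact host"
    }
}

if (-not (Test-Path $Policy)) { New-Item -Path $Policy -Force | Out-Null }
New-ItemProperty -Path $Policy -Name $Realm -PropertyType MultiString `
                 -Value $Suffixes -Force | Out-Null

# Read the value back and fail loudly if any suffix is missing.
$applied = (Get-ItemProperty -Path $Policy -Name $Realm).$Realm
foreach ($s in $Suffixes) {
    if ($applied -notcontains $s) { throw "mapping for $s was not applied" }
}
Write-Output "Host-to-realm mappings for $Realm`: $($applied -join ', ')"

# Equivalent on the IPA/Linux side (krb5.conf), for comparison:
#   [domain_realm]
#   .i.rdmedia.com = I.RDMEDIA.COM
#   i.rdmedia.com  = I.RDMEDIA.COM
```

Run it elevated. On a single machine the same mapping can be added outside Group Policy with `ksetup /addhosttorealmmap .i.rdmedia.com I.RDMEDIA.COM`; in a domain the GPO is preferable because it is reapplied centrally and overrides local ksetup entries. Note that this only tells the Windows Kerberos client which realm to ask for when it sees a host in those suffixes; it does not change the trust itself, so a client that still fails after `gpupdate /force` has a trust or DNS problem rather than a mapping problem.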
