For what it's worth, I dug through my emails with Red Hat tech support and
this is what we got back from the Identity Management support team:
-----------

I did some additional research and found another customer which had a
similar issue - our IPA development team has added some additional comments
on this:

    The external trust in AD has no explicit routing to the trusted
domain (no name suffix routing table). It may be a bug in putty, as in the
Windows console it is possible to obtain a ticket for the explicitly named IPA
host service principal. For non-external forest trust, things work well.

-----------

On Wed, Jun 21, 2017 at 5:03 AM, Tiemen Ruiten <t.rui...@rdmedia.com> wrote:

> I tried the GPO and that actually worked, thanks Robert. I had to specify
> all the subdomains we use as well in the value field (we have IPA-clients
> in several subdomains of i.rdmedia.com). It appears my issue is solved.
>
> Looking forward to hearing what the Microsoft guys say.
>
> On 21 June 2017 at 00:41, Alexander Bokovoy <aboko...@redhat.com> wrote:
>
>> On Tue, 20 Jun 2017, Robert Johnson wrote:
>>
>>> I ran into this exact same problem with my IPA domain in a one-way
>>> external trust to our Windows 2012 R2 AD forest.  It appears that
>>> Microsoft may have removed the routing suffix option from the Windows
>>> 2012 R2 native forest trust GUI.  My solution was to follow the
>>> instructions in the "Define host name-to-Kerberos realm mappings" section
>>> of this document from Microsoft:
>>> https://support.microsoft.com/en-us/help/947706/windows-server-2008-group-policy-settings-for-interoperability-with-non-microsoft-kerberos-realms
>>>
>> This document is not about the type of trust FreeIPA is using in the case
>> of an external trust to AD (nor in a normal cross-forest trust).
>>
>>>
>>> Assuming the IPA realm name is the same as the domain name, you would use:
>>> Value Name: I.RDMEDIA.COM
>>> Value: .i.rdmedia.com      (Notice the period at the beginning of the domain name)
>>>
>>> I applied the GPO to all of my workstations (not the servers) but I don't
>>> see any harm across all the windows systems.
>>>
>> It looks like the GPO change is more of a Kerberos settings modification
>> on the AD side that is basically equivalent to krb5.conf's [domain_realm]
>> section and is not really related to the technology of the trust.
>>
>> BTW, I reproduced the original issue in a lab at the interop here at
>> Microsoft HQ and I'm going to talk to Microsoft guys to find out what is
>> happening there in reality.
>>
>>> Rob Johnson
>>>
>>> On Tue, Jun 20, 2017 at 3:04 PM, Alexander Bokovoy via FreeIPA-users <freeipa-users@lists.fedorahosted.org> wrote:
>>>
>>>> On Tue, 20 Jun 2017, Tiemen Ruiten via FreeIPA-users wrote:
>>>>
>>>>> Please see the attached screenshot for the Trust settings, and thank you
>>>>> for your time.
>>>>>
>>>> Thanks. I'm not sure why that is happening even for the immediate forest
>>>> root domain that i.rdmedia.com is. I'll check with the Microsoft doc help
>>>> team while here at the Redmond Interop 2017.
>>>>
>>>> --
>>>> / Alexander Bokovoy
>>>> _______________________________________________
>>>> FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
>>>> To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org
>>>>
>> --
>> / Alexander Bokovoy
>>
>
> --
> Tiemen Ruiten
> Systems Engineer
> R&D Media
>
_______________________________________________
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org
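As an added illustration (not code from anyone in the thread), the per-machine equivalent of the "Define host name-to-Kerberos realm mappings" GPO that Rob describes, applied on one Windows client with ksetup, followed by the check that a service ticket for an IPA host is issued by the IPA realm. The second DNS suffix and the hostname ipaclient01.i.rdmedia.com are constructed placeholders; the realm and domain come from the thread.

```powershell
# Added example, not from the thread. Run from an elevated prompt on the
# Windows client. ksetup writes the same host-to-realm mapping that the GPO
# value "I.RDMEDIA.COM" -> ".i.rdmedia.com" distributes, and that the
# [domain_realm] section of krb5.conf expresses on the IPA side.

$IpaRealm = 'I.RDMEDIA.COM'
# Leading dot = every host under that DNS suffix. Tiemen reported needing
# one entry per subdomain that hosts IPA clients; the second suffix here is
# a constructed placeholder for such a subdomain.
$IpaSuffixes = @('.i.rdmedia.com', '.lab.i.rdmedia.com')

foreach ($suffix in $IpaSuffixes) {
    ksetup /addhosttorealmmap $suffix $IpaRealm
}

# Review the resulting realm configuration and mapping table.
ksetup /dumpstate

# Check: clear cached tickets, request a service ticket for an IPA host
# (hostname is a constructed placeholder) and confirm the issuing realm.
klist purge
klist get host/ipaclient01.i.rdmedia.com
klist | Select-String $IpaRealm

# Roll back the mapping if it causes problems:
# foreach ($suffix in $IpaSuffixes) { ksetup /removehosttorealmmap $suffix $IpaRealm }
```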