We've set up a two-way trust with AD and it seems to have worked, but it
doesn't look like it is working correctly.

The Kerberos commands (kinit and kvno) work fine, but things like 'id
adu...@addomain.example.com' and 'getent passwd adu...@addomain.example.com'
don't work.

# ipa trust-add --type ad addomain.example.com --admin adadmin --password
Active Directory domain administrator's password:
Added Active Directory trust for realm "addomain.example.com"
  Realm name: addomain.example.com
  Domain NetBIOS name: ADDOMAIN
  Domain Security Identifier: S-1-5-21-2229161606-873856335-779138662
  Trust direction: Two-way trust
  Trust type: Active Directory domain
  Trust status: Established and verified

# kinit adu...@addomain.example.com
Password for adu...@addomain.example.com:

# klist
Ticket cache: KEYRING:persistent:0:krb_ccache_o3D2R5S
Default principal: adu...@addomain.example.com

Valid starting       Expires              Service principal
07/20/2017 12:16:41  07/20/2017 22:16:41  krbtgt/
renew until 07/21/2017 12:16:38

# id adu...@addomain.example.com
id: ‘adu...@addomain.example.com’: no such user

Is this the best way to test the trust?

We are running FreeIPA 4.4 and Windows Server 2012 R2.

When setting up the trust we needed to modify /etc/hosts as described in
