Hi All, I am setting up a one-way trust from FreeIPA server to AD domain with a pre-shared key.
It seems that it was set up successfully but I cannot verify the Kerberos configuration when I follow the steps described here: https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/Windows_Integration_Guide/trust-during.html#create-a-trust.

Although I successfully kinit with a username from the AD domain and obtain a ticket:

klist
Ticket cache: KEYRING:persistent:0:0
Default principal: testu...@domain.com

Valid starting       Expires              Service principal
08/22/2017 09:47:41  08/22/2017 19:47:41  krbtgt/domain....@domain.com
        renew until 08/23/2017 09:47:34

I am not able to request service tickets for a service within the IdM domain:

[root@idm1 ~]# KRB5_TRACE=/dev/stdout kvno -S host idm1.ipa.domain.com
[16119] 1503409696.153004: Getting credentials testu...@domain.com -> host/idm1.ipa.domain....@ipa.domain.com using ccache KEYRING:persistent:0:0
[16119] 1503409696.153288: Retrieving testu...@domain.com -> host/idm1.ipa.domain....@ipa.domain.com from KEYRING:persistent:0:0 with result: -1765328243/Matching credential not found
[16119] 1503409696.153422: Retrieving testu...@domain.com -> krbtgt/ipa.domain....@ipa.domain.com from KEYRING:persistent:0:0 with result: -1765328243/Matching credential not found
[16119] 1503409696.153520: Retrieving testu...@domain.com -> krbtgt/domain....@domain.com from KEYRING:persistent:0:0 with result: 0/Success
[16119] 1503409696.153536: Starting with TGT for client realm: testu...@domain.com -> krbtgt/domain....@domain.com
[16119] 1503409696.153600: Retrieving testu...@domain.com -> krbtgt/ipa.domain....@ipa.domain.com from KEYRING:persistent:0:0 with result: -1765328243/Matching credential not found
[16119] 1503409696.153609: Requesting TGT krbtgt/ipa.domain....@domain.com using TGT krbtgt/domain....@domain.com
[16119] 1503409696.153663: Generated subkey for TGS request: aes256-cts/A13D
[16119] 1503409696.153718: etypes requested in TGS request: aes256-cts, aes128-cts, des3-cbc-sha1, rc4-hmac, camellia128-cts, camellia256-cts, des-cbc-crc, des, des-cbc-md4
[16119] 1503409696.153875: Encoding request body and padata into FAST request
[16119] 1503409696.153942: Sending request (1851 bytes) to DOMAIN.COM
[16119] 1503409696.154236: Resolving hostname domain.com
[16119] 1503409696.290796: Initiating TCP connection to stream 10.10.10.10:88
[16119] 1503409696.398086: Sending TCP request to stream 10.10.10.10:88
[16119] 1503409696.836098: Received answer (1551 bytes) from stream 10.10.10.10:88
[16119] 1503409696.836121: Terminating TCP connection to stream 10.10.10.10:88
[16119] 1503409696.836212: Response was from master KDC
[16119] 1503409696.836258: Decoding FAST response
[16119] 1503409696.836423: TGS reply is for testu...@domain.com -> krbtgt/ipa.domain....@domain.com with session key aes256-cts/C0B1
[16119] 1503409696.836454: TGS request result: 0/Success
[16119] 1503409696.836461: Received TGT for offpath realm ipa.domain.com
[16119] 1503409696.836468: Requesting TGT krbtgt/ipa.domain....@ipa.domain.com using TGT krbtgt/ipa.domain....@domain.com
[16119] 1503409696.836486: Generated subkey for TGS request: aes256-cts/743D
[16119] 1503409696.836523: etypes requested in TGS request: aes256-cts, aes128-cts, des3-cbc-sha1, rc4-hmac, camellia128-cts, camellia256-cts, des-cbc-crc, des, des-cbc-md4
[16119] 1503409696.836579: Encoding request body and padata into FAST request
[16119] 1503409696.836648: Sending request (1854 bytes) to ipa.domain.com
[16119] 1503409696.904352: Resolving hostname idm1.ipa.domain.com.
[16119] 1503409696.938147: Sending initial UDP request to dgram 10.10.10.11:88
[16119] 1503409696.943465: Received answer (146 bytes) from dgram 10.10.10.11:88
[16119] 1503409696.977047: Response was from master KDC
[16119] 1503409696.977102: TGS request result: -1765328353/Decrypt integrity check failed
kvno: Decrypt integrity check failed while getting credentials for host/idm1.ipa.domain....@ipa.domain.com

Can you please advise me on how to resolve this issue?
Bart

_______________________________________________
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org
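The trace above walks two cross-realm hops: the AD KDC issues a cross-realm TGT, and the IPA KDC then fails to decrypt it. As an added example (not code from the post or from FreeIPA), here is a small script that groups KRB5_TRACE output into per-hop records and names the hop, the KDC and the ticket involved in the first failure; the realm names and trace lines in SAMPLE are constructed placeholders modelled on the structure of the post's trace.

```python
# Added example (not from the original post): summarise the cross-realm hops
# in a KRB5_TRACE log and point at the hop where the TGS exchange failed.
import re
from dataclasses import dataclass
from typing import Optional

REQ_RE = re.compile(r"Requesting TGT (?P<target>\S+) using TGT (?P<via>\S+)")
SEND_RE = re.compile(r"Sending request \(\d+ bytes\) to (?P<realm>\S+)")
RESULT_RE = re.compile(r"TGS request result: (?P<code>-?\d+)/(?P<msg>.+)$")

@dataclass
class Hop:
    target: str            # TGT being requested
    via: str               # TGT presented to the KDC (the one it must decrypt)
    realm: str = ""        # realm the request was sent to
    code: Optional[int] = None
    msg: str = ""

def parse_hops(trace: str) -> list:
    """Group trace lines into one record per 'Requesting TGT ...' step."""
    hops = []
    for line in trace.splitlines():
        if m := REQ_RE.search(line):
            hops.append(Hop(m["target"], m["via"]))
        elif hops and (m := SEND_RE.search(line)):
            hops[-1].realm = m["realm"]
        elif hops and (m := RESULT_RE.search(line)):
            hops[-1].code, hops[-1].msg = int(m["code"]), m["msg"].strip()
    return hops

def first_failure(hops) -> Optional[Hop]:
    return next((h for h in hops if h.code not in (None, 0)), None)

def explain(hop: Hop) -> str:
    """Plain-language reading of a failed hop for someone checking a trust."""
    if hop.code == -1765328353:  # KRB5KRB_AP_ERR_BAD_INTEGRITY
        return (f"KDC for {hop.realm} could not decrypt {hop.via}: its copy of that "
                f"principal's key (or its kvno/enctype) differs from what the issuing "
                f"realm used. Compare the trust key on both sides.")
    return f"{hop.realm} answered {hop.code}/{hop.msg} for {hop.target}"

# Constructed sample (placeholder realms) shaped like the trace in the post
SAMPLE = """\
[1] 1.0: Requesting TGT krbtgt/IPA.EXAMPLE@AD.EXAMPLE using TGT krbtgt/AD.EXAMPLE@AD.EXAMPLE
[1] 1.1: Sending request (1851 bytes) to AD.EXAMPLE
[1] 1.2: TGS request result: 0/Success
[1] 1.3: Requesting TGT krbtgt/IPA.EXAMPLE@IPA.EXAMPLE using TGT krbtgt/IPA.EXAMPLE@AD.EXAMPLE
[1] 1.4: Sending request (1854 bytes) to IPA.EXAMPLE
[1] 1.5: TGS request result: -1765328353/Decrypt integrity check failed
"""

if __name__ == "__main__":
    bad = first_failure(parse_hops(SAMPLE))
    print(explain(bad) if bad else "all hops succeeded")
```

Run it against a real trace by replacing SAMPLE with the captured output; a failure on the second hop, as in the post, means the receiving KDC, not the issuing one, rejected the cross-realm ticket.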