On Wed, Aug 30, 2017 at 10:45:11AM -0000, bogusmaster--- via FreeIPA-users wrote:
> Behavior that I described above pertains to Windows 2008 R2. When I attempt
> at doing exactly the same with AD set up on top of Windows 2012, it works
> flawlessly. Unfortunately, environment I have to set up trust with uses
> Windows 2008 R2. I am wondering what might be the difference between these
> two versions that prevent trust from working in case of Windows 2008 R2.

Can you send the KRB5_TRACE output for the 2012 case as well?

What looks suspicious to me in the 2008R2 output is

    TGS reply is for testu...@domain.com -> krbtgt/ipa.domain....@domain.com with session key aes256-cts/C0B1

I would expect krbtgt/ipa.domain....@domain.com here. AD typically does not
care about cases in Kerberos principal but IPA's MIT Kerberos KDC does
(because the RFC says Kerberos is case-sensitive).

bye,
Sumit
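
Added example, not part of the original mail and not FreeIPA or MIT Kerberos code: a check that scans KRB5_TRACE output for the "TGS reply is for" message quoted above and reports cross-realm krbtgt principals whose realm component equals the expected IPA realm only when case is ignored. The realm names, trace lines and function names are constructed for illustration.

```python
import re

# The KRB5_TRACE message quoted in the mail above.
TGS_REPLY = re.compile(
    r"TGS reply is for (?P<client>\S+) -> (?P<server>\S+) with session key"
)

# Constructed sample trace (hypothetical realms AD.EXAMPLE.TEST / IPA.EXAMPLE.TEST).
SAMPLE_TRACE = [
    "[2101] 1504089911.000001: Sending request (1681 bytes) to AD.EXAMPLE.TEST",
    "[2101] 1504089911.100001: TGS reply is for testuser@AD.EXAMPLE.TEST -> "
    "krbtgt/ipa.example.test@AD.EXAMPLE.TEST with session key aes256-cts/C0B1",
    "[2101] 1504089911.200002: TGS reply is for testuser@AD.EXAMPLE.TEST -> "
    "krbtgt/IPA.EXAMPLE.TEST@AD.EXAMPLE.TEST with session key aes256-cts/9F3A",
    "[2101] 1504089911.300003: TGS reply is for testuser@AD.EXAMPLE.TEST -> "
    "host/client.ipa.example.test@IPA.EXAMPLE.TEST with session key aes256-cts/77D2",
]


def split_principal(princ):
    """Split 'name/instance@REALM' into (components, realm).

    Simplification: escaped '@' or '/' inside components is not handled.
    """
    name, sep, realm = princ.rpartition("@")
    if not sep:  # no realm part present
        name, realm = princ, ""
    return name.split("/"), realm


def find_case_mismatches(trace_lines, expected_realm):
    """Return (line number, principal) for krbtgt/<X>@... entries where X
    matches expected_realm case-insensitively but not byte for byte."""
    findings = []
    for lineno, line in enumerate(trace_lines, 1):
        m = TGS_REPLY.search(line)
        if not m:
            continue
        comps, _ = split_principal(m.group("server"))
        if len(comps) != 2 or comps[0] != "krbtgt":
            continue  # ordinary service ticket, not a cross-realm TGT
        target = comps[1]
        if target != expected_realm and target.lower() == expected_realm.lower():
            findings.append((lineno, m.group("server")))
    return findings


if __name__ == "__main__":
    for lineno, princ in find_case_mismatches(SAMPLE_TRACE, "IPA.EXAMPLE.TEST"):
        print(f"line {lineno}: realm case differs in {princ}")
```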