On Wed, Aug 30, 2017 at 10:45:11AM -0000, bogusmaster--- via FreeIPA-users 
wrote:
> The behavior that I described above pertains to Windows 2008 R2. When I
> attempt to do exactly the same with AD set up on top of Windows 2012, it
> works flawlessly. Unfortunately, the environment I have to set up trust with
> uses Windows 2008 R2. I am wondering what might be the difference between
> these two versions that prevents trust from working in the case of Windows 2008 R2.

Can you send the KRB5_TRACE output for the 2012 case as well? What looks
suspicious to me in the 2008R2 output is

    TGS reply is for testu...@domain.com -> krbtgt/ipa.domain....@domain.com with session key aes256-cts/C0B1

I would expect krbtgt/ipa.domain....@domain.com here. AD typically does
not care about cases in Kerberos principal but IPA's MIT Kerberos KDC
does (because the RFC says Kerberos is case-sensitive).

bye,
Sumit

> _______________________________________________
> FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
> To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org
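
Added example (not part of the original message and not FreeIPA or MIT Kerberos code): a Python check that scans KRB5_TRACE output for the "TGS reply is for" line quoted in the reply above and flags cross-realm krbtgt tickets whose target realm matches the expected realm only when letter case is ignored. The realm names, trace prefixes and sample lines are constructed for illustration.

```python
import re

# Matches the KRB5_TRACE message quoted in the thread:
#   TGS reply is for <client> -> <server> with session key <enctype>/<id>
TGS_REPLY = re.compile(r"TGS reply is for (\S+) -> (\S+) with session key")

# Constructed sample trace (realm names are placeholders, not from the thread).
SAMPLE = """\
[2211] 1504089911.100001: TGS reply is for testuser@AD.EXAMPLE.COM -> krbtgt/ipa.example.com@AD.EXAMPLE.COM with session key aes256-cts/C0B1
[2211] 1504089912.100002: TGS reply is for testuser@AD.EXAMPLE.COM -> krbtgt/IPA.EXAMPLE.COM@AD.EXAMPLE.COM with session key aes256-cts/A1B2
[2211] 1504089913.100003: TGS reply is for testuser@AD.EXAMPLE.COM -> host/client.ipa.example.com@IPA.EXAMPLE.COM with session key aes256-cts/D3E4
"""


def split_principal(principal):
    """Split 'name/instance@REALM' into (list of name components, realm)."""
    name, _, realm = principal.rpartition("@")
    return name.split("/"), realm


def check_trace(trace_text, expected_realm):
    """Return (line number, server principal, target realm) for every
    krbtgt ticket whose target realm equals expected_realm only
    case-insensitively. A case-sensitive KDC treats such a principal
    as a different one from krbtgt/<expected_realm>."""
    findings = []
    for lineno, line in enumerate(trace_text.splitlines(), 1):
        match = TGS_REPLY.search(line)
        if not match:
            continue
        server = match.group(2)
        components, _issuing_realm = split_principal(server)
        # Only cross-realm TGTs have the form krbtgt/<target realm>@<issuer>.
        if len(components) != 2 or components[0] != "krbtgt":
            continue
        target = components[1]
        if target != expected_realm and target.lower() == expected_realm.lower():
            findings.append((lineno, server, target))
    return findings


if __name__ == "__main__":
    for lineno, server, target in check_trace(SAMPLE, "IPA.EXAMPLE.COM"):
        print(f"line {lineno}: {server} (target realm {target!r} differs in case)")
```
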