On Wed, Jan 03, 2018 at 07:56:57PM +0700, Николай Савельев via FreeIPA-users 
wrote:
> I have an IPA domain with an AD trust. id ad_users@ad_domain works. su 
> ad_users@ad_domain works.
> kinit ad_users@ad_domain doesn't work on Ubuntu but works on CentOS 7.
> What?
> /etc/krb5.conf is the same.
> IPA servers work on CentOS 7. IPA clients work on Ubuntu 14.04 or 16.04.
> I also can't get access from AD member Windows to Samba shares on IPA member 
> Linux.
> 
> What can I do?
> 
> Oh, I forgot to say about the error!
> For kinit of an AD user I get:
> kinit: KDC reply did not match expectations while getting initial credentials

Then using 'kinit -C ...' or 'canonicalize = true' in krb5.conf should
help.

bye,
Sumit

> 
> My krb5.conf:
> 
> 
> includedir /var/lib/sss/pubconf/krb5.include.d/
> 
> [libdefaults]
>   default_realm = FS.LAN
>   dns_lookup_realm = true
>   dns_lookup_kdc = true
>   rdns = false
>   ticket_lifetime = 24h
>   dns_canonicalize_hostname = false
>   forwardable = true
>   udp_preference_limit = 0
>   default_ccache_name = KEYRING:persistent:%{uid}
> 
> 
> [realms]
>   FS.LAN = {
>     pkinit_anchors = FILE:/etc/ipa/ca.crt
> 
>   }
> 
> 
> [domain_realm]
>   .fs.lan = FS.LAN
>   fs.lan = FS.LAN
> 
> -- 
> Best regards, Николай.
> _______________________________________________
> FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
> To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org
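An added example, not part of the thread: a small Python check that reads krb5.conf text and reports whether the `canonicalize` option suggested in the reply is set in `[libdefaults]`. The function name `libdefaults_bool` is hypothetical, the sample is a trimmed copy of the posted configuration, and files pulled in by `includedir` are not followed.

```python
import re

TRUE_WORDS = {"y", "yes", "true", "t", "1", "on"}      # boolean spellings MIT krb5 accepts
FALSE_WORDS = {"n", "no", "false", "nil", "0", "off"}

def libdefaults_bool(conf_text, key, default=False):
    """Boolean `key` from the top level of [libdefaults]; include files are not followed."""
    section, depth = None, 0
    for raw in conf_text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        header = re.fullmatch(r"\[(\w+)\]", line)
        if header and depth == 0:
            section = header.group(1)
            continue
        if line.startswith("}"):          # end of a nested stanza such as a realm
            depth = max(depth - 1, 0)
            continue
        name, sep, val = (p.strip() for p in line.partition("="))
        if val.endswith("{"):             # start of a nested stanza
            depth += 1
            continue
        if sep and section == "libdefaults" and depth == 0 and name == key:
            word = val.lower()
            if word not in TRUE_WORDS | FALSE_WORDS:
                raise ValueError(f"{key}: not a boolean: {val!r}")
            return word in TRUE_WORDS     # first occurrence wins in this example
    return default

# Trimmed copy of the krb5.conf posted in the thread.
POSTED_CONF = """\
includedir /var/lib/sss/pubconf/krb5.include.d/

[libdefaults]
  default_realm = FS.LAN
  dns_canonicalize_hostname = false

[realms]
  FS.LAN = {
    pkinit_anchors = FILE:/etc/ipa/ca.crt
  }
"""
# Constructed variant with the setting suggested in the reply added.
FIXED_CONF = POSTED_CONF.replace("[libdefaults]\n", "[libdefaults]\n  canonicalize = true\n", 1)

if __name__ == "__main__":
    for label, text in (("posted", POSTED_CONF), ("with fix", FIXED_CONF)):
        print(label, "-> canonicalize =", libdefaults_bool(text, "canonicalize"))
```

The key is matched exactly, so `dns_canonicalize_hostname` in the posted file (hostname canonicalization) is not mistaken for `canonicalize` (client principal canonicalization).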