On Wed, Jul 11, 2018 at 08:30:16PM -0000, Mike Conner via FreeIPA-users wrote: > So you're saying the client is probably not finding the AD KDC through DNS > SRV calls?
Not necessarily not finding, but perhaps the AD KDCs the client discovers are slow to respond? What exactly were the changes to krb5.conf that helped you? btw previously in the log snippet you sent, the AD domain was already marked as Inactive, so I was mostly guessing as per what caused the AD domain to flip to the Inactive state in the first place -- although on the client, an authentication timeout is the most likely issue. > I think that I've tested all the DNS configs that are called for in the > documentation. What could I do to test whether the AD realm's KDC is being > discovered? > > Here's what I've tried to see if the dns is correctly configured: > [root@freeipaclient ~]# dig +short -t SRV > _kerberos._tcp.dc._msdcs.cs.domain.dom > 0 100 88 ipa.cs.domain.dom. > [root@freeipaclient ~]# dig +short -t SRV _kerberos._tcp.dc._msdcs.domain.dom > 0 100 88 kdc1.domain.dom. > 0 100 88 kdc2.domain.dom. > _______________________________________________ > FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org > To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org > Fedora Code of Conduct: https://getfedora.org/code-of-conduct.html > List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines > List Archives: > https://lists.fedoraproject.org/archives/list/freeipa-users@lists.fedorahosted.org/message/AW2TLNXLWYGEESKU22FSBOM3Q6BP3U47/ _______________________________________________ FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org Fedora Code of Conduct: https://getfedora.org/code-of-conduct.html List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedoraproject.org/archives/list/freeipa-users@lists.fedorahosted.org/message/SQ72NB5525CWEHAY5HQMKXXASPYGSAL7/
