Hi all,

I am facing a problem that I am stuck on.


We have the following setup:

                       +-----------+            
                       |           |            
                       |    AD     |            
                       |           |            
                       +-----------+            
+--------------+          ^                     
|              +----------+                     
|    ums012    |                                
|              |                                
|     IPA      |                                
+--------------+                                
       ^                                        
       |                        +--------------+
       |                        |              |
       |                        |    ums029    |
       |                        |              |
       |                        |   smbclient  |
       |                        +---+----------+
+------+--------+                   |           
|               |                   |           
|    ums025     |                   |           
|               |<------------------+           
|    samba      |                               
+---------------+                               

IPA has a trust established with AD which is working fine. Active Directory 
users can log on to Linux machines which are connected to IPA, and `id some-ad-user` 
properly shows the AD groups.

ums012 and ums025 are running RHEL 9.3, ums029 is running RHEL 8.9.

ums029 is used as a test client via smbclient.


ums025 was set up following the instructions in 
https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/9/html/using_external_red_hat_utilities_with_identity_management/setting-up-samba-on-an-idm-domain-member_using-external-red-hat-utilities-with-idm
 

Setup worked fine, all steps went OK. 

But when I switch over to ums029 and try to verify with an AD user, I get:


kinit <ad user>
smbclient -L ums025.idm.example.com -U <ad user> --use-kerberos=required
Password for [<ad user>@EXAMPLE.COM]:
gensec_spnego_client_negTokenInit_step: gse_krb5: creating NEG_TOKEN_INIT for cifs/ums025.idm.example.com failed (next[(null)]): NT_STATUS_INVALID_PARAMETER
session setup failed: NT_STATUS_INVALID_PARAMETER


whereas this works fine when running the verification as an IPA user.


I tried finding hints in the logs but was unsuccessful, thus I’m writing to the 
list.


Best regards,

Thomas



--
_______________________________________________
FreeIPA-users mailing list -- [email protected]