Hi all,

I am facing a problem I got stuck on.

We have the following setup:

[ASCII diagram: AD; ums012 (IPA); ums029 (smbclient); ums025 (samba), connected by arrows]

IPA has a trust established with AD which is working fine. Active Directory users can log on to Linux machines which are connected to IPA, `id some-ad-user` properly shows the AD groups.

ums012 and ums025 are running RHEL 9.3, ums029 is running RHEL 8.9. ums029 is used as a test client via smbclient.

ums025 was set up following the instructions in
https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/9/html/using_external_red_hat_utilities_with_identity_management/setting-up-samba-on-an-idm-domain-member_using-external-red-hat-utilities-with-idm

Setup worked fine, all steps went OK. But when I switch over to ums029 and try to verify with an AD user I get

    kinit <ad user>
    smbclient -L ums025.idm.example.com -U <ad user> --use-kerberos=required
    Password for [<ad user>@EXAMPLE.COM]:
    gensec_spnego_client_negTokenInit_step: gse_krb5: creating NEG_TOKEN_INIT for cifs/ums025.idm.example.com failed (next[(null)]): NT_STATUS_INVALID_PARAMETER
    session setup failed: NT_STATUS_INVALID_PARAMETER

whereas this is working fine when running the verification as IPA user.

I tried finding hints in the logs but was unsuccessful, thus I'm writing to the list.

Best regards,
Thomas
