Hi, I'm trying to set up FreeIPA as a replacement for our old NIS infrastructure.
The setup looks like this:

AD domain = domain.com
IPA domain = ipa.domain.com
IPA server = freeipa.domain.com
Client = ubuntu-test.domain.com

I've installed the FreeIPA server and AD trust. Everything is working on the FreeIPA server (login of IPA users, login of AD users). On the clients (tested 2 different clients, both Ubuntu 22.04) neither login of IPA users nor AD users works.

From the client logs:

(2024-08-14 08:55:52): [be[ipa.domain.com]] [sasl_bind_send] (0x0100): [RID#13] Executing sasl bind mech: GSSAPI, user: host/ubuntu-test.domain.com
(2024-08-14 08:55:52): [be[ipa.domain.com]] [sasl_bind_send] (0x0020): [RID#13] ldap_sasl_interactive_bind_s failed (-2)[Local error]
(2024-08-14 08:55:52): [be[ipa.domain.com]] [sasl_bind_send] (0x0080): [RID#13] Extended failure message: [SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure. Minor code may provide more information (Server krbtgt/[email protected] not found in Kerberos database)]
(2024-08-14 08:55:52): [be[ipa.domain.com]] [sdap_cli_connect_recv] (0x0040): [RID#13] Unable to establish connection [1432158227]: Authentication Failed

From the FreeIPA krb5kdc logs:

Aug 14 08:55:52 freeipa.domain.com krb5kdc[1238](info): TGS_REQ (8 etypes {aes256-cts-hmac-sha1-96(18), aes128-cts-hmac-sha1-96(17), aes256-cts-hmac-sha384-192(20), aes128-cts-hmac-sha256-128(19), UNSUPPORTED:des3-hmac-sha1(16), DEPRECATED:arcfour-hmac(23), camellia128-cts-cmac(25), camellia256-cts-cmac(26)}) 10.42.0.167: UNKNOWN_SERVER: authtime 0, host/[email protected] for krbtgt/[email protected], Server not found in Kerberos database

Both use the same NTP server. DNS is working fine (SRV and TXT entries are there and resolvable from the server and the client).

I've read the documentation about installation, troubleshooting and AD trust on the FreeIPA page and also at Red Hat IdM.

Do you have any ideas how I can further troubleshoot and fix this? I'm out of ideas.
