On Fri, Apr 19, 2013 at 12:37:30PM +0200, Natxo Asenjo wrote:
> I modified /etc/sysconfig/network
> HOSTNAME=kdc.ipa.asenjo.nx
> 
> rebooted the host. Re-ran
> 
> # smbclient -L kdc.ipa.asenjo.nx -k
> lp_load_ex: changing to config backend registry
> Domain=[IPA] OS=[Unix] Server=[Samba 4.0.0rc4]
> 
>     Sharename       Type      Comment
>     ---------       ----      -------
>     IPC$            IPC       IPC Service (Samba 4.0.0rc4)
> Domain=[IPA] OS=[Unix] Server=[Samba 4.0.0rc4]
> 
> That was ok.
> 
> re-ran:
> 
> # ipa trust-add --type=ad ad.asenjo.nx --admin Administrator --password
> Active directory domain administrator's password:
> -----------------------------------------------------
> Added Active Directory trust for realm "ad.asenjo.nx"
> -----------------------------------------------------
>   Realm name: ad.asenjo.nx
>   Domain NetBIOS name: AD
>   Domain Security Identifier: S-1-5-21-2508008360-1834726910-79835928
>   Trust direction: Two-way trust
>   Trust type: Active Directory domain
>   Trust status: Established and verified
> 
> And it is working :-)
> 
> Awesome.

Great.

Please note that having hostname return a fully qualified host name
is not a new requirement coming with the trust feature. It was always
recommended because other services like sshd, httpd, sssd might also
have problems finding the right Kerberos keys from their keytabs.

bye,
Sumit
> 
> Thanks!
> 
> -- 
> groet,
> natxo
> 
> 
> --
> Groeten,
> natxo
> 
> 
> On Fri, Apr 19, 2013 at 12:11 PM, Sumit Bose <sb...@redhat.com> wrote:
> 
> > On Fri, Apr 19, 2013 at 11:45:47AM +0200, Natxo Asenjo wrote:
> > > I saw there is a log in /var/log/samba/log.wb-IPA
> > >
> > > The log complains about missing keys for the spn for the hostname (not the
> > > fqdn, just the hostname):
> > >
> > >  Connection to LDAP server failed for the 15 try!
> > > [2013/04/19 11:39:22.352522,  0] ipa_sam.c:3689(bind_callback_cleanup)
> > >   kerberos error: code=-1765328203, message=Keytab contains no suitable
> > > keys for cifs/k...@ipa.asenjo.nx
> >
> > Can you check if
> >
> > $ hostname
> >
> > returns the fully qualified hostname, if not, please fix this, call
> > ipactl stop and ipactl start and try again.
> >
> > bye,
> > Sumit
> >
> > >
> > >
> > > --
> > > Groeten,
> > > natxo
> >

_______________________________________________
Freeipa-users mailing list
Freeipa-users@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users
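
The check discussed in this thread, as an added example that is not part of the original mails or of FreeIPA: it verifies that the name returned by hostname is fully qualified and that a service key for that exact name is present in a keytab listing. The host names, realm and listing are constructed, and the function names are hypothetical; the listing layout assumes MIT `klist -k`.

```shell
#!/bin/sh
# Added example. Host names, realm and keytab listing below are constructed.

# is_fqdn NAME: succeed only if NAME has at least two non-empty labels.
is_fqdn() {
    case "$1" in
        .*|*.|*..*) return 1 ;;
        *.*)        return 0 ;;
        *)          return 1 ;;
    esac
}

# keytab_has_principal SERVICE HOST REALM: read `klist -k` output on stdin
# and succeed if SERVICE/HOST@REALM is listed (principal is column 2).
keytab_has_principal() {
    awk -v want="$1/$2@$3" '$2 == want { found = 1 } END { exit !found }'
}

# check_host SERVICE HOST REALM LISTING
# returns 0 = ok, 1 = HOST is not fully qualified, 2 = no matching key.
check_host() {
    service=$1; host=$2; realm=$3; listing=$4
    if ! is_fqdn "$host"; then
        echo "FAIL: hostname '$host' is not fully qualified"
        return 1
    fi
    if ! printf '%s\n' "$listing" |
            keytab_has_principal "$service" "$host" "$realm"; then
        echo "FAIL: keytab has no key for $service/$host@$realm"
        return 2
    fi
    echo "OK: keytab has $service/$host@$realm"
}

# Constructed sample in the layout printed by MIT `klist -k`.
SAMPLE_LISTING='Keytab name: FILE:/path/to/keytab
KVNO Principal
---- ------------------------------------------------
   1 cifs/srv1.ipa.example.test@IPA.EXAMPLE.TEST
   1 cifs/srv1.ipa.example.test@IPA.EXAMPLE.TEST'

check_host cifs srv1.ipa.example.test IPA.EXAMPLE.TEST "$SAMPLE_LISTING"
check_host cifs srv1 IPA.EXAMPLE.TEST "$SAMPLE_LISTING" || true

# Live use (keytab path and realm are placeholders):
#   check_host cifs "$(hostname)" REALM "$(klist -k /path/to/keytab)"
```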
