On Fri, 19 Apr 2013, Natxo Asenjo wrote:
some progress. I disabled the firewall of the Linux host (also the KDC,
incidentally). From the Windows host using the AD Domains and Trusts tool I
can verify the trust and using PuTTY I can login and get the Linux Kerberos
tickets as a Windows realm user.
If I enable the firewall and I do not block the LDAP/LDAPS port (the
Windows host is also the domain controller, yeah, I know, this is a home
test lab on very modest virtual hardware), then I can login using PuTTY
with SSO too, but I cannot verify the trust using the AD Domain and Trusts
So is this expected behaviour?
Yes, because you also need to keep the right ports open.
Verification of trust is done via the SMB protocol (actually, the netlogon
pipe), so you need to get the SMB ports open -- 135/tcp, 139/tcp, 445/tcp
and some ports starting from 1024/tcp for the end-point mapper.
/ Alexander Bokovoy
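The symptom above (SSO login works, trust verification fails) is the kind of thing a quick reachability probe from the IPA host to the domain controller makes obvious. The following is an added example, not code from this thread or from FreeIPA: it groups the ports the reply lists by the function that depends on them and reports which function a closed port would break. The Kerberos (88) and LDAP/LDAPS (389/636) port numbers are the standard ones and are an assumption; the RPC end-point mapper's dynamic range above 1024/tcp is not probed, so a clean report still does not prove that range is open.

```python
import socket
from typing import Callable, Dict, List, Tuple

# Ports grouped by the function that needs them. The SMB/netlogon set is the
# one named in the reply; 88 and 389/636 are the standard Kerberos and
# LDAP/LDAPS ports and are an assumption added here. The dynamic end-point
# mapper range (1024/tcp and up) is deliberately not probed.
REQUIREMENTS: Dict[str, Tuple[int, ...]] = {
    "trust verification (SMB/netlogon)": (135, 139, 445),
    "Kerberos login / SSO": (88,),
    "LDAP/LDAPS": (389, 636),
}


def tcp_open(host: str, port: int, timeout: float = 2.0) -> bool:
    """Return True if a TCP connect to host:port succeeds within timeout."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def diagnose(host: str,
             probe: Callable[[str, int], bool] = tcp_open) -> Dict[str, List[int]]:
    """Probe every required port; map each function to its closed ports.

    `probe` is injectable so the check can be exercised without a network."""
    return {feature: [p for p in ports if not probe(host, p)]
            for feature, ports in REQUIREMENTS.items()}


def explain(report: Dict[str, List[int]]) -> List[str]:
    """Turn the closed-port map into one human-readable line per function."""
    return [f"{feature}: blocked (closed: {closed})" if closed
            else f"{feature}: ok"
            for feature, closed in report.items()]


if __name__ == "__main__":
    import sys
    dc = sys.argv[1] if len(sys.argv) > 1 else "dc.example.test"  # placeholder
    for line in explain(diagnose(dc)):
        print(line)
</test>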
Freeipa-users mailing list