On Wed, 05 Feb 2014, Steve Dainard wrote:
> After the initial setup of a trust I'm attempting to get Kerberos tickets
> against the AD domain.
>
> Step 12 in this document:
>
> Then, request service tickets for services within the Active Directory
> [root@ipaserver ]# kvno cifs/adserver.adexample.com@AD.DOMAIN
> If the Active Directory service ticket is successfully granted, then there
> will be a cross-realm TGT listed with all of the other requested tickets.
> This will have the name krbtgt/AD.DOMAIN@IPA.DOMAIN.
>
> I get an error back:
> # kvno cifs/dc1.miovision.c...@miovision.corp
> kvno: Server not found in Kerberos database while getting credentials for

Can you try 'KRB5_TRACE=/dev/stderr kvno -S cifs dc1.miovision.corp'?

Ideally, I'd like to see your /etc/krb5.conf; it should have a mapping
between the AD DNS domain and the AD realm so that the IPA KDC will be able
to route the ticket request properly to the AD DC. Without that it may assume
miovision.corp belongs to the IPA realm.

> But I do have a krbtgt ticket/AD domain:
>
> # klist
> Ticket cache: FILE:/tmp/krb5cc_0
> Default principal: sdainard-r...@miolinux.corp
>
> Valid starting     Expires            Service principal
> 02/05/14 14:21:06  02/06/14 14:21:06  krbtgt/miolinux.c...@miolinux.corp
> 02/05/14 14:21:17  02/06/14 14:21:06  host/ipa1.miolinux.c...@miolinux.corp
> 02/05/14 14:21:20  02/06/14 14:21:06  krbtgt/miovision.c...@miolinux.corp
>
> Also, is it normal to not find the Linux realm listed in the domain trust
> list on the AD DC?

It should be listed there. If it is not listed, it means no real trust
is established on the AD side.

/ Alexander Bokovoy
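
The krb5.conf mapping check asked for in the reply above, as an added example that is not part of the original message or of FreeIPA's code: it parses the `[domain_realm]` section and reports which realm a host name maps to. The sample configuration is constructed from the two domains in the thread, the uppercase realm names are an assumption, and the lookup order is this example's reading of MIT krb5 behaviour.

```python
# Added example: which realm does [domain_realm] assign to a host?
# SAMPLE_KRB5_CONF is constructed for illustration; the realm names are
# assumed to be the uppercased DNS domains seen in the thread.
SAMPLE_KRB5_CONF = """\
[libdefaults]
 default_realm = MIOLINUX.CORP

[domain_realm]
 .miolinux.corp = MIOLINUX.CORP
 miolinux.corp = MIOLINUX.CORP
 .miovision.corp = MIOVISION.CORP
 miovision.corp = MIOVISION.CORP
"""

def parse_domain_realm(text):
    """Return the [domain_realm] entries as {lowercased key: realm}."""
    mapping, section = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue  # skip blanks and comments
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
        elif section == "domain_realm" and "=" in line:
            key, realm = (part.strip() for part in line.split("=", 1))
            mapping[key.lower()] = realm
    return mapping

def realm_for_host(host, mapping):
    """Return the mapped realm, or None when no entry applies to host."""
    host = host.lower().rstrip(".")
    if host in mapping:  # exact host entry wins
        return mapping[host]
    labels = host.split(".")
    # Then walk up the parent domains, trying ".suffix" before "suffix".
    for i in range(1, len(labels)):
        suffix = ".".join(labels[i:])
        for key in ("." + suffix, suffix):
            if key in mapping:
                return mapping[key]
    return None  # no local mapping: the realm is left to referral or fallback

if __name__ == "__main__":
    entries = parse_domain_realm(SAMPLE_KRB5_CONF)
    for name in ("dc1.miovision.corp", "ipa1.miolinux.corp"):
        print(name, "->", realm_for_host(name, entries))
```

A `None` result for the AD DC's host name corresponds to the situation the reply describes, where nothing tells the IPA side that miovision.corp belongs to the AD realm.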

Freeipa-users mailing list
