On Wed, 05 Feb 2014, Alexander Bokovoy wrote:
On Wed, 05 Feb 2014, Steve Dainard wrote:
After the initial setup of a trust I'm attempting to get kerberos tickets
against the AD domain.

Step 12 in this document:
https://access.redhat.com/site/documentation/en-US/Red_Hat_Enterprise_Linux/6/html/Identity_Management_Guide/trust-diff-dns-domains.html says:

Then, request service tickets for services within the Active Directory
domain.
[root@ipaserver ]# kvno cifs/adserver.adexample.com@AD.DOMAIN
If the Active Directory service ticket is successfully granted, then there
will be a cross-realm TGT listed with all of the other requested tickets.
This will have the name krbtgt/AD.DOMAIN@IPA.DOMAIN.

I get an error back:
# kvno cifs/dc1.miovision.c...@miovision.corp
kvno: Server not found in Kerberos database while getting credentials for
cifs/dc1.miovision.c...@miovision.corp

Can you try 'KRB5_TRACE=/dev/stderr kvno -S cifs dc1.miovision.corp'?

Ideally, I'd like to see your /etc/krb5.conf, it should have mapping
between AD DNS domain and AD realm so that IPA KDC will be able to route
the ticket request properly to the AD DC. Without that it may assume
miovision.corp belongs to the IPA realm.

Actually, that mapping should be generated by sssd in
/var/lib/sss/pubconf/krb5.include.d/domain_realm_miolinux_corp

--
/ Alexander Bokovoy
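
The [domain_realm] lookup discussed above, as an added example that is not part of the original thread: it parses krb5.conf-style text and resolves a host to a realm, trying the full host name and then each parent domain with and without a leading dot. The realm names MIOLINUX.CORP and MIOVISION.CORP and both sample configurations are constructed for illustration.

```python
# Added example, not from the thread: which realm does a host map to,
# given the [domain_realm] entries visible to the Kerberos library?
import re

def parse_domain_realm(conf_text):
    """Return {name: realm} collected from every [domain_realm] section."""
    mapping, section = {}, None
    for raw in conf_text.splitlines():
        line = raw.strip()
        if not line or line.startswith(("#", ";")):
            continue
        header = re.fullmatch(r"\[(\w+)\]", line)
        if header:
            section = header.group(1)
            continue
        if section == "domain_realm" and "=" in line:
            name, realm = (part.strip() for part in line.split("=", 1))
            mapping[name.lower()] = realm
    return mapping

def host_realm(host, mapping):
    """Try 'host.dom.tld', '.dom.tld', 'dom.tld', '.tld', 'tld' in that order.
    None means no mapping exists, so the request is not routed to that realm."""
    candidate = host.lower().rstrip(".")
    while candidate:
        if candidate in mapping:
            return mapping[candidate]
        if candidate.startswith("."):
            candidate = candidate[1:]
        else:
            dot = candidate.find(".")
            candidate = candidate[dot:] if dot != -1 else ""
    return None

# Constructed sample: IPA-only configuration, no entry for the AD DNS domain.
WITHOUT_MAPPING = """[libdefaults]
 default_realm = MIOLINUX.CORP
[domain_realm]
 .miolinux.corp = MIOLINUX.CORP
 miolinux.corp = MIOLINUX.CORP
"""
# Constructed sample: the same file plus an included snippet mapping the AD domain.
WITH_MAPPING = WITHOUT_MAPPING + """[domain_realm]
 .miovision.corp = MIOVISION.CORP
 miovision.corp = MIOVISION.CORP
"""

if __name__ == "__main__":
    for label, conf in (("without", WITHOUT_MAPPING), ("with", WITH_MAPPING)):
        print(label, host_realm("dc1.miovision.corp", parse_domain_realm(conf)))
```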
