On Fri, 12 Sep 2014, Traiano Welcome wrote:
Hi Alexander

On Thu, Sep 11, 2014 at 8:16 PM, Alexander Bokovoy <aboko...@redhat.com>

On Thu, 11 Sep 2014, Traiano Welcome wrote:

This one is not usable. You need to enable debugging on the server side.
See http://www.freeipa.org/page/Howto/IPAv3_AD_trust_setup#
in the part where it talks about /usr/share/ipa/smb.conf.empty.

I've attached the debug logs, I'd be thankful if you could find anything
in them!

Can you please keep debugging and re-establish the trust using AD

I can see that AD DC does believe yet the trust is working:
Ticket in credentials cache for @LINUX will expire in 86400 secs
GSS client Update(krb5)(1) Update failed: Unspecified GSS failure.
Minor code may provide more information: KDC policy rejects request

"KDC policy rejects request" means AD-side of the trust is not set and

By running 'ipa trust-add ... --admin ..' you'll force AD DC to reset trust
and verify it.

Just to confirm: The guide says that Windows 2008 R2 should be used as an
AD DC, and provides a link to a setup process for Windows 2008 R2.  However
later on in the doc there is animated gif of Windows 2012 ... Does this

Will different setups based on Win2K8 or Win2K12 DC affect the installation
process in any way on the IdM side?
I have both Windows Server 2008 (actually, 2008 and 2008R2) and Windows
Server 2012 working in my lab. Both have trusts established to FreeIPA
domain and work fine.
/ Alexander Bokovoy

Manage your subscription for the Freeipa-users mailing list:
Go To http://freeipa.org for more info on the project

Reply via email to