On Fri, Feb 06, 2015 at 10:16:37AM +0200, Alexander Bokovoy wrote:
> On Thu, 05 Feb 2015, Nicolas Zin wrote:
> >Hi,
> >
> >is it possible to create a one way AD trust relationship with FreeIPA/IDM 
> >3.3?
> No.
> 
> >- From Windows I created an incoming one-way trust relationship, with a 
> >trust-secret
> >- on Linux I use the trust-secret with ipa: ipa trust-add --type=ad 
> >ipawindows.mtl.sfl --trust-secret
> >
> >everything seems to be fine, but when I try
> >kinit administra...@ipawindows.mtl.sfl
> >kinit: KDC reply did not match expectations while getting initial credentials

Nevertheless the error you see is not related to trust in the first
place. kinit on Linux clients expects a Kerberos principal as argument
which in general is case sensitive. I would expect that either

kinit -C administra...@ipawindows.mtl.sfl

or

kinit administra...@ipawindows.mtl.sfl

will work for you. But please note that this is not an indication that
the trust is working in general. For this you should try to get a
Kerberos service ticket for a service from your IPA domain e.g. with
kvno.

bye,
Sumit

> >
> >I tried other ways, but I wonder if it is possible to have a one-way trust 
> >relationship?
> One-way trust is not supported yet. I'm in the process of writing a
> set of design documents and opening tickets for various missing parts.
> We hope to get it done within the scope of FreeIPA 4.2.
> 
> -- 
> / Alexander Bokovoy
> 
> -- 
> Manage your subscription for the Freeipa-users mailing list:
> https://www.redhat.com/mailman/listinfo/freeipa-users
> Go To http://freeipa.org for more info on the project
