On Fri, Feb 06, 2015 at 10:16:37AM +0200, Alexander Bokovoy wrote:
> On Thu, 05 Feb 2015, Nicolas Zin wrote:
> >Hi,
> >
> >is it possible to create a one way AD trust relationship with FreeIPA/IDM
> >3.3?
> No.
>
> >- From Windows I created an incoming one-way trust relationship, with a
> >trust-secret
> >- on Linux I use the trust-secret with ipa: ipa trust-add --type=ad
> >ipawindows.mtl.sfl --trust-secret
> >
> >everything seems to be fine, but when I try
> >kinit [email protected]
> >kinit: KDC reply did not match expectations while getting initial credentials

Nevertheless the error you see is not related to trust in the first place. kinit on Linux clients expects a Kerberos principal as argument which in general is case sensitive. I would expect that either

    kinit -C [email protected]

or

    kinit [email protected]

will work for you. But please note that this is not an indication that the trust is working in general. For this you should try to get a Kerberos service ticket for a service from your IPA domain e.g. with kvno.

bye,
Sumit

> >
> >I tried other ways, but I wonder if it is possible to have a one-way trust
> >relationship?
> One-way trust is not supported yet. I'm in the process of writing a
> set of design documents and opening tickets for various missing parts.
> We hope to get it done within the scope of FreeIPA 4.2.
>
> --
> / Alexander Bokovoy
