On Tue, Mar 31, 2015 at 10:02:37AM -0400, Gould, Joshua wrote:
> Klist in Windows showed one ticket for the IPA domain.
>
> #0>     Client: adm-faru03 @ test.osuwmc
>         Server: krbtgt/UNIX.TEST.OSUWMC @ TEST.OSUWMC
>         KerbTicket Encryption Type: AES-256-CTS-HMAC-SHA1-96
>         Ticket Flags 0x40a40000 -> forwardable renewable pre_authent ok_as_delegate
>         Start Time: 3/31/2015: 9:29:25 (local)
>         End Time: 3/31/2015: 15:28:22 (local)
>         Session Key Type: AES-256-CTS-HMAC-SHA1-96

This means that you do not have a ticket for the IPA client. Please make
sure you use 'mid-ipa-vp01.unix.test.osuwmc' as hostname with putty.

Since the AD DC gave you the cross-realm TGT (the ticket you've shown
above) I would expect that your Windows client has issues resolving a KDC
in the IPA domain. Please check on the Windows client with the nslookup
utility if DNS SRV records like _kerberos._tcp.dc._msdcs.unix.test.osuwmc
and _kerberos._tcp.unix.test.osuwmc can be resolved.

>
> IPA and SSSD are:
> ipa-server.x86_64    4.1.0-18.el7_1.3
> sssd.x86_64          1.12.2-58.el7_1.6.1
>
> Kinit [email protected] was telling. Once it reported "kinit: KDC
> reply did not match expectations while getting initial credentials". We
> waited a minute or two (were discussing results) and tried again just
> adding the -V flag and it worked.
>
> Kvno host/[email protected] = 2
>
> Verbose logging in putty gave the following error:
>

Which errors do you see when using ssh in the IPA client after calling
kinit? Or is it working in this case?

bye,
Sumit

>
> On 3/31/15, 3:30 AM, "Sumit Bose" <[email protected]> wrote:
>
> >Can you do the following checks:
> >
> >Can you check by calling klist in a Windows Command window if you got
> >a proper host/... ticket for the IPA host?
> >
> >What version of IPA and SSSD are you using?
> >
> >Can you check if the following works on an IPA host:
> >
> >kinit [email protected]
> >kvno host/[email protected]
> >ssh -v -l [email protected] name.of.the.ipa-client.to.login
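
The klist check discussed in this thread (a cross-realm TGT in the cache but no host/ ticket for the IPA client), as an added example that is not part of the original messages. The sample klist text is constructed from the ticket quoted above, and `parse_tickets` and `diagnose` are hypothetical helper names.

```python
import re

# Constructed klist output, modelled on the ticket quoted in the thread.
ONLY_XREALM_TGT = """\
#0>     Client: adm-faru03 @ test.osuwmc
        Server: krbtgt/UNIX.TEST.OSUWMC @ TEST.OSUWMC
        KerbTicket Encryption Type: AES-256-CTS-HMAC-SHA1-96
"""
# Constructed: the same cache after a host ticket has been obtained.
WITH_HOST_TICKET = ONLY_XREALM_TGT + """\
#1>     Client: adm-faru03 @ test.osuwmc
        Server: host/mid-ipa-vp01.unix.test.osuwmc @ UNIX.TEST.OSUWMC
        KerbTicket Encryption Type: AES-256-CTS-HMAC-SHA1-96
"""

# One ticket entry: a Client line followed by a Server line.
TICKET_RE = re.compile(
    r"Client:\s*\S+\s*@\s*\S+\s+Server:\s*(?P<service>\S+)\s*@\s*(?P<realm>\S+)"
)

def parse_tickets(klist_text):
    """Return (service principal, issuing realm) pairs, lower-cased."""
    return [(m["service"].lower(), m["realm"].lower())
            for m in TICKET_RE.finditer(klist_text)]

def diagnose(klist_text, ipa_host, ipa_realm):
    """Classify the ticket cache with respect to one IPA client."""
    tickets = parse_tickets(klist_text)
    realm = ipa_realm.lower()
    if (f"host/{ipa_host}".lower(), realm) in tickets:
        return "host-ticket-present"
    # krbtgt/<IPA realm> issued by a different realm is the cross-realm TGT:
    # the AD side worked, but no service ticket came from the IPA KDC.
    if any(svc == f"krbtgt/{realm}" and issuer != realm
           for svc, issuer in tickets):
        return "cross-realm-tgt-only"
    return "no-ticket-for-ipa-realm"

if __name__ == "__main__":
    for sample in (ONLY_XREALM_TGT, WITH_HOST_TICKET):
        print(diagnose(sample, "mid-ipa-vp01.unix.test.osuwmc",
                       "UNIX.TEST.OSUWMC"))
```

A result of `cross-realm-tgt-only` corresponds to the situation in the thread, where the next step suggested is checking that the Windows client can resolve the IPA domain's Kerberos SRV records.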
