Hi Lukas, such a realm does not exists, but it is my user principal name in AD, due to legacy compatibility with Exchange.
Best regards, Fabian -----Ursprüngliche Nachricht----- Von: Lukas Slebodnik [mailto:lsleb...@redhat.com] Gesendet: Montag, 18. Januar 2016 18:03 An: Zoske, Fabian Cc: freeipa-users@redhat.com Betreff: Re: [Freeipa-users] Cross Domain Trust On (12/01/16 11:11), Lukas Slebodnik wrote: >On (12/01/16 08:25), Zoske, Fabian wrote: >>We recently upgraded our IPA-Server from CentOS 7.1 to CentOS 7.2. So far no >>differences. >> >Then please provide sssd logfiles (1.13.3) from client and also log >files from sssd on freeipa server (sssd on freeipa server is used >indirectly by extop plugin in 389-ds) > >Please provide log files from the same time when you reproduced an issue. > Thank you very much for log files. Authentication on client failed Due to following error: (Thu Jan 14 12:58:36 2016) [[sssd[krb5_child[992]]]] [sss_child_krb5_trace_cb] (0x4000): [992] 1452772716.736098: Sending request (173 bytes) to EUROIMMUN.TEST (master) (Thu Jan 14 12:58:37 2016) [[sssd[krb5_child[992]]]] [get_and_save_tgt] (0x0020): 1232: [-1765328230][Cannot find KDC for realm "EUROIMMUN.TEST"] (Thu Jan 14 12:58:37 2016) [[sssd[krb5_child[992]]]] [map_krb5_error] (0x0020): 1301: [-1765328230][Cannot find KDC for realm "EUROIMMUN.TEST"] (Thu Jan 14 12:58:37 2016) [[sssd[krb5_child[992]]]] [k5c_send_data] (0x0200): Received error code 1432158209 (Thu Jan 14 12:58:37 2016) [[sssd[krb5_child[992]]]] [pack_response_packet] (0x2000): response packet size: [4] (Thu Jan 14 12:58:37 2016) [[sssd[krb5_child[992]]]] [k5c_send_data] (0x4000): Response sent. (Thu Jan 14 12:58:37 2016) [[sssd[krb5_child[992]]]] [main] (0x0400): krb5_child completed successfully Do you have defineded the realm "EUROIMMUN.TEST" in your krb5.conf? It is possible that sssd wrote snippet to the directory /var/lib/sss/pubconf/krb5.include.d/ but this directory is not included in krb5.conf. $ grep includedir /etc/krb5.conf includedir /var/lib/sss/pubconf/krb5.include.d/ BTW you can test the same operation as sssd did from command line. KRB5_TRACE=/dev/stderr kinit f.zo...@euroimmun.test or is this principal name an enterprise name? LS -- Manage your subscription for the Freeipa-users mailing list: https://www.redhat.com/mailman/listinfo/freeipa-users Go to http://freeipa.org for more info on the project