On Tue, 2016-05-17 at 17:10 +0300, Alexander Bokovoy wrote:
> On Tue, 17 May 2016, lejeczek wrote:
> > hi users/devs
> > 
> > I've used wiki pages to set AD - IPA trust, and it always ends up being
> > realm type of trust (@ AD DC end) whereas wiki shows forest type.
> > What am I doing wrong?
> Probably because you are choosing wrong type of trust on AD side.
> 
> Remove any trust with the same name as IPA on AD side and try to create
> the trust using 'ipa trust-add' command, as described in the wiki or in
> the documentation.
> 
but ipa trust-add renders one-way type of trust, at least here for me,
is this correct?
I go to AD DC and see only one-way trust.
> > 
> > I think I must be doing something wrong for having that trust
> > established (or at least I think I have it) when @IPA end I do:
> > 
> > $ kinit Administrator@ad_dom
> > Password for Administrator@ad_dom: 
> > kinit: KDC reply did not match expectations while getting initial
> > credentials
> > 

> 
> This is unrelated. In Kerberos realm is supposed to be in UPPER CASE. If
> you specified it in lower case, AD DC would accept that and would issue
> a ticket with corrected principal name but 'kinit' utility would not
> accept the changed principal.
> 
> kinit Administrator@AD_DOM is what you would need to try. However, being
> able to kinit as AD user from IPA machine has nothing to do with IPA -
> AD trust.
> 
> 