On Tue, 17 May 2016, John Meyers wrote:
I have established a 2-way forest trust between FreeIPA (4.2.4-1.fc23)
and AD (Windows 2012R2). The IPA side works perfect and AD users can
authenticate against IPA resources. However, when one tries to add an
IPA user or group to a Windows permission set (e.g. an NTFS ACL or user
right), Windows successfully obtains a Kerberos ticket for the IPA user
but then fails when trying to obtain the LDAP principal of the IPA
server. KDC logs follows:
The other leg is not supported.
Read http://www.freeipa.org/page/V4/One-way_trust#Design for details.
/ Alexander Bokovoy
Manage your subscription for the Freeipa-users mailing list:
Go to http://freeipa.org for more info on the project