On Wed, Sep 07, 2016 at 09:55:45AM +0200, Troels Hansen wrote:
> 
> 
> ----- On Sep 7, 2016, at 9:43 AM, Sumit Bose sb...@redhat.com wrote:
> 
> > Additionally please check the klist output on the Windows client. It
> > should show the host principal of the Linux client
> > (host/client.ipa.domain@IPA.DOMAIN). If the principal is there the sshd
> > logs on the Linux client with a high debug level might also have some
> > hints why GSSAPI authentication failed.
> > 
> 
> 
> Hmm, no host tickets. Only krbtgt for the domain and LDAP and CIFS principal
> for the DCs

So I guess there is no cross-realm ticket either, i.e.
krbtgt/IPA.DOMAIN@AD.DOMAIN. Can you check on AD if the IPA DNS domain
is listed in the 'Name Suffix Routing' tab in the trust properties of
the IPA domain? Additionally please check if the DNS SRV records like
e.g. _kerberos._udp.ipa.domain can be resolved on the AD side.

HTH

bye,
Sumit
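
The ticket-cache and SRV checks from this reply collected into one PowerShell script, as an added example that is not part of the original message. The realm, domain and host names are the thread's placeholders, the `_kerberos._tcp` lookup is an addition, and the regex assumes English-language `klist` output; the 'Name Suffix Routing' tab still has to be checked by hand.

```powershell
# Added example. Run in the user's session on the Windows client.
# Names are the thread's placeholders; replace them with real values.
param(
    [string]$IpaRealm     = 'IPA.DOMAIN',
    [string]$IpaDnsDomain = 'ipa.domain',
    [string]$AdRealm      = 'AD.DOMAIN',
    [string]$LinuxHost    = 'client.ipa.domain'
)

# Collect "service@REALM" for every cached ticket. Assumes English klist
# output, where each ticket has a line "Server: name @ REALM".
$cached = @(klist | Select-String -Pattern '^\s*Server:\s*(\S+)\s*@\s*(\S+)' |
    ForEach-Object {
        $g = $_.Matches[0].Groups
        '{0}@{1}' -f $g[1].Value, $g[2].Value
    })

$results = @()
# Cross-realm ticket first, then the host ticket for the Linux client.
foreach ($principal in "krbtgt/$IpaRealm@$AdRealm", "host/$LinuxHost@$IpaRealm") {
    $results += [pscustomobject]@{
        Check  = "ticket $principal"
        Found  = $cached -contains $principal   # -contains ignores case
        Detail = ''
    }
}

# SRV lookups as seen from this machine; repeat on a DC to test the AD side.
# The _udp name is the one in the thread; the _tcp name is an addition.
foreach ($name in "_kerberos._udp.$IpaDnsDomain", "_kerberos._tcp.$IpaDnsDomain") {
    $srv = @(Resolve-DnsName -Name $name -Type SRV -ErrorAction SilentlyContinue |
        Where-Object { $_.NameTarget })
    $results += [pscustomobject]@{
        Check  = "SRV $name"
        Found  = $srv.Count -gt 0
        Detail = ($srv | ForEach-Object { '{0}:{1}' -f $_.NameTarget, $_.Port }) -join ', '
    }
}

$results | Format-Table -AutoSize
```

Run it right after an SSH login attempt, since the cross-realm and host tickets are only requested when the client tries to reach the Linux host.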
