----- On Sep 7, 2016, at 10:31 AM, Sumit Bose sb...@redhat.com wrote:
> So I guess there is no cross-realm ticket either, i.e.
> krbtgt/IPA.DOMAIN@AD.DOMAIN. Can you check on AD if the IPA DNS domain
> is listed in the 'Name Suffix Routing' tab in the trust properties of
> the IPA domain? Additionally please check if the DNS SRV records like
> e.g. _kerberos._udp.ipa.domain can be resolved on the AD side.
No, no cross-realm tickets on the Windows client. It's a one-way trust if that makes
DNS is working. DNS config is only done on the AD side, so the IPA DNS config is done
there and Linux clients are configured to use AD as DNS.
Alexander just wrote that if we had used a shared secret to create the trust, the
routing is missing and can't be fetched afterwards.