On Fri, 16 Sep 2016, Brook, Andy [CRI] wrote:
You can replace actual hostnames/realm names/IP addresses by something more
generic
in the output when sending to the list, but please do it consistently.
I’m sorry. I thought I had been consistent when making changes, but
from your response, it looks like I wasn’t. I’m sorry about that. I got
yelled at by our security team last time we sent logs to a public list
that had any type of identifiable information in them, so it’s sort of
a new process for me. I think I have it down now.
The results of the commands are here: http://pastebin.com/PRwr7wv6
So IPA side works fine -- on IPA client you can kinit as AD user and
then obtain cross-realm TGT to IPA realm and use that cross-realm TGT to
request a service ticket to cifs/... service. That's good.
You need to identify what happens on AD side. A possible issue is that
name suffix routing to IPA domain is disabled.
Can you provide output of netdom.exe run on Windows side:
netdom trust addom.domain /namesuffixes: ipa.domain
You should get something like example 28 on the page
https://msdn.microsoft.com/en-us/library/cc776879(v=ws.10).aspx
--
/ Alexander Bokovoy
--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project
