On Fri, 16 Sep 2016, Brook, Andy [CRI] wrote:
   You can replace actual hostnames/realm names/IP addresses by something more 
   in the output when sending to the list, but please do it consistently.

I’m sorry. I thought I had been consistent when making changes, but
from your response, it looks like I wasn’t. I’m sorry about that. I got
yelled at by our security team last time we sent logs to a public list
that had any type of identifiable information in them, so it’s sort of
a new process for me. I think I have it down now.

The results of the commands are here: http://pastebin.com/PRwr7wv6
So IPA side works fine -- on IPA client you can kinit as AD user and
then obtain cross-realm TGT to IPA realm and use that cross-realm TGT to
request a service ticket to cifs/... service. That's good.

You need to identify what happens on AD side. A possible issue is that
name suffix routing to IPA domain is disabled.

Can you provide output of netdom.exe run on Windows side:

 netdom trust addom.domain /namesuffixes: ipa.domain

You should get something like example 28 on the page

/ Alexander Bokovoy

Manage your subscription for the Freeipa-users mailing list:
Go to http://freeipa.org for more info on the project

Reply via email to