On Mon, Sep 26, 2016 at 01:11:49PM +0200, Troels Hansen wrote:
> 
> 
> ----- On Sep 26, 2016, at 10:18 AM, Sumit Bose sb...@redhat.com wrote:
> 
> > 
> > Have you checked the firewalls? AD clients must be able to talk to the
> > KDC port (88 udp and tcp) on the IPA servers to get service tickets for
> > IPA hosts.
> > 
> 
> 
> KDC ports seem to work....  Besides, I don't have a TGT for the IPA (LX) 
> domain until I try to SSH to it. I guess I shouldn't be able to if KDC 
> traffic was blocked?

The cross-realm TGT 'krbtgt/LX.DR.DK @ PLACE.DR.DK' is issued by the AD
DC. So this is no indication that the IPA KDC can be reached by the AD
client.

Do you see any log messages in the krb5kdc.log on the IPA server? If it
is not the firewall, I would suggest recording the IP traffic of the AD
client and checking what it tries to do after the AD DC sends the
cross-realm TGT.

About the DNS SRV records, did you add matching records for _udp as
well? I'm not sure if the AD client will fall back to _tcp if they are
missing or just stop.

HTH

bye,
Sumit
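The two checks suggested above (SRV records for both transports, and port 88 reachable on the IPA KDCs) as an added script; it is not from the thread or the FreeIPA project. It assumes dig and nc are installed and that the DNS domain is the lower-cased realm name (LX.DR.DK -> lx.dr.dk):

```sh
#!/bin/sh
# Added example (not from the thread): check that an IPA Kerberos realm
# advertises SRV records for BOTH _udp and _tcp and that each advertised
# KDC answers on port 88. Assumes dig and nc are installed and that the
# DNS domain is the lower-cased realm name (e.g. LX.DR.DK -> lx.dr.dk).

# SRV names a Kerberos client looks up for a realm, udp first then tcp.
kerberos_srv_names() {
    domain=$(printf '%s' "$1" | tr 'A-Z' 'a-z')
    printf '_kerberos._udp.%s\n_kerberos._tcp.%s\n' "$domain" "$domain"
}

# Turn 'dig +short SRV' lines ("prio weight port target.") into
# "target port", dropping the trailing dot of the target name.
srv_targets() {
    awk 'NF == 4 { sub(/\.$/, "", $4); print $4, $3 }'
}

# Probe each target of one SRV name on tcp and udp. nc -z on UDP only
# proves that no ICMP port-unreachable came back, so "udp open" is weak
# evidence; krb5kdc.log on the IPA server shows whether a request arrived.
probe_kdcs() {
    name=$1
    dig +short SRV "$name" | srv_targets | while read -r host port; do
        if nc -z -w 3 "$host" "$port" 2>/dev/null; then
            echo "OK      $name -> $host tcp/$port open"
        else
            echo "BLOCKED $name -> $host tcp/$port"
        fi
        if nc -z -u -w 3 "$host" "$port" 2>/dev/null; then
            echo "OK      $name -> $host udp/$port open (weak evidence)"
        else
            echo "BLOCKED $name -> $host udp/$port"
        fi
    done
}

# Walk both SRV names for the realm; a missing record is flagged on its
# own because a client may not fall back from _udp to _tcp by itself.
check_realm() {
    status=0
    for name in $(kerberos_srv_names "$1"); do
        if [ -z "$(dig +short SRV "$name" | srv_targets)" ]; then
            echo "MISSING $name (no SRV record)"
            status=1
        else
            probe_kdcs "$name"
        fi
    done
    return "$status"
}
if [ "$#" -ge 1 ]; then check_realm "$1"; fi
```

Run it from the AD client side as `sh check_kdc.sh LX.DR.DK`; a MISSING or BLOCKED line is the thing to fix before looking further.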

-- 
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project