> Yes, this makes sense as well. If you are not in the forest root you
> first need a cross-realm TGT for your domain and the forest root. Then
> you need a cross-realm TGT for the forest root and the IPA domain.
>
> As a next step you should see a request to the IPA KDC to get the actual
> service ticket for the host in the IPA domain.
Yes, this is the traffic that's never seen in the capture. It seems Windows (PuTTY) never asks for a host ticket for the IPA host. I receive the krbtgt for the IPA domain, but never see any traffic from the Windows client to IPA, and thus never receive the host ticket on the Windows client. I'm not at all sure how Kerberos works in PuTTY, but it seems it uses its own Kerberos libraries and that these fail. A Linux host not joined to IPA, just installed with Kerberos and using DNS config in krb5.conf, can kinit in the NET domain and ssh to IPA using Kerberos just fine, so it seems the problem relates only to PuTTY.

--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project
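The exchange above describes the ticket chain a client in a child domain must walk to reach a host in a trusted IPA realm, and a capture in which the last hop never appears. The following is an added example (not code from the thread, FreeIPA or PuTTY) that encodes that expected chain and reports the first missing hop when run over a list of observed KDC exchanges. The realm names, the host name and the observed exchanges are constructed to mirror the situation described: the krbtgt for the IPA realm is obtained, but no request ever reaches the IPA KDC.

```python
"""Check observed Kerberos exchanges against the cross-realm chain a client
must walk to get a service ticket for a host in a trusted IPA realm.

Expected chain for a user whose account realm is not the forest root
(this is the sequence described in the quoted reply):
  1. AS-REQ  to the user's KDC      -> krbtgt/USER_REALM@USER_REALM
  2. TGS-REQ to the user's KDC      -> krbtgt/FOREST_ROOT@USER_REALM (cross-realm TGT)
  3. TGS-REQ to the forest-root KDC -> krbtgt/IPA_REALM@FOREST_ROOT   (cross-realm TGT)
  4. TGS-REQ to the IPA KDC         -> host/<fqdn>@IPA_REALM          (service ticket)

Exchanges are keyed by the realm of the answering KDC and the ticket it
issued, which is what a capture or `klist` shows regardless of whether the
client asked for the target SPN and was referred, or asked for the krbtgt
directly.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Exchange:
    msg_type: str   # "AS-REQ" or "TGS-REQ"
    kdc_realm: str  # realm of the KDC that answered
    ticket: str     # service principal of the ticket issued, e.g. "krbtgt/B@A"


def expected_chain(user_realm, forest_root, ipa_realm, host_fqdn):
    """Return the ordered exchanges the client should produce. Generalises the
    quoted description: a user already in the forest root skips the first
    cross-realm hop."""
    chain = [Exchange("AS-REQ", user_realm, f"krbtgt/{user_realm}@{user_realm}")]
    if user_realm != forest_root:
        chain.append(Exchange("TGS-REQ", user_realm, f"krbtgt/{forest_root}@{user_realm}"))
        chain.append(Exchange("TGS-REQ", forest_root, f"krbtgt/{ipa_realm}@{forest_root}"))
    else:
        chain.append(Exchange("TGS-REQ", user_realm, f"krbtgt/{ipa_realm}@{user_realm}"))
    chain.append(Exchange("TGS-REQ", ipa_realm, f"host/{host_fqdn}@{ipa_realm}"))
    return chain


def first_missing_step(observed, chain):
    """Return (index, Exchange) for the first expected hop absent from
    `observed`, or None when the whole chain is present. Observation order is
    not enforced because captures often interleave retries."""
    seen = set(observed)
    for i, step in enumerate(chain):
        if step not in seen:
            return i, step
    return None


# Constructed placeholder realms and host (hypothetical, not from the thread).
USER_REALM = "NET.EXAMPLE"
FOREST_ROOT = "ROOT.EXAMPLE"
IPA_REALM = "IPA.EXAMPLE"
HOST = "ipahost.ipa.example"

CHAIN = expected_chain(USER_REALM, FOREST_ROOT, IPA_REALM, HOST)

# Constructed "capture": the three TGT hops succeed, the IPA KDC is never asked.
OBSERVED = [
    Exchange("AS-REQ", USER_REALM, f"krbtgt/{USER_REALM}@{USER_REALM}"),
    Exchange("TGS-REQ", USER_REALM, f"krbtgt/{FOREST_ROOT}@{USER_REALM}"),
    Exchange("TGS-REQ", FOREST_ROOT, f"krbtgt/{IPA_REALM}@{FOREST_ROOT}"),
]


def diagnose(observed, chain):
    """Human-readable verdict for the observed exchanges."""
    missing = first_missing_step(observed, chain)
    if missing is None:
        return "complete: all hops including the service ticket were seen"
    idx, step = missing
    return (f"incomplete: hop {idx + 1} missing, expected {step.msg_type} to "
            f"{step.kdc_realm} KDC for {step.ticket}")


if __name__ == "__main__":
    print(diagnose(OBSERVED, CHAIN))
```

Running it against the constructed capture reports hop 4 as missing, which is exactly the symptom in the message: everything up to the IPA-realm krbtgt is present, and the client-side GSSAPI library is what stops short of the TGS-REQ to the IPA KDC. Feeding the same check a capture from a working Linux client returns "complete", which is a quick way to confirm the trust path itself is fine before blaming the client.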