On Wed, Sep 28, 2016 at 11:30:56AM +0200, Troels Hansen wrote:
> 
> > Yes, this makes sense as well. If you are not in the forest root you
> > first need a cross-realm TGT for your domain and the forest root. Then
> > you need a cross-realm TGT for the forest root and the IPA domain.
> > 
> > As a next step you should see a request to the IPA KDC to get the actual
> > service ticket for the host in the IPA domain.
> 
> Yes, this is the traffic that's never seen in the capture.
> It seems Windows (PuTTY) never asks for a host ticket for the IPA host. I 
> receive the krbtgt for the IPA domain, but never see any traffic from the 
> Windows client to IPA, and thus never receive the host ticket on the 
> Windows client.

Please check the other traffic on the client after receiving the
cross-realm ticket for the IPA domain. Since the client gets the name of
the IPA realm from the AD DC in the last response, I would expect that it
will try some DNS SRV lookups to find a KDC in the IPA realm.

HTH

bye,
Sumit

> 
> I'm not at all sure how Kerberos works in PuTTY, but it seems it uses its own 
> Kerberos libraries and that these fail.
> 
> A Linux box not joined to IPA, just installed with Kerberos and using DNS config in 
> krb5.conf, can kinit in the NET domain and ssh to IPA using Kerberos just 
> fine, so it seems the problem just relates to PuTTY.
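To make the "DNS SRV lookups to find a KDC" step concrete, here is an added Python example (not code from this thread, from FreeIPA or from PuTTY) showing which SRV names a Kerberos client resolves for a realm, how dig-style SRV answer lines parse, and how RFC 2782 priority and weight turn those answers into an ordered KDC list. The realm `IPA.EXAMPLE.TEST` and the hostnames are constructed; the answer text is written in the shape `dig SRV` prints, not captured from any real zone.

```python
from __future__ import annotations

import random
from dataclasses import dataclass


@dataclass(frozen=True)
class SrvRecord:
    priority: int
    weight: int
    port: int
    target: str


def kdc_srv_names(realm: str) -> list[str]:
    """SRV owner names a client resolves to find KDCs for `realm`.

    MIT krb5 (with dns_lookup_kdc enabled) queries _kerberos._udp.<realm> and
    _kerberos._tcp.<realm>; these are the queries to look for in a capture
    right after the cross-realm TGT for the IPA realm arrives. DNS names are
    case-insensitive, so the realm is lowercased here.
    """
    r = realm.rstrip(".").lower()
    return [f"_kerberos._udp.{r}", f"_kerberos._tcp.{r}"]


def parse_srv_answers(answer_text: str) -> list[SrvRecord]:
    """Parse dig-style answer lines:
    <owner> <ttl> IN SRV <priority> <weight> <port> <target>
    Comments after ';' and blank lines are ignored; anything else that is
    not an SRV line raises, so a stray A record is not silently accepted.
    """
    records: list[SrvRecord] = []
    for raw in answer_text.splitlines():
        line = raw.split(";", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        if len(fields) < 8 or fields[2:4] != ["IN", "SRV"]:
            raise ValueError(f"not an SRV answer line: {line!r}")
        prio, weight, port = (int(f) for f in fields[4:7])
        records.append(SrvRecord(prio, weight, port, fields[7].rstrip(".")))
    return records


def order_kdcs(records: list[SrvRecord], seed: int | None = None) -> list[tuple[str, int]]:
    """Order KDCs as RFC 2782 describes: lowest priority first; within one
    priority, weighted-random selection so higher-weight targets are tried
    first more often (zero-weight targets only when the draw is 0).
    `seed` makes the order reproducible for tests; a real resolver would not.
    """
    rng = random.Random(seed)
    ordered: list[tuple[str, int]] = []
    for prio in sorted({r.priority for r in records}):
        # RFC 2782: zero-weight entries go to the front of the group.
        group = sorted((r for r in records if r.priority == prio), key=lambda r: r.weight != 0)
        while group:
            point = rng.randint(0, sum(r.weight for r in group))
            running = 0
            for pick in group:
                running += pick.weight
                if running >= point:
                    break
            ordered.append((pick.target, pick.port))
            group.remove(pick)
    return ordered


# Constructed sample answer for a hypothetical IPA realm (not a real zone).
SAMPLE_ANSWER = """\
; dig-style output, constructed for this example
_kerberos._tcp.ipa.example.test. 86400 IN SRV 0 100 88 ipa1.ipa.example.test.
_kerberos._tcp.ipa.example.test. 86400 IN SRV 0 50 88 ipa2.ipa.example.test.
_kerberos._tcp.ipa.example.test. 86400 IN SRV 10 0 88 ipa-backup.ipa.example.test.
"""


if __name__ == "__main__":
    for name in kdc_srv_names("IPA.EXAMPLE.TEST"):
        print("expect query:", name)
    for target, port in order_kdcs(parse_srv_answers(SAMPLE_ANSWER), seed=7):
        print(f"try KDC {target}:{port}")
```

In a capture of the failing client, the interesting question is whether any query for these `_kerberos.*` names appears at all after the cross-realm TGT is returned: if none does, the client never got as far as locating an IPA KDC, which points at the client's Kerberos library rather than at the IPA side. The same names can be checked by hand with `dig SRV _kerberos._tcp.<realm>` from the Linux host that works.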

-- 
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project
