Re: [Freeipa-users] SSH using putty to IPA client

2016-11-28 Thread Alexander Bokovoy
On Mon, 28 Nov 2016, Troels Hansen wrote: Hi all. Just wanted to follow up on my recent findings in regards to IPA - AD trust and kerberos delegations, so we gave up on this, and just lived with it not working. In the end we ended up discovering that for kerberos trust delegation to work

Re: [Freeipa-users] SSH using putty to IPA client

2016-11-28 Thread Troels Hansen
Hi all. Just wanted to follow up on my recent findings in regards to IPA - AD trust and kerberos delegations, so we gave up on this, and just lived with it not working. In the end we ended up discovering that for kerberos trust delegation to work ldap/udp ingoing HAVE to be open on the IPA

Re: [Freeipa-users] SSH using putty to IPA client

2016-09-28 Thread Sumit Bose
On Wed, Sep 28, 2016 at 11:30:56AM +0200, Troels Hansen wrote: > > > Yes, this makes sense as well. If you are not in the forest root you > > first need a cross-realm TGT for your domain and the forest root. Then > > you need a cross-realm TGT for the forest root and the IPA domain. > > > > As a

Re: [Freeipa-users] SSH using putty to IPA client

2016-09-28 Thread Troels Hansen
> Yes, this makes sense as well. If you are not in the forest root you > first need a cross-realm TGT for your domain and the forest root. Then > you need a cross-realm TGT for the forest root and the IPA domain. > > As a next step you should see a request to the IPA KDC to get the actual >

Re: [Freeipa-users] SSH using putty to IPA client

2016-09-28 Thread Sumit Bose
On Wed, Sep 28, 2016 at 10:33:43AM +0200, Troels Hansen wrote: > > > - On Sep 28, 2016, at 10:06 AM, Sumit Bose sb...@redhat.com wrote: > > KRB5KRB_ERR_RESPONSE_TOO_BIG is an expected return code here. The > > Kerberos communication is typically started via UDP. But the PAC data in > > the

Re: [Freeipa-users] SSH using putty to IPA client

2016-09-28 Thread Troels Hansen
- On Sep 28, 2016, at 10:06 AM, Sumit Bose sb...@redhat.com wrote: > KRB5KRB_ERR_RESPONSE_TOO_BIG is an expected return code here. The > Kerberos communication is typically started via UDP. But the PAC data in > the ticket is typically larger than a single UDP packet. The KDC tells > the

Re: [Freeipa-users] SSH using putty to IPA client

2016-09-28 Thread Sumit Bose
On Wed, Sep 28, 2016 at 09:19:37AM +0200, Troels Hansen wrote: > > > - On Sep 26, 2016, at 1:30 PM, Sumit Bose sb...@redhat.com wrote: > > > About the DNS SRV records, did you add matching records for _udp as > > well? I'm not sure if the AD client will fallback to _tcp if they are > >

Re: [Freeipa-users] SSH using putty to IPA client

2016-09-28 Thread Troels Hansen
- On Sep 26, 2016, at 1:30 PM, Sumit Bose sb...@redhat.com wrote: > About the DNS SRV records, did you add matching records for _udp as > well? I'm not sure if the AD client will fallback to _tcp if they are > missing or just stop? > Ok, finally got some time to debug this. tcpdump'ing

Re: [Freeipa-users] SSH using putty to IPA client

2016-09-26 Thread Troels Hansen
- On Sep 26, 2016, at 1:30 PM, Sumit Bose sb...@redhat.com wrote: > > Do you see any log messages in the krb5kdc.log on the IPA server? If it > is not the firewall I would suggest to record the IP traffic of the AD > client and check what it tries to do after the AD DC sends the >

Re: [Freeipa-users] SSH using putty to IPA client

2016-09-26 Thread Sumit Bose
On Mon, Sep 26, 2016 at 01:11:49PM +0200, Troels Hansen wrote: > > > - On Sep 26, 2016, at 10:18 AM, Sumit Bose sb...@redhat.com wrote: > > > > > Have you checked the firewalls? AD clients must be able to talk to the > > KDC port (88 udp and tcp) on the IPA servers to get service tickets

Re: [Freeipa-users] SSH using putty to IPA client

2016-09-26 Thread Alexander Bokovoy
On Mon, 26 Sep 2016, Troels Hansen wrote: - On Sep 26, 2016, at 10:18 AM, Sumit Bose sb...@redhat.com wrote: Have you checked the firewalls? AD clients must be able to talk to the KDC port (88 udp and tcp) on the IPA servers to get service tickets for IPA hosts. KDC ports seem to

Re: [Freeipa-users] SSH using putty to IPA client

2016-09-26 Thread Sumit Bose
On Mon, Sep 26, 2016 at 09:25:46AM +0200, Troels Hansen wrote: > After we installed a new set of IPA servers for prod, and joined AD using > username and password to have AD create a correct suffix routing everything > seems to work, and the suffix routing is created correctly on AD. > >