I tried the GPO and that actually worked, thanks Robert. I had to specify
all the subdomains we use as well in the value field (we have IPA-clients
in several subdomains of ). It appears my issue is solved.
Looking forward to hearing what the Microsoft guys say.
On 21 June 2017 at 00:41, Alexander Bokovoy <abokovoy(a)redhat.com> wrote:
On ti, 20 kesä 2017, Robert Johnson wrote:
> I ran into this exact same problem with my IPA domain in a one-way
> external trust to our Windows 2012 R2 AD forest. It appears that Microsoft
> may have removed the routing suffix option from the Windows 2012 R2 native
> forest trust GUI. My solution was to follow the instructions in the "Define
> host name-to-Kerberos realm mappings" section of this document from
> Microsoft:
>
> https://support.microsoft.com/en-us/help/947706/windows-server-2008-group-policy-settings-for-interoperability-with-non-microsoft-kerberos-realms
>
This document is not about the type of trust FreeIPA is using in the case
of an external trust to AD (nor in a normal cross-forest trust).
>
> Assuming the IPA realm name is the same as the domain name you would use:
> Value Name: I.RDMEDIA.COM
> Value: .i.rdmedia.com (Notice the period at the beginning of the
> domain name)
>
> I applied the GPO to all of my workstations (not the servers) but I don't
> see any harm across all the windows systems.
>
It looks like the GPO change is more of a Kerberos settings modification
on the AD side that is basically equivalent to krb5.conf's [domain_realm]
section and is not really related to the technology of the trust.
BTW, I reproduced the original issue in a lab at the interop here at
Microsoft HQ and I'm going to talk to Microsoft guys to find out what is
happening there in reality.
> Rob Johnson
>
> On Tue, Jun 20, 2017 at 3:04 PM, Alexander Bokovoy via FreeIPA-users <
> freeipa-users(a)lists.fedorahosted.org> wrote:
>
>> On ti, 20 kesä 2017, Tiemen Ruiten via FreeIPA-users wrote:
>>> Please see the attached screenshot for the Trust settings, and thank you
>>> for your time.
>>
>> Thanks. I'm not sure why that is happening even for the immediate forest
>> root domain that i.rdmedia.com is. I'll check with Microsoft doc help
>> team while here at the Redmond Interop 2017.
>>
>> --
>> / Alexander Bokovoy
>> _______________________________________________
>> FreeIPA-users mailing list -- freeipa-users(a)lists.fedorahosted.org
>> To unsubscribe send an email to freeipa-users-leave(a)lists.fedorahosted.org
>>
--
/ Alexander Bokovoy
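The thread equates the GPO host-name-to-realm mapping with krb5.conf's [domain_realm] section. The following is an added illustration, not code from the thread or from FreeIPA: it implements the MIT krb5-style [domain_realm] suffix walk for the I.RDMEDIA.COM / .i.rdmedia.com entry Rob gives, and builds the per-subdomain entry list Tiemen says he needed on the Windows side. The hostnames are constructed, and the one-entry-per-parent-domain behaviour of the GPO is an assumption taken from Tiemen's report, not documented behaviour.

```python
# Added example (not from the thread): krb5.conf [domain_realm] equivalent
# of the GPO entry "Value Name: I.RDMEDIA.COM / Value: .i.rdmedia.com".
from typing import Dict, List, Optional

DOMAIN_REALM: Dict[str, str] = {
    ".i.rdmedia.com": "I.RDMEDIA.COM",
}


def host_realm(hostname: str, domain_realm: Dict[str, str]) -> Optional[str]:
    """Resolve a hostname to a realm the way MIT krb5 walks [domain_realm]:
    exact hostname first, then each parent domain with a leading dot,
    longest suffix first. Returns None when nothing matches (the client
    would then fall back to its default realm)."""
    host = hostname.rstrip(".").lower()
    if host in domain_realm:
        return domain_realm[host]
    labels = host.split(".")
    for i in range(1, len(labels)):
        suffix = "." + ".".join(labels[i:])
        if suffix in domain_realm:
            return domain_realm[suffix]
    return None


def unresolved_hosts(hosts: List[str], domain_realm: Dict[str, str]) -> List[str]:
    """Hosts that fall through the mapping: the symptom in the thread, where
    AD clients did not route requests for IPA hosts to the IPA realm."""
    return [h for h in hosts if host_realm(h, domain_realm) is None]


def per_subdomain_entries(hosts: List[str], realm: str) -> Dict[str, str]:
    """One explicit entry per immediate parent domain of each host.
    Assumption (from Tiemen's report, not documented): the GPO mapping only
    matches a host's immediate parent domain, so every subdomain that holds
    IPA clients must be listed in the value field."""
    return {"." + h.lower().split(".", 1)[1]: realm for h in hosts}


# Constructed hostnames: IPA clients in several subdomains plus one AD host.
HOSTS = [
    "ipa1.i.rdmedia.com",
    "web01.lab.i.rdmedia.com",
    "db02.dev.i.rdmedia.com",
    "pc.corp.example.com",  # constructed AD-side host, must not map to IPA
]

if __name__ == "__main__":
    for h in HOSTS:
        print(f"{h:26} -> {host_realm(h, DOMAIN_REALM)}")
    print(per_subdomain_entries(HOSTS[:3], "I.RDMEDIA.COM"))
```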