On ma, 11 maalis 2019, Callum Smith via FreeIPA-users wrote:
Dear IPA Gurus
I have a client that's incapable of joining the FreeIPA realm, it's in
a different DNS sub-zone but is in the same realm. I get the feeling
that there's a kerberos principal missing somewhere to get this all to
work, but I can't quite see where it might be. Simple authentication
ldapsearch using cn=Directory Manager functions perfectly well to the
ipa host in question, however anonymous binds are disabled. I'm not
clear why this wouldn't be working.
From the above it is unclear what your problem is.
Can you show what exactly is failing? ipa-client-install is failing?
Show logs from /var/log/ipaclient-install.log. You aren't using FreeIPA
enrollment? How exactly did you try to enroll that client? Show sequence
of commands you ran.
It is not easy to help with no logs and exact steps tried.
--
/ Alexander Bokovoy
Sr. Principal Software Engineer
Security / Identity Management Engineering
Red Hat Limited, Finland