Good morning,

I have recently set up an environment with FreeIPA 4.6.4-10 using CentOS 7 as the IPA Master. After setting up, I joined the IPA master to the local AD and everything seemed to work fine.

The issue I'm facing is that after adding the external and POSIX groups, I can authenticate to the IPA Master as an AD user, but the server with the IPA client doesn't appear to be able to authenticate AD users.

The client server is unable to run getent or kinit against any AD user and returns 'Cannot find KDC for realm "<ad domain>"...'

From the krb5kdc log I can see what looks to be an issue with the TGS request, and the errors TGS_REQ ISSUE: authtime as well as AS_REQ: NEEDED_PREAUTH additional preauth required.

I have enabled debug logs for SSSD but nothing except sigterms has been logged so far.

Please let me know if I can send any logs.

Kind regards,
HP