FWIW on your EL7 ipa-server you can find the krb-ad stuff under /var/lib/sss/pubconf/ and
/var/lib/sss/pubconf/krb5.include.d/.
Like Alexander says, this config should be reflected in the ipa client's krb config.
HTH
D
‐‐‐‐‐‐‐ Original Message ‐‐‐‐‐‐‐
On Thursday, April 18, 2019 8:23 AM, Alexander Bokovoy via FreeIPA-users
<freeipa-users(a)lists.fedorahosted.org> wrote:
On Thu, 18 Apr 2019, Henry Pelke via FreeIPA-users wrote:
> Good morning,
> I have recently set up an environment with FreeIPA 4.6.4-10 using CentOS 7
> as the IPA Master. After setting up I joined the IPA master to the local AD
> and everything seemed to work fine.
> The issue I'm facing is that after adding the external and POSIX groups I
> can authenticate to the IPA Master as an AD user but the server with the
> IPA client doesn't appear to be able to authenticate AD users.
> The client server is unable to run getent or kinit against any AD user and
> returns 'Cannot find KDC for realm "<ad domain>"...'
Make sure your clients have a Kerberos configuration (in krb5.conf or
/etc/krb5.conf.d/) that defines AD realms or allows discovering AD
realms from DNS.
--
/ Alexander Bokovoy
Sr. Principal Software Engineer
Security / Identity Management Engineering
Red Hat Limited, Finland
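
The client-side check suggested in the thread, written out as an added example (not code from the thread or from the FreeIPA project): it reports whether a given krb5.conf, together with the directories it pulls in via `includedir`, defines a realm statically or has DNS KDC discovery switched on. The function names, the `*.EXAMPLE.TEST` realms and the sample files are constructed; as an assumption of this check, only an explicit `dns_lookup_kdc` setting counts as DNS discovery.

```shell
#!/bin/sh
# Added example: how can a client's krb5 configuration locate KDCs for REALM?
# Prints: static (block in [realms]), dns (dns_lookup_kdc enabled), or none.
krb5_realm_source() {
    conf=$1; realm=$2
    set -- "$conf"
    # Follow 'includedir DIR' one level. Simplification: every regular file in
    # DIR is read, and DIR must not contain whitespace.
    for dir in $(awk '$1 == "includedir" { print $2 }' "$conf"); do
        for f in "$dir"/*; do
            if [ -f "$f" ]; then set -- "$@" "$f"; fi
        done
    done
    awk -v realm="$realm" '
        FNR == 1       { section = "" }     # simplification: parse each file on its own
        /^[ \t]*[#;]/  { next }             # comment line
        /^[ \t]*\[/    { gsub(/[ \t]|\[|\]/, ""); section = $0; next }
                       { gsub(/=/, " = ") } # tolerate "key=value"
        section == "realms" && $1 == realm && $2 == "=" && $3 == "{" { found = 1 }
        section == "libdefaults" && $1 == "dns_lookup_kdc" { dns = tolower($3) }
        END {
            if (found) print "static"
            else if (dns == "true" || dns == "yes" || dns == "on" || dns == "1") print "dns"
            else print "none"
        }' "$@"
}

# Constructed sample: a client that knows only its IPA realm, has DNS KDC
# discovery disabled, and includes an (empty) snippet directory.
make_sample() {
    d=$(mktemp -d); mkdir "$d/krb5.conf.d"
    {
        printf 'includedir %s/krb5.conf.d\n' "$d"
        printf '[libdefaults]\n default_realm = IPA.EXAMPLE.TEST\n'
        printf ' dns_lookup_kdc = false\n'
        printf '[realms]\n IPA.EXAMPLE.TEST = {\n  kdc = ipa1.ipa.example.test\n }\n'
    } > "$d/krb5.conf"
    printf '%s\n' "$d"
}

# Demo: report how the sample client would find KDCs for the trusted AD realm.
sample=$(make_sample)
echo "AD.EXAMPLE.TEST: $(krb5_realm_source "$sample/krb5.conf" AD.EXAMPLE.TEST)"
rm -rf "$sample"
```

A result of `none` for the AD realm matches the situation in the thread, where the client reports that it cannot find a KDC for that realm.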