On Mon, Apr 26, 2021 at 08:32:51AM -0000, iulian roman via FreeIPA-users wrote:
> I checked /etc/krb5.conf and it is mapped. I have tried as well the
> below scenario, which might help in troubleshooting:

Hi,

so if you have a line

    example.local = IPADEV.EXAMPLE.LOCAL

this is wrong, it should be

    example.local = EXAMPLE.LOCAL

i.e. ask a DC from EXAMPLE.LOCAL for services in the example.local DNS
domain.

HTH

bye,
Sumit

> - If I configure trust with a different AD domain (the one created for test, with only
> one DC behind AD domain), the same IPA domain works properly. The only difference is that
> in sssd logs I do not see any reference to
> ldap/dccontroller.example.local@IPADEV.EXAMPLE.LOCAL and no GSSAPI errors, it seems it
> does not ask for that ldap service Kerberos ticket at all, or is asking for a different
> service ticket.
>
> Another difference between the PRD environment and TEST environment is: ipa domain is
> a subdomain for the main AD domain (IPA domain is ipadev.example.local and the AD domain
> is example.local), but for the test AD I have ipa domain ipadev.example.local and AD
> domain is example.intern (therefore no domain/subdomain relationship between them).
>
> The test AD domain I tried (and which works) does use Windows Server 2012 and the main AD
> domain (which does not work) uses a mix of Windows Server 2012 and Windows Server 2016
> operating systems.
>
> There might be other differences as well, but I do not know exactly where to look into (I
> do not manage the AD).
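
Added example, not part of the original message: a Python model of the `[domain_realm]` lookup order given in the MIT krb5.conf documentation (full host name, then shorter suffixes with and without a leading dot), showing how the mapping line discussed above changes the realm of the requested `ldap/` principal. The config text and the host `ipa1.ipadev.example.local` are constructed, and this is a sketch, not libkrb5 or SSSD code.

```python
# Model of the documented [domain_realm] lookup; sample configs are constructed.
BASE = """[domain_realm]
.ipadev.example.local = IPADEV.EXAMPLE.LOCAL
ipadev.example.local = IPADEV.EXAMPLE.LOCAL
"""
WRONG = BASE + "example.local = IPADEV.EXAMPLE.LOCAL\n"  # line called wrong in the reply
FIXED = BASE + "example.local = EXAMPLE.LOCAL\n"         # line suggested in the reply


def parse_domain_realm(conf_text):
    """Return the {name: REALM} entries of the [domain_realm] section."""
    mapping, in_section = {}, False
    for raw in conf_text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":      # blank line or comment
            continue
        if line.startswith("["):
            in_section = line.lower() == "[domain_realm]"
        elif in_section and "=" in line:
            name, realm = (part.strip() for part in line.split("=", 1))
            mapping[name.lower()] = realm
    return mapping


def realm_for_host(host, mapping):
    """Try host, then .suffix / suffix pairs, from longest to shortest."""
    candidate = host.lower().rstrip(".")
    while candidate:
        if candidate in mapping:
            return mapping[candidate]
        if candidate.startswith("."):
            candidate = candidate[1:]                 # ".b.c" -> "b.c"
        else:
            dot = candidate.find(".")
            candidate = candidate[dot:] if dot != -1 else ""  # "a.b.c" -> ".b.c"
    return None  # no entry: the library then relies on referrals or other fallbacks


def ldap_principal(host, conf_text):
    """Service principal a client would request for LDAP on this host."""
    return f"ldap/{host}@{realm_for_host(host, parse_domain_realm(conf_text))}"


if __name__ == "__main__":
    for label, conf in (("wrong", WRONG), ("fixed", FIXED)):
        print(label, ldap_principal("dccontroller.example.local", conf))
```

With the first mapping the AD domain controller is looked up in the IPA realm, which matches the principal quoted from the sssd logs; hosts under `ipadev.example.local` resolve to the IPA realm in both cases.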