https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/Windows_Integration_Guide/trust-requirements.html#trust-req-ports
These ports are required for trust. Is port 88 required to be open from the IPA client to AD?

On Mon, Oct 10, 2016 at 5:23 AM, rajat gupta <[email protected]> wrote:
> Hi,
>
> I am trying to set up the FreeIPA Active Directory trust and I am following the http://www.freeipa.org/page/Active_Directory_trust_setup documentation.
>
> I am able to log in on the FreeIPA server with AD users.
>
> But when I am trying to log in with some other IPA client machine I am not able to log in with an AD user.
>
> The required firewall ports are opened between the FreeIPA server and the AD server and between the FreeIPA server and the FreeIPA clients.
>
> There is no firewall port opened between the FreeIPA client and the AD server.
>
> =================================================================
> against addomain from ipaserver :-
>
> ipa01 ~]# KRB5_TRACE=/dev/stdout kinit [email protected]
> [24633] 1476069033.462976: Resolving unique ccache of type KEYRING
> [24633] 1476069033.463027: Getting initial credentials for [email protected]
> [24633] 1476069033.465229: Sending request (183 bytes) to AD.ADDOMAIN.COM
> [24633] 1476069033.471891: Resolving hostname ad1.ad.addomain.com
> [24633] 1476069033.474439: Sending initial UDP request to dgram 192.168.20.100:88
> [24633] 1476069033.487765: Received answer (212 bytes) from dgram 192.168.20.100:88
> [24633] 1476069033.488098: Response was not from master KDC
> [24633] 1476069033.488136: Received error from KDC: -1765328359/Additional pre-authentication required
> [24633] 1476069033.488179: Processing preauth types: 16, 15, 19, 2
> [24633] 1476069033.488192: Selected etype info: etype aes256-cts, salt "AD.ADDOMAIN.COMRajat.Gupta", params ""
> [24633] 1476069033.488215: PKINIT client has no configured identity; giving up
> [24633] 1476069033.488233: PKINIT client has no configured identity; giving up
> [24633] 1476069033.488242: Preauth module pkinit (16) (real) returned: 22/Invalid argument
> [24633] 1476069033.488250: PKINIT client has no configured identity; giving up
> [24633] 1476069033.488255: Preauth module pkinit (14) (real) returned: 22/Invalid argument
> Password for [email protected]:
>
> this is working fine.
> =================================================================
>
>
> =================================================================
> against addomain from ipaclinet :-
>
> ipaclinet ~] # KRB5_TRACE=/dev/stdout kinit [email protected]
> [4133] 1476067599.43421: Getting initial credentials for [email protected]
> [4133] 1476067599.43599: Sending request (183 bytes) to AD.ADDOMAIN.COM
> [4133] 1476067599.49544: Resolving hostname ad1.ad.addomain.com.
> [4133] 1476067599.53762: Sending initial UDP request to dgram 192.168.20.100
>
> NOT WORKING
> =================================================================
>
> =================================================================
> against ipdomain from ipaclinet
>
> # KRB5_TRACE=/dev/stdout kinit [email protected]
> [4914] 1476068067.763574: Getting initial credentials for [email protected]
> [4914] 1476068067.763889: Sending request (177 bytes) to IPA.IPASERVER.LOCAL
> [4914] 1476068067.764033: Initiating TCP connection to stream 10.246.104.14:88
> [4914] 1476068067.765089: Sending TCP request to stream 192.168.100.100:88
> [4914] 1476068067.767593: Received answer (356 bytes) from stream 192.168.100.100:88
> [4914] 1476068067.767603: Terminating TCP connection to stream 192.168.100.100:88
> [4914] 1476068067.767661: Response was from master KDC
> [4914] 1476068067.767685: Received error from KDC: -1765328359/Additional pre-authentication required
> [4914] 1476068067.767730: Processing preauth types: 136, 19, 2, 133
> [4914] 1476068067.767742: Selected etype info: etype aes256-cts, salt "k},(k&+qA)Mosf6z", params ""
> [4914] 1476068067.767747: Received cookie: MIT
> Password for [email protected]:
>
> this is working fine.
> =================================================================
>
>
> It looks like, for password-based authentication requests, the IPA clients connect directly to the AD servers using Kerberos.
>
> Then a firewall port opening is required between the IPA client and the AD server as well. Is it required? Or am I doing something wrong?
>
> /Rajat
>
> --
> Rajat Gupta

--
Rajat Gupta
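The three traces quoted above differ in one detail that is easy to miss: on the IPA server and against the IPA realm, every "Sending ... request to <ip>:88" line is followed by a "Received answer ... from <ip>:88" line, while on the IPA client the trace stops right after the request to 192.168.20.100. The "Additional pre-authentication required" error in the working traces (-1765328359, KRB5KDC_ERR_PREAUTH_REQUIRED) is the KDC's normal first reply to an AS-REQ and shows the KDC was reached; it is not a failure. The following is an added example, not code from the thread or from the FreeIPA project: a small KRB5_TRACE triage script that pairs each request with its answer and names the KDC endpoints that never replied, which is the signature of a firewall or routing gap between a host and a KDC. The function names are this example's own, and the sample trace lines are constructed here, modelled on the ones quoted in the thread (the client sample carries the :88 port that the quoted line lacks).

```python
"""KRB5_TRACE triage: which KDC endpoints did kinit contact, and which never
answered?  Added example; the trace format is MIT krb5's, everything else
(function names, sample lines) is constructed for this demonstration."""
import re
import socket
from typing import Dict, List, Tuple

# One "Sending ... request to <ip>[:<port>]" line per KDC attempt.  kinit tries
# UDP first and falls back to TCP, so both transports are matched.
SEND_RE = re.compile(
    r"Sending (?:initial )?(?P<proto>UDP|TCP) request to (?:dgram|stream) "
    r"(?P<ip>[\d.]+)(?::(?P<port>\d+))?"
)
# The matching reply, present only if the packet got through and back.
RECV_RE = re.compile(
    r"Received answer \((?P<n>\d+) bytes\) from (?:dgram|stream) "
    r"(?P<ip>[\d.]+):(?P<port>\d+)"
)
# -1765328359 is KRB5KDC_ERR_PREAUTH_REQUIRED: the KDC's normal first reply to
# an AS-REQ that carries no pre-authentication data.  Seeing it proves the KDC
# is reachable; it is not the failure it looks like.
PREAUTH_MARK = "Additional pre-authentication required"

Endpoint = Tuple[str, str]  # (ip, port)


def parse_trace(trace: str) -> Dict[Endpoint, Dict[str, int]]:
    """Count requests sent to and answers received from each KDC endpoint."""
    stats: Dict[Endpoint, Dict[str, int]] = {}
    for line in trace.splitlines():
        m = SEND_RE.search(line)
        if m:
            # 88 is Kerberos' registered port; used when the trace omits it.
            key = (m.group("ip"), m.group("port") or "88")
            stats.setdefault(key, {"sent": 0, "answered": 0})["sent"] += 1
            continue
        m = RECV_RE.search(line)
        if m:
            key = (m.group("ip"), m.group("port"))
            stats.setdefault(key, {"sent": 0, "answered": 0})["answered"] += 1
    return stats


def unanswered_kdcs(trace: str) -> List[str]:
    """Endpoints kinit sent to but never heard back from: the firewall signature."""
    return [f"{ip}:{port}" for (ip, port), s in parse_trace(trace).items()
            if s["sent"] and not s["answered"]]


def preauth_negotiated(trace: str) -> bool:
    """True when the KDC replied with KDC_ERR_PREAUTH_REQUIRED (a healthy sign)."""
    return PREAUTH_MARK in trace


def diagnose(trace: str) -> str:
    """One-line verdict for an operator reading a kinit trace."""
    if not parse_trace(trace):
        return "no KDC traffic in trace"
    missing = unanswered_kdcs(trace)
    if missing:
        return ("no answer from " + ", ".join(missing)
                + " (check firewall/routing between this host and the KDC)")
    return "reachable" if preauth_negotiated(trace) else "answered"


def check_tcp_port(host: str, port: int = 88, timeout: float = 3.0) -> bool:
    """Live check, not used by the offline samples below: can this host open
    TCP <port> to the KDC?  Kerberos also needs UDP 88; this probes only TCP."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


# Constructed samples modelled on the traces quoted in the thread: the IPA
# server gets an answer from the AD DC, the IPA client does not.
SERVER_TRACE = """\
[24633] 1476069033.465229: Sending request (183 bytes) to AD.ADDOMAIN.COM
[24633] 1476069033.471891: Resolving hostname ad1.ad.addomain.com
[24633] 1476069033.474439: Sending initial UDP request to dgram 192.168.20.100:88
[24633] 1476069033.487765: Received answer (212 bytes) from dgram 192.168.20.100:88
[24633] 1476069033.488136: Received error from KDC: -1765328359/Additional pre-authentication required
"""
CLIENT_TRACE = """\
[4133] 1476067599.43599: Sending request (183 bytes) to AD.ADDOMAIN.COM
[4133] 1476067599.49544: Resolving hostname ad1.ad.addomain.com.
[4133] 1476067599.53762: Sending initial UDP request to dgram 192.168.20.100:88
"""
IPA_TRACE = """\
[4914] 1476068067.765089: Sending TCP request to stream 192.168.100.100:88
[4914] 1476068067.767593: Received answer (356 bytes) from stream 192.168.100.100:88
[4914] 1476068067.767685: Received error from KDC: -1765328359/Additional pre-authentication required
"""

if __name__ == "__main__":
    for name, trace in (("ipaserver -> AD", SERVER_TRACE),
                        ("ipaclient -> AD", CLIENT_TRACE),
                        ("ipaclient -> IPA", IPA_TRACE)):
        print(f"{name}: {diagnose(trace)}")
```

Feed it a real trace with `KRB5_TRACE=/dev/stdout kinit user@REALM 2>&1 | python3 triage.py` after replacing the sample strings with `sys.stdin.read()`; the verdict names the exact KDC address and port to look for in the firewall rules, and `check_tcp_port` gives a quick live confirmation from the affected host.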
-- Manage your subscription for the Freeipa-devel mailing list: https://www.redhat.com/mailman/listinfo/freeipa-devel Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
