On Mon, Sep 26, 2016 at 01:11:49PM +0200, Troels Hansen wrote:
> ----- On Sep 26, 2016, at 10:18 AM, Sumit Bose [email protected] wrote:
> > Have you checked the firewalls? AD clients must be able to talk to the
> > KDC port (88 udp and tcp) on the IPA servers to get service tickets for
> > IPA hosts.
>
> KDC ports seem to work.... Besides, I don't have a TGT for the IPA (LX)
> domain until I try to SSH to it. I guess I shouldn't be able to if KDC
> traffic was blocked?
The cross-realm TGT 'krbtgt/LX.DR.DK @ PLACE.DR.DK' is issued by the AD DC. So this is not an indication that the IPA KDC can be reached by the AD client. Do you see any log messages in the krb5kdc.log on the IPA server? If it is not the firewall I would suggest recording the IP traffic of the AD client and checking what it tries to do after the AD DC sends the cross-realm TGT.

About the DNS SRV records, did you add matching records for _udp as well? I'm not sure if the AD client will fall back to _tcp if they are missing or just stop.

HTH

bye,
Sumit
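One way to check for the _udp gap and the KDC port reachability Sumit asks about, as an added example that is not part of this thread: it parses SRV record lines in the shape `dig` prints them and reports every _kerberos/_kpasswd _tcp target that has no matching _udp record, plus a TCP probe of port 88. The zone name and record lines are constructed placeholders, not the poster's real records.

```python
import re
import socket
from collections import defaultdict

# Constructed sample in `dig SRV` answer-section shape; ipa2 deliberately lacks a _udp record.
SAMPLE_SRV_RECORDS = """\
_kerberos._tcp.lx.example.test. 0 100 88 ipa1.lx.example.test.
_kerberos._tcp.lx.example.test. 0 100 88 ipa2.lx.example.test.
_kerberos._udp.lx.example.test. 0 100 88 ipa1.lx.example.test.
_kpasswd._tcp.lx.example.test.  0 100 464 ipa1.lx.example.test.
"""

# owner name: _service._proto.zone, then priority weight port target
SRV_RE = re.compile(
    r"^(?P<service>_\w+)\.(?P<proto>_tcp|_udp)\.(?P<zone>\S+)\s+\d+\s+\d+\s+(?P<port>\d+)\s+(?P<target>\S+)$"
)


def parse_srv(text):
    """Return {(service, proto): {(target, port), ...}} from SRV record lines."""
    records = defaultdict(set)
    for line in text.splitlines():
        m = SRV_RE.match(line.strip())
        if m:
            records[(m["service"], m["proto"])].add((m["target"], int(m["port"])))
    return records


def missing_udp(records):
    """For each Kerberos _tcp SRV target, list the ones with no matching _udp record."""
    missing = {}
    for (service, proto), targets in records.items():
        if proto != "_tcp" or service not in ("_kerberos", "_kpasswd"):
            continue
        gap = sorted(targets - records.get((service, "_udp"), set()))
        if gap:
            missing[service] = gap
    return missing


def kdc_tcp_reachable(host, port=88, timeout=3.0):
    """True if a TCP connection to the KDC port opens; UDP/88 needs a real AS-REQ to probe."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


if __name__ == "__main__":
    for service, gap in missing_udp(parse_srv(SAMPLE_SRV_RECORDS)).items():
        for target, port in gap:
            print(f"{service}: {target}:{port} has a _tcp SRV record but no _udp one")
```

Run it against `dig +noall +answer SRV _kerberos._tcp.<zone>` output for the IPA zone (and the _udp query) to see whether the AD client can find both transports.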
