On Wed, Sep 28, 2016 at 11:30:56AM +0200, Troels Hansen wrote:
> > Yes, this makes sense as well. If you are not in the forest root you
> > first need a cross-realm TGT for your domain and the forest root. Then
> > you need a cross-realm TGT for the forest root and the IPA domain.
> >
> > As a next step you should see a request to the IPA KDC to get the actual
> > service ticket for the host in the IPA domain.
>
> Yes, this is the traffic that's never seen in the capture.
> It seems Windows (PuTTY) never asks for a host ticket for the IPA host. I
> receive the krbtgt for the IPA domain, but never see any traffic from the
> Windows client to IPA, and thus never receive the host ticket on the
> Windows client.
Please check the other traffic on the client after receiving the cross-realm
ticket for the IPA domain. Since the client gets the name of the IPA realm from
the AD DC in the last response, I would expect that it will try some DNS SRV
lookups to find a KDC in the IPA realm.

HTH

bye,
Sumit

> I'm not at all sure how Kerberos works in PuTTY, but it seems it uses its own
> Kerberos libraries and that these fail.
>
> A Linux box not joined to IPA, just installed with Kerberos and using DNS
> config in krb5.conf, can kinit in the NET domain and ssh to IPA using
> Kerberos just fine, so it seems the problem just relates to PuTTY.

-- 
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project
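The DNS SRV lookups Sumit mentions, which a Kerberos client performs to locate a KDC for the IPA realm after it receives the cross-realm ticket, can be reproduced by hand. The following is an added example, not code from the thread or from FreeIPA: it builds the `_kerberos._udp.<realm>` / `_kerberos._tcp.<realm>` SRV query a client sends and parses the reply with only the Python standard library; the realm and resolver address handed to `query_srv` are placeholders you supply.

```python
import socket
import struct

def kdc_srv_names(realm):
    """SRV names a Kerberos client queries to locate the KDCs of a realm."""
    return ["_kerberos._%s.%s" % (proto, realm.lower().strip(".")) for proto in ("udp", "tcp")]

def build_srv_query(name, txid=0x1234):
    """Encode a recursive (RD=1) DNS query for one SRV record name: type 33, class IN."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    qname = b"".join(bytes([len(lab)]) + lab.encode() for lab in name.split(".")) + b"\x00"
    return header + qname + struct.pack("!HH", 33, 1)

def read_name(data, off):
    """Decode a possibly compressed DNS name; return (name, offset just after it)."""
    labels, end = [], None
    while data[off] != 0:
        if data[off] & 0xC0 == 0xC0:  # compression pointer: follow it, keep our return point
            end = off + 2 if end is None else end
            off = struct.unpack("!H", data[off:off + 2])[0] & 0x3FFF
        else:
            labels.append(data[off + 1:off + 1 + data[off]].decode())
            off += 1 + data[off]
    return ".".join(labels), (off + 1 if end is None else end)

def parse_srv_response(data):
    """Return sorted [(priority, weight, port, target)] from a DNS response packet."""
    _, flags, qd, an = struct.unpack("!HHHH", data[:8])
    if flags & 0x000F:  # non-zero RCODE (e.g. NXDOMAIN): no KDC advertised under this name
        return []
    off = 12
    for _ in range(qd):  # skip the echoed question section (name + type + class)
        off = read_name(data, off)[1] + 4
    records = []
    for _ in range(an):
        off = read_name(data, off)[1]
        rtype, _, _, rdlen = struct.unpack("!HHIH", data[off:off + 10])
        off += 10
        if rtype == 33:  # SRV: priority, weight, port, then the KDC host name
            prio, weight, port = struct.unpack("!HHH", data[off:off + 6])
            records.append((prio, weight, port, read_name(data, off + 6)[0]))
        off += rdlen
    return sorted(records)

def query_srv(name, resolver, timeout=3.0):
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:  # plain UDP to resolver:53
        s.settimeout(timeout)
        s.sendto(build_srv_query(name), (resolver, 53))
        return parse_srv_response(s.recv(4096))
```

`query_srv` needs the client's resolver to be reachable; `parse_srv_response` can also be fed a DNS reply exported from the capture to see which KDC names and ports, if any, were returned to the client.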
