On Wed, Aug 30, 2017 at 10:45:11AM -0000, bogusmaster--- via FreeIPA-users wrote:
The behavior that I described above pertains to Windows 2008 R2. When I attempt to do exactly the same with AD set up on top of Windows 2012, it works flawlessly. Unfortunately, the environment I have to set up the trust with uses Windows 2008 R2. I am wondering what might be the difference between these two versions that prevents the trust from working in the case of Windows 2008 R2.
Can you send the KRB5_TRACE output for the 2012 case as well? What looks suspicious to me in the 2008R2 output is:
TGS reply is for testuser@DOMAIN.COM -> krbtgt/ipa.domain.com@DOMAIN.COM with session key aes256-cts/C0B1
I would expect krbtgt/IPA.DOMAIN.COM@DOMAIN.COM here. AD typically does not care about case in Kerberos principals, but IPA's MIT Kerberos KDC does (because the RFC says Kerberos is case-sensitive).
bye, Sumit
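
A small check for the mismatch pointed out above, as an added example that is not part of the original message: it scans KRB5_TRACE lines of the form quoted in the reply and reports cross-realm TGT principals whose realm component matches the expected realm only when case is ignored. The function names are hypothetical, and the sample lines other than the quoted one are constructed.

```python
import re

# Shape of the KRB5_TRACE message quoted in the reply above.
TGS_REPLY = re.compile(
    r"TGS reply is for (?P<client>\S+) -> (?P<server>\S+) with session key")

# First line is the one quoted on the page; the other two are constructed.
SAMPLE_TRACE = [
    "TGS reply is for testuser@DOMAIN.COM -> krbtgt/ipa.domain.com@DOMAIN.COM with session key aes256-cts/C0B1",
    "TGS reply is for testuser@DOMAIN.COM -> krbtgt/IPA.DOMAIN.COM@DOMAIN.COM with session key aes256-cts/0000",
    "TGS reply is for testuser@DOMAIN.COM -> host/client.ipa.domain.com@IPA.DOMAIN.COM with session key aes256-cts/0000",
]


def split_principal(principal):
    """Split 'name/instance@REALM' into (components, realm).

    Simplified: assumes no escaped '/' or '@' inside the components.
    """
    name, _, realm = principal.rpartition("@")
    return name.split("/"), realm


def check_trace(lines, target_realm):
    """Report cross-realm TGTs naming target_realm in the wrong case."""
    findings = []
    for lineno, line in enumerate(lines, 1):
        m = TGS_REPLY.search(line)
        if not m:
            continue
        comps, issuing_realm = split_principal(m.group("server"))
        if len(comps) != 2 or comps[0] != "krbtgt":
            continue  # not a ticket-granting ticket
        got = comps[1]
        # Exact match is fine; a match only after lowercasing is the
        # case mismatch a case-sensitive KDC will not accept.
        if got != target_realm and got.lower() == target_realm.lower():
            findings.append({
                "line": lineno,
                "got": m.group("server"),
                "expected": f"krbtgt/{target_realm}@{issuing_realm}",
            })
    return findings


if __name__ == "__main__":
    for f in check_trace(SAMPLE_TRACE, "IPA.DOMAIN.COM"):
        print(f"line {f['line']}: got {f['got']}, expected {f['expected']}")
```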