I have an IPA domain with an AD trust. id ad_users@ad_domain works. su ad_users@ad_domain works. kinit ad_users@ad_domain doesn't work on Ubuntu but works on CentOS 7. What? /etc/krb5.conf is the same. The IPA servers run on CentOS 7. The IPA clients run on Ubuntu 14.04 or 16.04. I also can't get access from AD member Windows machines to Samba shares on IPA member Linux machines.
What can I do?
Oh, I forgot to mention the error! For kinit of an AD user I get: kinit: KDC reply did not match expectations while getting initial credentials
My krb5.conf:
includedir /var/lib/sss/pubconf/krb5.include.d/
[libdefaults]
  default_realm = FS.LAN
  dns_lookup_realm = true
  dns_lookup_kdc = true
  rdns = false
  ticket_lifetime = 24h
  dns_canonicalize_hostname = false
  forwardable = true
  udp_preference_limit = 0
  default_ccache_name = KEYRING:persistent:%{uid}

[realms]
  FS.LAN = {
    pkinit_anchors = FILE:/etc/ipa/ca.crt
  }

[domain_realm]
  .fs.lan = FS.LAN
  fs.lan = FS.LAN
On Wed, Jan 03, 2018 at 07:56:57PM +0700, Николай Савельев via FreeIPA-users wrote:
> Oh, I forgot to mention the error! For kinit of an AD user I get: kinit: KDC reply did not match expectations while getting initial credentials
Then using 'kinit -C ...' or 'canonicalize = true' in krb5.conf should help.
bye, Sumit
> -- Best regards, Nikolay.
_______________________________________________
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-leave@lists.fedorahosted.org
On Wed, 03 Jan 2018, Sumit Bose via FreeIPA-users wrote:
> On Wed, Jan 03, 2018 at 07:56:57PM +0700, Николай Савельев via FreeIPA-users wrote:
> > Oh, I forgot to mention the error! For kinit of an AD user I get: kinit: KDC reply did not match expectations while getting initial credentials
> Then using 'kinit -C ...' or 'canonicalize = true' in krb5.conf should help.
A bit of caution: Ubuntu may use Heimdal, and its parser for krb5.conf does not know about the 'canonicalize' option at all, so you'd always have to use 'kinit --canonicalize' when running with Heimdal.
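As an added example, not code from this thread or from the FreeIPA project: a small POSIX shell check for the MIT-side half of the advice above. It inspects whether a krb5.conf requests principal canonicalization in [libdefaults] (the 'canonicalize' key, which is a different setting from the 'dns_canonicalize_hostname' key already in the poster's config) and adds it if missing. The sample config it operates on is constructed here to resemble the poster's; the function names are this example's own. On a Heimdal client the key is ignored, so the check only tells you that plain 'kinit' without '-C' / '--canonicalize' would still fail there.

```shell
#!/bin/sh
# Added example (not from the thread): check whether an MIT-style krb5.conf
# requests principal canonicalization in [libdefaults], and add it if missing.
# 'canonicalize' is distinct from 'dns_canonicalize_hostname'; Heimdal ignores
# this key entirely, so on Heimdal clients 'kinit --canonicalize' is still needed.

# Write a constructed sample config resembling the poster's (no 'canonicalize')
# to the path given as $1.
make_sample_conf() {
    cat > "$1" <<'EOF'
includedir /var/lib/sss/pubconf/krb5.include.d/
[libdefaults]
  default_realm = FS.LAN
  dns_canonicalize_hostname = false
  # canonicalize = true   (commented out: must not count as enabled)
[realms]
  FS.LAN = {
    pkinit_anchors = FILE:/etc/ipa/ca.crt
  }
[domain_realm]
  .fs.lan = FS.LAN
  fs.lan = FS.LAN
EOF
}

# Return 0 if [libdefaults] contains 'canonicalize = true', else 1.
# Only the [libdefaults] section is inspected; keys in other sections and
# commented-out lines are ignored.
krb5_canonicalize_enabled() {
    awk '
        /^[[:space:]]*\[/ { in_ld = ($0 ~ /^[[:space:]]*\[libdefaults\]/); next }
        in_ld && /^[[:space:]]*canonicalize[[:space:]]*=/ {
            val = $0
            sub(/^[^=]*=[[:space:]]*/, "", val)   # keep only the value
            sub(/[[:space:]#].*$/, "", val)       # drop trailing comment/space
            if (tolower(val) == "true") found = 1
        }
        END { exit found ? 0 : 1 }
    ' "$1"
}

# Insert 'canonicalize = true' right after the [libdefaults] header,
# creating the section if the file has none. Idempotent.
krb5_enable_canonicalize() {
    krb5_canonicalize_enabled "$1" && return 0
    tmp="$1.tmp.$$"
    awk '
        { print }
        /^[[:space:]]*\[libdefaults\]/ { print "  canonicalize = true"; seen = 1 }
        END { if (!seen) { print "[libdefaults]"; print "  canonicalize = true" } }
    ' "$1" > "$tmp" && mv "$tmp" "$1"
}

# Stand-alone demo on the constructed sample.
conf=$(mktemp)
make_sample_conf "$conf"
if krb5_canonicalize_enabled "$conf"; then
    echo "canonicalize already enabled in $conf"
else
    echo "canonicalize missing; adding it (plain kinit would otherwise need -C)"
    krb5_enable_canonicalize "$conf"
fi
krb5_canonicalize_enabled "$conf" && echo "now enabled"
rm -f "$conf"
```

Run it against a real client with `krb5_canonicalize_enabled /etc/krb5.conf` after sourcing the functions; the editing function is deliberately conservative (it only touches the header line of [libdefaults] and never rewrites an existing value), so review the diff before deploying the change fleet-wide.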