Hi All,

I am setting up a one-way trust from FreeIPA server to AD domain with a pre-shared key.

It seems that it was set up successfully but I cannot verify the Kerberos configuration when I follow the steps described here: https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/htm....

Although I successfuly kinit with a username from AD domain and obtain a ticket:

klist Ticket cache: KEYRING:persistent:0:0 Default principal: testuser@DOMAIN.COM

Valid starting Expires Service principal 08/22/2017 09:47:41 08/22/2017 19:47:41 krbtgt/DOMAIN.COM@DOMAIN.COM renew until 08/23/2017 09:47:34

I am not able to request service tickets for a service within IdM domain:

[root@idm1 ~]# KRB5_TRACE=/dev/stdout kvno -S host idm1.ipa.domain.com [16119] 1503409696.153004: Getting credentials testuser@DOMAIN.COM -> host/idm1.ipa.domain.com@IPA.DOMAIN.COM using ccache KEYRING:persistent:0:0 [16119] 1503409696.153288: Retrieving testuser@DOMAIN.COM -> host/idm1.ipa.domain.com@IPA.DOMAIN.COM from KEYRING:persistent:0:0 with result: -1765328243/Matching credential not found [16119] 1503409696.153422: Retrieving testuser@DOMAIN.COM -> krbtgt/IPA.DOMAIN.COM@IPA.DOMAIN.COM from KEYRING:persistent:0:0 with result: -1765328243/Matching credential not found [16119] 1503409696.153520: Retrieving testuser@DOMAIN.COM -> krbtgt/DOMAIN.COM@DOMAIN.COM from KEYRING:persistent:0:0 with result: 0/Success [16119] 1503409696.153536: Starting with TGT for client realm: testuser@DOMAIN.COM -> krbtgt/DOMAIN.COM@DOMAIN.COM [16119] 1503409696.153600: Retrieving testuser@DOMAIN.COM -> krbtgt/IPA.DOMAIN.COM@IPA.DOMAIN.COM from KEYRING:persistent:0:0 with result: -1765328243/Matching credential not found [16119] 1503409696.153609: Requesting TGT krbtgt/IPA.DOMAIN.COM@DOMAIN.COM using TGT krbtgt/DOMAIN.COM@DOMAIN.COM [16119] 1503409696.153663: Generated subkey for TGS request: aes256-cts/A13D [16119] 1503409696.153718: etypes requested in TGS request: aes256-cts, aes128-cts, des3-cbc-sha1, rc4-hmac, camellia128-cts, camellia256-cts, des-cbc-crc, des, des-cbc-md4 [16119] 1503409696.153875: Encoding request body and padata into FAST request [16119] 1503409696.153942: Sending request (1851 bytes) to DOMAIN.COM [16119] 1503409696.154236: Resolving hostname domain.com [16119] 1503409696.290796: Initiating TCP connection to stream 10.10.10.10:88 [16119] 1503409696.398086: Sending TCP request to stream 10.10.10.10:88 [16119] 1503409696.836098: Received answer (1551 bytes) from stream 10.10.10.10:88 [16119] 1503409696.836121: Terminating TCP connection to stream 10.10.10.10:88 [16119] 1503409696.836212: Response was from master KDC [16119] 1503409696.836258: Decoding FAST response [16119] 1503409696.836423: TGS reply is for testuser@DOMAIN.COM -> krbtgt/ipa.domain.com@DOMAIN.COM with session key aes256-cts/C0B1 [16119] 1503409696.836454: TGS request result: 0/Success [16119] 1503409696.836461: Received TGT for offpath realm ipa.domain.com [16119] 1503409696.836468: Requesting TGT krbtgt/IPA.DOMAIN.COM@ipa.domain.com using TGT krbtgt/ipa.domain.com@DOMAIN.COM [16119] 1503409696.836486: Generated subkey for TGS request: aes256-cts/743D [16119] 1503409696.836523: etypes requested in TGS request: aes256-cts, aes128-cts, des3-cbc-sha1, rc4-hmac, camellia128-cts, camellia256-cts, des-cbc-crc, des, des-cbc-md4 [16119] 1503409696.836579: Encoding request body and padata into FAST request [16119] 1503409696.836648: Sending request (1854 bytes) to ipa.domain.com [16119] 1503409696.904352: Resolving hostname idm1.ipa.domain.com. [16119] 1503409696.938147: Sending initial UDP request to dgram 10.10.10.11:88 [16119] 1503409696.943465: Received answer (146 bytes) from dgram 10.10.10.11:88 [16119] 1503409696.977047: Response was from master KDC [16119] 1503409696.977102: TGS request result: -1765328353/Decrypt integrity check failed kvno: Decrypt integrity check failed while getting credentials for host/idm1.ipa.domain.com@IPA.DOMAIN.COM

Can you please advise me on how to resolve this issue?

Bart