[Freeipa-users] problems with trust with AD (2 different domains

Natxo Asenjo natxo.asenjo at gmail.com
Fri Apr 19 09:38:03 UTC 2013


On Fri, Apr 19, 2013 at 11:27 AM, Sumit Bose <sbose at redhat.com> wrote:

> On Fri, Apr 19, 2013 at 11:03:02AM +0200, Natxo Asenjo wrote:
> > hi,
> >
> > while following the instructions in
> >
> > https://access.redhat.com/site/documentation/en-US/Red_Hat_Enterprise_Linux/6/html/Identity_Management_Guide/trust-diff-dns-domains.html
> >
> > I run step 9:
> >
> > smbclient -L kdc.ipa.asenjo.nx -k
> > lp_load_ex: changing to config backend registry
> > Connection to kdc.ipa.asenjo.nx failed (Error NT_STATUS_CONNECTION_REFUSED)
> >
> > I have a valid ticket:
> >
> > # klist
> > Ticket cache: FILE:/tmp/krb5cc_0
> > Default principal: admin@IPA.ASENJO.NX
> >
> > Valid starting     Expires            Service principal
> > 04/19/13 08:46:48  04/20/13 08:46:48  krbtgt/IPA.ASENJO.NX@IPA.ASENJO.NX
> > 04/19/13 08:56:59  04/20/13 08:46:48  HTTP/kdc.ipa.asenjo.nx@IPA.ASENJO.NX
>
> Did ipa-adtrust-install finish successfully?
>
>
yes


> Can you check if there is a cifs service:
>
> $ ipa service show cifs/kdc.ipa.asenjo.nx@IPA.ASENJO.NX
>

 # ipa service-show cifs/kdc.ipa.asenjo.nx@IPA.ASENJO.NX
  Principal: cifs/kdc.ipa.asenjo.nx@IPA.ASENJO.NX
  Keytab: True
  Managed by: kdc.ipa.asenjo.nx


> the output should show 'Keytab: True'
>
>

> Then please check if samba knows about the keytab and its content.
>
> $ net conf list
>
> should contain 'kerberos method = dedicated keytab' and
> 'dedicated keytab file = FILE:/etc/samba/samba.keytab'
>
>
# net conf list | grep keytab
    kerberos method = dedicated keytab
    dedicated keytab file = FILE:/etc/samba/samba.keytab



> $ klist -ekt /etc/samba/samba.keytab
>
> should show entries with different encryption types.
> Next please try to get a ticket for this service:
>
> $ kvno cifs/kdc.ipa.asenjo.nx@IPA.ASENJO.NX
>
>
 # kvno cifs/kdc.ipa.asenjo.nx@IPA.ASENJO.NX
cifs/kdc.ipa.asenjo.nx@IPA.ASENJO.NX: kvno = 1
[root@kdc ~]# klist
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: admin@IPA.ASENJO.NX

Valid starting     Expires            Service principal
04/19/13 08:46:48  04/20/13 08:46:48  krbtgt/IPA.ASENJO.NX@IPA.ASENJO.NX
04/19/13 08:56:59  04/20/13 08:46:48  HTTP/kdc.ipa.asenjo.nx@IPA.ASENJO.NX
04/19/13 11:33:19  04/20/13 08:46:48  cifs/kdc.ipa.asenjo.nx@IPA.ASENJO.NX

> klist should now list the ticket. Please try the smbclient command
> again.
>

# smbclient -L kdc.ipa.asenjo.nx -k
lp_load_ex: changing to config backend registry
Connection to kdc.ipa.asenjo.nx failed (Error NT_STATUS_CONNECTION_REFUSED)


Thanks,

-- 
groet,
natxo
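
Added example, not part of the original thread: the keytab checks requested above (`net conf list` and `klist -ekt /etc/samba/samba.keytab`), scripted as two filters over the commands' output. The function names and the sample output, including its timestamps and enctype list, are constructed for illustration.

```shell
#!/bin/sh
# Added example: function names and sample data are constructed, not from the thread.

# Read `net conf list` output on stdin. Succeeds only if both settings the
# thread asks for are present with the expected values.
check_samba_conf() {
    awk -F'=' '
        { key = $1; val = $2
          gsub(/^[ \t]+|[ \t]+$/, "", key)
          gsub(/^[ \t]+|[ \t]+$/, "", val) }
        key == "kerberos method" && val == "dedicated keytab" { m = 1 }
        key == "dedicated keytab file" && val == "FILE:/etc/samba/samba.keytab" { f = 1 }
        END { exit !(m && f) }'
}

# Read `klist -ekt <keytab>` output on stdin. Prints how many distinct
# encryption types the keytab holds for the principal given as $1.
count_enctypes() {
    awk -v p="$1" '
        $4 == p { seen[$5] = 1 }
        END { n = 0; for (e in seen) n++; print n }'
}

# Constructed sample output (timestamps and enctype list are illustrative).
SAMPLE_CONF='[global]
    kerberos method = dedicated keytab
    dedicated keytab file = FILE:/etc/samba/samba.keytab'

SAMPLE_KLIST='Keytab name: FILE:/etc/samba/samba.keytab
KVNO Timestamp         Principal
---- ----------------- ------------------------------------------------
   1 04/19/13 08:50:00 cifs/kdc.ipa.asenjo.nx@IPA.ASENJO.NX (aes256-cts-hmac-sha1-96)
   1 04/19/13 08:50:00 cifs/kdc.ipa.asenjo.nx@IPA.ASENJO.NX (aes128-cts-hmac-sha1-96)
   1 04/19/13 08:50:00 cifs/kdc.ipa.asenjo.nx@IPA.ASENJO.NX (arcfour-hmac)'

PRINC='cifs/kdc.ipa.asenjo.nx@IPA.ASENJO.NX'
if printf '%s\n' "$SAMPLE_CONF" | check_samba_conf; then
    echo "samba keytab settings: ok"
else
    echo "samba keytab settings: missing or different"
fi
echo "enctypes for $PRINC: $(printf '%s\n' "$SAMPLE_KLIST" | count_enctypes "$PRINC")"
```

On a live server, pipe the real output of `net conf list` and `klist -ekt /etc/samba/samba.keytab` into the two functions in place of the sample strings.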