On Tue, 27 May 2025, R Engineer via FreeIPA-users wrote:
Now I have another problem. The AD login now works on every server in
the environment and I can do sudo with the AD user, except on the
FreeIPA server itself. In the logfiles I see the following error:

[krb5_child[12224]] [map_krb5_error] (0x0040): [RID#138] 2487:
[-1765328377][Error constructing AP-REQ armor: Server
krbtgt/[email protected] not found in Kerberos database]

Any tips? I haven't got any further with Google (yet)...

If the Kerberos request is of type krbtgt/TRUSTED_DOMAIN@TRUSTING_DOMAIN,
this means SSSD needs a ticket to talk to the trusted domain's domain
controllers on behalf of the trusted user. This requires bi-directional
trust.

See sections 7.3 and 7.4 of the IdM documentation for trust to AD:
https://docs.redhat.com/en/documentation/red_hat_enterprise_linux/9/html/planning_identity_management/planning-a-cross-forest-trust-between-idm-and-ad_planning-identity-management#one-way-trusts-and-two-way-trusts_planning-a-cross-forest-trust-between-idm-and-ad

--
/ Alexander Bokovoy
Sr. Principal Software Engineer
Security / Identity Management Engineering
Red Hat Limited, Finland
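
Added example, not part of the original messages and not SSSD or FreeIPA code: a small triage script that picks krb5_child "Server ... not found in Kerberos database" errors out of a log, even when the lines are wrapped as in the mail above, and flags the ones that ask for a krbtgt/TRUSTED_DOMAIN@TRUSTING_DOMAIN principal. The function name `triage`, the realm names and the second log entry are assumptions constructed for the example.

```python
import re

# krb5 code for "Server not found in Kerberos database", as in the log above
S_PRINCIPAL_UNKNOWN = -1765328377

ENTRY = re.compile(r"\[krb5_child\[(\d+)\]\] \[map_krb5_error\].*?\[(-?\d+)\]\[([^\]]*)\]")
SERVER = re.compile(r"Server ([^/@\s]+)/([^@\s]+)@(\S+) not found")

def triage(log_text):
    """Return one finding per krb5_child 'server not found' error."""
    # Mail clients and pagers wrap long log lines, so collapse whitespace
    # and re-split on the krb5_child tag before matching.
    flat = " ".join(log_text.split())
    findings = []
    for chunk in re.split(r"(?=\[krb5_child\[\d+\]\])", flat):
        entry = ENTRY.search(chunk)
        if not entry or int(entry.group(2)) != S_PRINCIPAL_UNKNOWN:
            continue
        server = SERVER.search(entry.group(3))
        if not server:
            continue
        service, instance, realm = server.groups()
        # krbtgt/X@Y with X != Y is a cross-realm TGT request
        cross_realm = service == "krbtgt" and instance.upper() != realm.upper()
        findings.append({
            "pid": int(entry.group(1)),
            "principal": f"{service}/{instance}@{realm}",
            "cross_realm_tgt": cross_realm,
            "hint": ("krbtgt/TRUSTED_DOMAIN@TRUSTING_DOMAIN request: check "
                     "whether the trust is two-way" if cross_realm
                     else "principal not present in that realm's Kerberos database"),
        })
    return findings

# Constructed sample: realm names are placeholders, second entry is unrelated.
SAMPLE = """\
[krb5_child[12224]] [map_krb5_error] (0x0040): [RID#138] 2487:
[-1765328377][Error constructing AP-REQ armor: Server
krbtgt/AD.EXAMPLE.TEST@IPA.EXAMPLE.TEST not found in Kerberos database]
[krb5_child[12301]] [map_krb5_error] (0x0040): [RID#140] 2487:
[-1765328377][Server host/web1.ipa.example.test@IPA.EXAMPLE.TEST not found in Kerberos database]
"""

if __name__ == "__main__":
    for finding in triage(SAMPLE):
        print(finding)
```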
