On Fri, Apr 19, 2013 at 12:37:30PM +0200, Natxo Asenjo wrote:
> I modified /etc/sysconfig/network
> HOSTNAME=kdc.ipa.asenjo.nx
>
> rebooted the host. Re-ran
>
> # smbclient -L kdc.ipa.asenjo.nx -k
> lp_load_ex: changing to config backend registry
> Domain=[IPA] OS=[Unix] Server=[Samba 4.0.0rc4]
>
>         Sharename       Type      Comment
>         ---------       ----      -------
>         IPC$            IPC       IPC Service (Samba 4.0.0rc4)
> Domain=[IPA] OS=[Unix] Server=[Samba 4.0.0rc4]
>
> That was ok.
>
> re-ran:
>
> # ipa trust-add --type=ad ad.asenjo.nx --admin Administrator --password
> Active directory domain administrator's password:
> -----------------------------------------------------
> Added Active Directory trust for realm "ad.asenjo.nx"
> -----------------------------------------------------
>   Realm name: ad.asenjo.nx
>   Domain NetBIOS name: AD
>   Domain Security Identifier: S-1-5-21-2508008360-1834726910-79835928
>   Trust direction: Two-way trust
>   Trust type: Active Directory domain
>   Trust status: Established and verified
>
> And it is working :-)
>
> Awesome.

Great. Please note that having hostname to return a fully qualified host name is not a new requirement coming with the trust feature. It was always recommended because also other services like sshd, httpd, sssd might have problems finding the right Kerberos keys from their keytabs.

bye,
Sumit

>
> Thanks!
>
> --
> groet,
> natxo
>
>
> --
> Groeten,
> natxo
>
>
> On Fri, Apr 19, 2013 at 12:11 PM, Sumit Bose <[email protected]> wrote:
>
> > On Fri, Apr 19, 2013 at 11:45:47AM +0200, Natxo Asenjo wrote:
> > > I saw there is a log in /var/log/samba/log.wb-IPA
> > >
> > > The log complains about missing keys for the spn for the hostname (not the
> > > fqdn, just the hostname):
> > >
> > > Connection to LDAP server failed for the 15 try!
> > > [2013/04/19 11:39:22.352522, 0] ipa_sam.c:3689(bind_callback_cleanup)
> > > kerberos error: code=-1765328203, message=Keytab contains no suitable
> > > keys for cifs/[email protected]
> >
> > Can you check if
> >
> > $ hostname
> >
> > returns the fully qualified hostname, if not, please fix this, call
> > ipactl stop and ipactl start and try again.
> >
> > bye,
> > Sumit
> >
> > >
> > > --
> > > Groeten,
> > > natxo
> >

_______________________________________________
Freeipa-users mailing list
[email protected]
https://www.redhat.com/mailman/listinfo/freeipa-users
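
The check discussed in this thread (does `hostname` return a fully qualified name, and does the keytab hold a service key for that exact name) can be scripted as below. This is an added example, not part of the original messages or of FreeIPA; the host `ipa1.example.test`, the realm `EXAMPLE.TEST`, the sample `klist -k` listing and the keytab path placeholder are all constructed assumptions.

```shell
#!/bin/sh
# Constructed sample of `klist -k` output; host and realm are placeholders.
SAMPLE_KEYTAB='Keytab name: FILE:/path/to/service.keytab
KVNO Principal
---- ----------------------------------------------------------------
   1 cifs/ipa1.example.test@EXAMPLE.TEST
   1 host/ipa1.example.test@EXAMPLE.TEST'

# is_fqdn NAME: succeeds when NAME has at least two non-empty labels.
is_fqdn() {
    case "$1" in
        ""|.*|*.|*..*) return 1 ;;
        *.*)           return 0 ;;
        *)             return 1 ;;
    esac
}

# keytab_has_service SERVICE HOST KLIST_OUTPUT
# Succeeds when the listing holds a principal starting with SERVICE/HOST@.
keytab_has_service() {
    printf '%s\n' "$3" | awk -v want="$1/$2@" '
        index($2, want) == 1 { found = 1 }
        END { exit !found }'
}

# check_host SERVICE HOST KLIST_OUTPUT
# Returns 0 if usable, 1 if HOST is a short name, 2 if no matching key.
check_host() {
    if ! is_fqdn "$2"; then
        echo "FAIL: hostname '$2' is not fully qualified"
        return 1
    fi
    if ! keytab_has_service "$1" "$2" "$3"; then
        echo "FAIL: keytab has no key for $1/$2"
        return 2
    fi
    echo "OK: keytab has a key for $1/$2"
}

# On a live host, as a user who can read the keytab (path is a placeholder):
#   check_host cifs "$(hostname)" "$(klist -k /path/to/service.keytab)"
check_host cifs ipa1 "$SAMPLE_KEYTAB" || true      # short name, as in the log
check_host cifs ipa1.example.test "$SAMPLE_KEYTAB" # fully qualified name
```

A short hostname fails the first test before the keytab is consulted, which mirrors the "Keytab contains no suitable keys" error quoted in the thread: the service builds its principal from whatever `hostname` returns.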
