Hi, thanks for the reply.

I was going through the replies and found that you suggested checking the firewall and DNS.

    [root@kwtpocpbis01 ~]# systemctl status firewalld
    firewalld.service - firewalld - dynamic firewall daemon
       Loaded: loaded (/usr/lib/systemd/system/firewalld.service; disabled)
       Active: inactive (dead)

    [root@kwtpocpbis01 ~]# systemctl status iptables
    iptables.service - IPv4 firewall with iptables
       Loaded: loaded (/usr/lib/systemd/system/iptables.service; disabled)
       Active: inactive (dead)

    [root@kwtpocpbis01 ~]# sestatus
    SELinux status: disabled

From Windows (AD), the nslookup command like below:

    C:\Windows\system32>nslookup.exe
    Default Server: kwttestdc001.kwttestdc.com
    Address: 172.16.104.231

    > set type=srv
    > _ldap._tcp.kwttestdc.com
    Server: kwttestdc001.kwttestdc.com
    Address: 172.16.104.231

    _ldap._tcp.kwttestdc.com SRV service location:
        priority = 0
        weight = 100
        port = 389
        svr hostname = kwttestdc001.kwttestdc.com
    kwttestdc001.kwttestdc.com internet address = 172.16.104.231

    > _ldap._tcp.solipa.local
    Server: kwttestdc001.kwttestdc.com
    Address: 172.16.104.231

    Non-authoritative answer:
    _ldap._tcp.solipa.local SRV service location:
        priority = 0
        weight = 100
        port = 389
        svr hostname = kwtpocpbis01.solipa.local
    kwtpocpbis01.solipa.local internet address = 172.16.107.244

This is from the IPA server:

    [root@kwtpocpbis01 ~]# dig SRV _ldap._tcp.solipa.local

    ; <<>> DiG 9.9.4-RedHat-9.9.4-14.el7 <<>> SRV _ldap._tcp.solipa.local
    ;; global options: +cmd
    ;; Got answer:
    ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 65274
    ;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 2

    ;; OPT PSEUDOSECTION:
    ; EDNS: version: 0, flags:; udp: 4000
    ;; QUESTION SECTION:
    ;_ldap._tcp.solipa.local. IN SRV

    ;; ANSWER SECTION:
    _ldap._tcp.solipa.local. 81125 IN SRV 0 100 389 kwtpocpbis01.solipa.local.

    ;; ADDITIONAL SECTION:
    kwtpocpbis01.solipa.local. 1101 IN A 172.16.107.244

    ;; Query time: 0 msec
    ;; SERVER: 172.16.104.231#53(172.16.104.231)
    ;; WHEN: Tue Mar 03 13:28:35 AST 2015
    ;; MSG SIZE rcvd: 113

    [root@kwtpocpbis01 ~]# dig SRV _ldap._tcp.kwttestdc.com

    ; <<>> DiG 9.9.4-RedHat-9.9.4-14.el7 <<>> SRV _ldap._tcp.kwttestdc.com
    ;; global options: +cmd
    ;; Got answer:
    ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 43860
    ;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 2

    ;; OPT PSEUDOSECTION:
    ; EDNS: version: 0, flags:; udp: 4000
    ;; QUESTION SECTION:
    ;_ldap._tcp.kwttestdc.com. IN SRV

    ;; ANSWER SECTION:
    _ldap._tcp.kwttestdc.com. 600 IN SRV 0 100 389 kwttestdc001.kwttestdc.com.

    ;; ADDITIONAL SECTION:
    kwttestdc001.kwttestdc.com. 3600 IN A 172.16.104.231

    ;; Query time: 0 msec
    ;; SERVER: 172.16.104.231#53(172.16.104.231)
    ;; WHEN: Tue Mar 03 13:28:43 AST 2015
    ;; MSG SIZE rcvd: 115

And there is no replica server either.

Regards,
Ben

On Mon, Mar 2, 2015 at 11:27 PM, Alexander Bokovoy <[email protected]> wrote:
> On Mon, 02 Mar 2015, Ben .T.George wrote:
>
>> Hi please find below output
>>
>> [root@kwttstfreipa01 ~]# kinit admin
>> Password for [email protected]:
>>
>> [root@kwttstfreipa01 ~]# id admin
>> uid=756800000(admin) gid=756800000(admins) groups=756800000(admins)
>>
>>
>> [root@kwttstfreipa01 ~]# KRB5_TRACE=/dev/stderr kvno -S cifs kwttestdc001.kwttestdc.com
>> [16898] 1425327238.662939: Convert service cifs (service with host as instance) on host kwttestdc001.kwttestdc.com to principal
>> [16898] 1425327238.663650: Remote host after forward canonicalization: kwttestdc001.kwttestdc.com
>> [16898] 1425327238.663684: Remote host after reverse DNS processing: kwttestdc001.kwttestdc.com
>> [16898] 1425327238.663728: Get host realm for kwttestdc001.kwttestdc.com
>> [16898] 1425327238.663742: Use local host kwttestdc001.kwttestdc.com to get host realm
>> [16898] 1425327238.663749: Look up kwttestdc001.kwttestdc.com in the domain_realm map
>> [16898] 1425327238.663757: Look up .kwttestdc.com in the domain_realm map
>> [16898] 1425327238.663764: Temporary realm is KWTTESTDC.COM
>> [16898] 1425327238.663771: Got realm KWTTESTDC.COM for host kwttestdc001.kwttestdc.com
>> [16898] 1425327238.663792: Got service principal cifs/[email protected]
>> [16898] 1425327238.663818: Getting credentials [email protected] -> cifs/[email protected] using ccache KEYRING:persistent:0:0
>> [16898] 1425327238.664257: Retrieving [email protected] -> cifs/[email protected] from KEYRING:persistent:0:0 with result: -1765328243/Matching credential not found
>> [16898] 1425327238.664381: Retrieving [email protected] -> krbtgt/[email protected] from KEYRING:persistent:0:0 with result: -1765328243/Matching credential not found
>> [16898] 1425327238.664500: Retrieving [email protected] -> krbtgt/[email protected] from KEYRING:persistent:0:0 with result: 0/Success
>> [16898] 1425327238.664516: Starting with TGT for client realm: [email protected] -> krbtgt/[email protected]
>> [16898] 1425327238.664608: Retrieving [email protected] -> krbtgt/[email protected] from KEYRING:persistent:0:0 with result: -1765328243/Matching credential not found
>> [16898] 1425327238.664622: Requesting TGT krbtgt/KWTTESTDC.COM@SOLIPA.LOCAL using TGT krbtgt/[email protected]
>> [16898] 1425327238.664690: Generated subkey for TGS request: aes256-cts/F74E
>> [16898] 1425327238.664818: etypes requested in TGS request: aes256-cts, aes128-cts, des3-cbc-sha1, rc4-hmac, camellia128-cts, camellia256-cts
>> [16898] 1425327238.665062: Encoding request body and padata into FAST request
>> [16898] 1425327238.665256: Sending request (1486 bytes) to SOLIPA.LOCAL
>> [16898] 1425327238.665597: Initiating TCP connection to stream 172.16.107.250:88
>> [16898] 1425327238.665802: Sending TCP request to stream 172.16.107.250:88
>> [16898] 1425327238.673061: Received answer from stream 172.16.107.250:88
>> [16898] 1425327238.673285: Response was from master KDC
>> [16898] 1425327238.673342: Decoding FAST response
>> [16898] 1425327238.673574: FAST reply key: aes256-cts/9134
>> [16898] 1425327238.673650: TGS reply is for [email protected] -> krbtgt/[email protected] with session key aes256-cts/4F6F
>> [16898] 1425327238.673691: TGS request result: 0/Success
>> [16898] 1425327238.673753: Removing [email protected] -> krbtgt/[email protected] from KEYRING:persistent:0:0
>> [16898] 1425327238.673768: Storing [email protected] -> krbtgt/[email protected] in KEYRING:persistent:0:0
>> [16898] 1425327238.673933: Received TGT for service realm: krbtgt/[email protected]
>> [16898] 1425327238.673950: Requesting tickets for cifs/[email protected], referrals on
>> [16898] 1425327238.673998: Generated subkey for TGS request: aes256-cts/8623
>> [16898] 1425327238.674084: etypes requested in TGS request: aes256-cts, aes128-cts, des3-cbc-sha1, rc4-hmac, camellia128-cts, camellia256-cts
>> [16898] 1425327238.674238: Encoding request body and padata into FAST request
>> [16898] 1425327238.674395: Sending request (1531 bytes) to KWTTESTDC.COM
>> [16898] 1425327238.676086: Resolving hostname kwttestdc001.kwttestdc.com.
>> [16898] 1425327238.678096: Resolving hostname kwttestdc001.kwttestdc.com.
>> [16898] 1425327238.678907: Initiating TCP connection to stream 172.16.104.231:88
>> [16898] 1425327238.679404: Sending TCP request to stream 172.16.104.231:88
>> [16898] 1425327238.681292: Received answer from stream 172.16.104.231:88
>> [16898] 1425327238.682088: Response was not from master KDC
>> [16898] 1425327238.682142: TGS request result: -1765328372/KDC policy rejects request
>> [16898] 1425327238.682161: Requesting tickets for cifs/[email protected], referrals off
>> [16898] 1425327238.682212: Generated subkey for TGS request: aes256-cts/50DA
>> [16898] 1425327238.682283: etypes requested in TGS request: aes256-cts, aes128-cts, des3-cbc-sha1, rc4-hmac, camellia128-cts, camellia256-cts
>> [16898] 1425327238.682391: Encoding request body and padata into FAST request
>> [16898] 1425327238.682499: Sending request (1531 bytes) to KWTTESTDC.COM
>> [16898] 1425327238.683871: Resolving hostname kwttestdc001.kwttestdc.com.
>> [16898] 1425327238.684756: Resolving hostname kwttestdc001.kwttestdc.com.
>> [16898] 1425327238.685461: Initiating TCP connection to stream 172.16.104.231:88
>> [16898] 1425327238.685864: Sending TCP request to stream 172.16.104.231:88
>> [16898] 1425327238.687136: Received answer from stream 172.16.104.231:88
>> [16898] 1425327238.687793: Response was not from master KDC
>> [16898] 1425327238.687832: TGS request result: -1765328372/KDC policy rejects request
>> kvno: KDC policy rejects request while getting credentials for cifs/[email protected]
>>
> Last line tells that trust is not working.
>
> Read discussion in this thread:
> https://www.redhat.com/archives/freeipa-users/2015-February/msg00397.html
> and follow recommendations there, it was just last week here.
> --
> / Alexander Bokovoy
>
--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project
