Robert Sturrock <[email protected]> writes:

> Hi Dmitri,
>
> Sorry - I did not give all the background in the interests of brevity.
> We do not want to establish a full trust between AD and IPA (at this
> stage). This is for a number of reasons, but is primarily a
> reluctance to bring a very large and entirely irrelevant set of AD
> groups across to IPA-enrolled hosts.
>
> The IPA installation is running in a ‘winsync’ arrangement with AD,
> but as a convenience for the users it would be useful if a TGT from AD
> were sufficient to access services in the IPA realm, to save them
> having to ‘kinit’ to another kerberos realm.
>
> So I’m interested in establishing a trust at the Kerberos level only.
> We have done this successfully between a legacy MIT kerberos service
> and IPA, so I hoped we could also set one up between AD and IPA,
> before running into the error I described.
>
> Any clues as to what the reason for the ‘HANDLE_AUTHDATA’ error might be?

For context, the full error is:

    kvno: KDC returned error string: HANDLE_AUTHDATA while getting credentials
    for host/[email protected]

Anyway, first step is to check the KDC logs (since that's who generated
the error) - there's possibly more information there.

Thanks,
--Robbie
________________________________________________ Kerberos mailing list [email protected] https://mailman.mit.edu/mailman/listinfo/kerberos
