On 14/11/2019 11:44, Alexander Bokovoy wrote:
> On Thu, 14 Nov 2019, lejeczek via FreeIPA-users wrote:
>> hi guys
>>
>> I have AD trust working fine (gssapi), ssh & samba are password-less
>> when the trust is established with 'admin' credentials.
>>
>> But the story is very different with 'shared secret'. Kerberos does not
>> work, passwords are asked for and with Windows cifs - asks for username
>> and no authentication even with passwords!
>>
>> And this weird bit, I do:
>>
>> $ ipa trust-add --all --two-way=0 --type=ad bec.private.mac.ac.uk
>> --trust-secret --server=win8-vm.bec.private.mac.ac.uk
>>
>> Shared secret for the trust:
>>
>> ...
>>
>> Here, for the 'secret' I can punch in anything and IPA will say that the
>> trust was added successfully - this surely must not be right, right?
>>
>> So, should 'secret' work for one-way incoming trust in IPA? To me, it
>> does not seem like it.
>
> It very much depends on what RHEL/CentOS version you use. What
> ipa-server package version? You need RHEL 7.7 as a base.

IPA version in the subject. I'm on CentOS 7.7.1908.

thanks, L.

>
> See https://bugzilla.redhat.com/show_bug.cgi?id=1757507
>
> However, there is a catch. If you have more than one domain in your IPA
> deployment that is not a subdomain of the primary IPA domain (e.g.
> example.test and anotherdomain.test where example.test is the primary IPA
> domain), then GSSAPI authentication to anotherdomain.test would not work
> from Windows machines. This is because we don't yet have an implementation
> of the APIs expected by Active Directory domain controllers to retrieve
> the forest topology from the IPA side and we cannot update it on the AD DC
> side from IPA without admin credentials.