Thanks a lot, that works if I comment out the explicit reference to a server name and switch dns_lookup_kdc to true.
I think I understand why it was not working from the install: I used the ipa-client-install with the option --server. According to the man page, in the "Failover" section, I understand that "DNS Autodiscovery" is enabled when no "fixed server was passed to the installer", which makes sense a posteriori.

I think that closes my topic, thanks again for all the help I got!

On Tue, Jan 5, 2016 at 7:34 PM, Natxo Asenjo <natxo.ase...@gmail.com> wrote:

>
> On Tue, Jan 5, 2016 at 7:31 PM, Natxo Asenjo <natxo.ase...@gmail.com>
> wrote:
>
>> includedir /var/lib/sss/pubconf/krb5.include.d/
>> #File modified by ipa-client-install
>>
>> [libdefaults]
>> default_realm = IPA.DOMAIN.TLD
>> dns_lookup_realm = true
>> dns_lookup_kdc = true
>> rdns = false
>> ticket_lifetime = 24h
>> forwardable = yes
>>
>> [realms]
>> IPA.DOMAIN.TLD = {
>> pkinit_anchors = FILE:/etc/ipa/ca.crt
>> }
>>
>> [domain_realm]
>> .ipa.domain.tld = IPA.DOMAIN.TLD
>> ipa.domain.tld = IPA.DOMAIN.TLD
>>
>> ]$ cat /etc/krb5.conf
>>
>
> with this config I can reach any realm, by the way, provided it has srv
> records. It works for our AD forests as well.
>
> --
> Groeten,
> natxo
>
> --
> Manage your subscription for the Freeipa-users mailing list:
> https://www.redhat.com/mailman/listinfo/freeipa-users
> Go to http://freeipa.org for more info on the project
>
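Added example, not part of the original thread or of FreeIPA: a small krb5.conf check that reports, per realm, whether KDCs are pinned in the file or located through DNS SRV lookup, which shows why both changes described above were needed. The sample configs and the hostname `ipa1.ipa.domain.tld` are constructed; the SRV names follow the standard `_kerberos._udp` / `_kerberos._tcp` convention.

```python
# Added example; configs are constructed and the KDC hostname is a placeholder.
PINNED = """\
[libdefaults]
default_realm = IPA.DOMAIN.TLD
dns_lookup_kdc = false
[realms]
IPA.DOMAIN.TLD = {
  kdc = ipa1.ipa.domain.tld:88
  pkinit_anchors = FILE:/etc/ipa/ca.crt
}
"""
# The two changes described in the thread: comment out the server, enable lookup.
DISCOVERY = (PINNED.replace("dns_lookup_kdc = false", "dns_lookup_kdc = true")
                   .replace("  kdc =", "  # kdc ="))
TRUE = {"true", "yes", "y", "t", "1", "on"}

def kdc_sources(text):
    """Map each realm to ("fixed", hosts), ("dns", srv_names) or ("none", [])."""
    section, realm, libdefaults, pinned = None, None, {}, {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":      # krb5.conf comments are whole lines
            continue
        if line.startswith("[") and line.endswith("]"):
            section, realm = line[1:-1], None
        elif line == "}":
            realm = None
        elif "=" in line:
            key, value = (p.strip() for p in line.split("=", 1))
            if section == "libdefaults":
                libdefaults[key] = value
            elif section == "realms" and value == "{":
                realm = key
                pinned[realm] = []
            elif section == "realms" and realm and key == "kdc":
                pinned[realm].append(value)
    # Assumption: an absent dns_lookup_kdc counts as enabled (MIT krb5 default).
    dns = libdefaults.get("dns_lookup_kdc", "true").lower() in TRUE
    result = {}
    for name, hosts in pinned.items():
        if hosts:                            # listed KDCs win over DNS lookup
            result[name] = ("fixed", hosts)
        elif dns:
            result[name] = ("dns", [f"_kerberos._{p}.{name.lower()}" for p in ("udp", "tcp")])
        else:
            result[name] = ("none", [])
    return result
```

A realm reported as "none" has neither a listed KDC nor DNS lookup enabled, which is the state reached when only one of the two changes is made.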