Hello,

Apologies for the earlier premature post :)

This list helped me solve a number of issues getting a proof-of-concept IPA-AD cross-forest trust working. I believe there is one final issue; hopefully one of the experts here can have a look at the logs and let me know if anything sticks out.

I am able to SSH into the IPA master using my AD creds, but have not yet been able to SSH into a given IPA client using AD creds.

Here are some details:
1. domain.acme.com is the AD domain, ipa.domain.acme.com is the IPA domain. All IPA clients belong to ipa.domain.acme.com, and they reside in a DNS zone controlled by the IPA server.
2. It's using the POSIX ID range scheme.
3. All configs are fairly stock, and everything set up quite happily using SRV records for autodiscovery. There are sites configured, which appear to be working.
4. The IPA clients make no effort to contact the AD servers for KDC or PAC. I have a feeling it doesn't get that far.
5. IPA users can SSH into the IPA clients just fine; AD users cannot.

Thank you for your time,
D