No. Also they said that they opened up the firewall for all the ports.
[root@server01 /]# kinit 018443@abc.com
Password for 018443@abc.com:
kinit: KDC policy rejects request while getting initial credentials
Could it be trying to use krb5.keytab? Is it unique to each instance? Since it was
removed from the realm, will it need to have a new keytab generated? Is that a local
verification or do we also have to do something on the AD server?
Sonia Gilbert, -Engineer II, Information Protection & Compliance Team
3375 Koapaka Street, 3rd Floor, Honolulu, HI 96819 | P: 808.564.7503
Sonia.Gilbert(a)HawaiianAir.com
-----Original Message-----
From: Jakub Hrozek [mailto:jhrozek@redhat.com]
Sent: Wednesday, February 01, 2017 10:35 PM
To: sssd-users(a)lists.fedorahosted.org
Subject: [SSSD-users] Re: account not authenticating in child domain
On Wed, Feb 01, 2017 at 08:06:53PM +0000, Gilbert, Sonia wrote:
Can't open the bug. I get the following error.
"You are not authorized to access bug #1293168.
Most likely the bug has been restricted for internal development processes and we cannot
grant access.
If you are a Red Hat customer with an active subscription, please
visit the Red Hat Customer Portal for assistance with your issue
If you are a Fedora Project user and require assistance, please consider using one of the
mailing lists we host for the Fedora Project."
Update on current situation:
Removed it from the realm but now it will not rejoin. Removed two-factor for the server
in AD but still will not accept administrator's password. Suspect that some firewall
rules were removed. Had FW engineer check and he saw 389 blocked. Put in a request for
ports TCP 53, 389, 3268 and UDP 389, 138, 123, 53, 88, and 137 from centos server to AD
server. Waiting for him to implement the rules and will try again.
[root@PHXRASPCI01 ~]# realm join -v -U domainadmin@abc.com abc.com
 * Resolving: _ldap._tcp.abc.com
 * Performing LDAP DSE lookup on: x.x.161.252
 * Performing LDAP DSE lookup on: x.x.161.251
 * Successfully discovered: abc.com
Password for domainadmin@abc.com:
 * Required files: /usr/sbin/oddjobd, /usr/libexec/oddjob/mkhomedir, /usr/sbin/sssd, /usr/bin/net
 * LANG=C LOGNAME=root /usr/bin/net -s /var/cache/realmd/realmd-smb-conf.WENPUY -U domainadmin@abc.com ads join abc.com
Enter domainadmin@abc.com's password:kerberos_kinit_password domainadmin@ABC.COM failed: KDC policy rejects request
Are you able to kinit as domainadmin@ABC.COM at all?
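
Added example, not part of the thread and not SSSD or realmd code: a triage of the error lines shown above (wrapped lines re-joined, the archive's "(a)" read as "@"). It separates Kerberos failures where no KDC reply arrived from failures whose text is a KDC-returned error; "KDC policy rejects request" is the MIT krb5 text for KDC_ERR_POLICY, which is in the second group. The function names are hypothetical and the last sample line is constructed for contrast.

```python
import re

# MIT krb5 message fragments. First group: the client got no KDC reply
# (DNS, routing, firewall). Second group: text of an error a KDC sent back.
NO_KDC_REPLY = ("Cannot contact any KDC", "Cannot find KDC", "Cannot resolve")
KDC_REPLIED = ("KDC policy rejects request", "Preauthentication failed",
               "not found in Kerberos database", "Clock skew too great",
               "credentials have been revoked")

# One pattern per tool whose output appears in the thread.
PATTERNS = (
    ("kinit", re.compile(r"^kinit: (?P<err>.+?) while (?P<stage>.+)$")),
    ("net ads join", re.compile(
        r"kerberos_kinit_password (?P<princ>\S+) failed: (?P<err>.+)$")),
)

def classify(err):
    """Return 'no-kdc-reply', 'kdc-replied' or 'unknown' for an error text."""
    if any(s in err for s in NO_KDC_REPLY):
        return "no-kdc-reply"
    if any(s in err for s in KDC_REPLIED):
        return "kdc-replied"
    return "unknown"

def triage(transcript):
    """Extract (tool, error, verdict) for each Kerberos error line."""
    findings = []
    for line in transcript.splitlines():
        for tool, pattern in PATTERNS:
            m = pattern.search(line.strip())
            if m:
                err = m.group("err").strip()
                findings.append((tool, err, classify(err)))
                break
    return findings

# Lines 1-4 are from the thread; line 5 is constructed (hypothetical realm).
SAMPLE = """\
[root@server01 /]# kinit 018443@abc.com
Password for 018443@abc.com:
kinit: KDC policy rejects request while getting initial credentials
Enter domainadmin@abc.com's password:kerberos_kinit_password domainadmin@ABC.COM failed: KDC policy rejects request
kinit: Cannot contact any KDC for realm 'EXAMPLE.TEST' while getting initial credentials
"""

if __name__ == "__main__":
    for tool, err, verdict in triage(SAMPLE):
        print(f"{tool:13} {verdict:13} {err}")
```

A "kdc-replied" verdict means the request reached a KDC and was answered, so the next place to look is the account and policy settings on the KDC side rather than the path to port 88.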