[EXT] 'HANDLE_AUTHDATA' error when trying to setup Kerberos trust between AD and FreeIPA

Robbie Harwood rharwood at redhat.com
Tue Jun 16 07:06:39 EDT 2020


Robert Sturrock <rns at unimelb.edu.au> writes:

> Hi Dmitri,
>
> Sorry - I did not give all the background in the interests of brevity.
> We do not want to establish a full trust between AD and IPA (at this
> stage).  This is for a number of reasons, but is primarily a
> reluctance to bring a very large and entirely irrelevant set of AD
> groups across to IPA-enrolled hosts.
>
> The IPA installation is running in a 'winsync' arrangement with AD,
> but as a convenience for the users it would be useful if a TGT from AD
> were sufficient to access services in the IPA realm, to save them
> having to 'kinit' to another Kerberos realm.
>
> So I'm interested in establishing a trust at the Kerberos level only.
> We have done this successfully between a legacy MIT Kerberos service
> and IPA, so I hoped we could also set one up between AD and IPA,
> before running into the error I described.
>
> Any clues as to what the reason for the 'HANDLE_AUTHDATA' error might be?

For context, the full error is:

    kvno: KDC returned error string: HANDLE_AUTHDATA while getting credentials for host/palladium1.localdomain at PALLAS.LOCALREALM

Anyway, first step is to check the KDC logs (since that's who generated
the error) - there's possibly more information there.

Thanks,
--Robbie