We have a forest with two domains and full trust configured between them; let's call them 'domain1' and 'domain2'.
ERA server krb5.conf:
[root@era Server]# cat /etc/krb5.conf
[logging]
  default = FILE:/var/log/krb5libs.log
  kdc = FILE:/var/log/krb5kdc.log
  admin_server = FILE:/var/log/kadmind.log
  default = SYSLOG:INFO:DAEMON
  kdc = SYSLOG:INFO:DAEMON
  admin_server = SYSLOG:INFO:DAEMON

[libdefaults]
  default_realm = DOMAIN2
  dns_lookup_realm = true
  dns_lookup_kdc = true
  ticket_lifetime = 24h
  renew_lifetime = 7d
  forwardable = true

[realms]
  DOMAIN2 = {
    kdc = dc.domain2
    admin_server = dc.domain2
  }
  DOMAIN1 = {
    kdc = dc.domain1
  }

[domain_realm]
  .domain2 = DOMAIN2
  domain2 = DOMAIN2
  .domain1 = DOMAIN1
  domain1 = DOMAIN1
Of course, "domain1" is actually something like "domain1.local" and "domain2" something like "domain2.local".
All synchronization tasks are working; we get all computers and OUs from both ADs into static groups.
In Access Rights, the DOMAIN1\ESET_admins and DOMAIN2\ESET_admins groups are configured, so we can log in with DOMAIN1 and DOMAIN2 users from those groups.
Problems start when I try to deploy agents remotely to PCs in DOMAIN1.
As you can see, default_realm in krb5.conf is DOMAIN2. So when I deploy agents to DOMAIN2 PCs it works like a charm.
But when I try to deploy an agent to PCs in DOMAIN1, it finishes with an error.
In trace.log I see that ERA can connect and copy temp files to the ADMIN$ share, but everything crashes on 'net rpc service'.
The command looks like 'net -i -k rpc service delete eset-remote-installer -W DOMAIN1 -U admin4 -S pc.domain1' and the error is 'Failed to open Service Control Manager. [WERR_ACCESS_DENIED]'.
I tried to run it from the shell and got very strange behaviour:
1) When I run the command 'net -i -k rpc service delete eset-remote-installer -W DOMAIN1 -U admin4 -S pc.domain1', in the PC's Event Viewer Security log I see a connection from DOMAIN2\admin4, not from DOMAIN1!
2) When I run the command using the IP address instead of the FQDN computer name, everything works: 'net -i -k rpc service delete eset-remote-installer -W DOMAIN1 -U admin4 -S 10.0.0.1' gives 'Failed to open service. [WERR_NO_SUCH_SERVICE]', and in Event Viewer I see a connection with the DOMAIN1\admin4 login.
I'm not a Linux guru, so I am a little bit confused by this.
Is this a problem with the configuration of AD authorization, or is this some bug?
And what can we do about it?
We have about 1200 workstations in the company network and we are planning to migrate from ERA5 to ERA6.
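Added example (editor's code, not from the original post and not ESET's or Samba's code): a small Python model of the two MIT Kerberos lookups that the command above depends on, run against a copy of the krb5.conf shown in the post. It encodes two documented MIT krb5 rules: a principal given without a realm is completed with default_realm, and a target hostname is mapped to a realm by [domain_realm] (exact match first, then the longest dotted suffix), while an IP address matches nothing there. The assumption that `net -k -U admin4` is subject to exactly these rules, and what `net` does when no realm can be found for an IP target, is an interpretation offered here and not something the post establishes.

```python
import ipaddress
import re

# Constructed copy of the krb5.conf from the post (domains shortened as in the post).
KRB5_CONF = """
[libdefaults]
  default_realm = DOMAIN2
  dns_lookup_realm = true
  dns_lookup_kdc = true

[realms]
  DOMAIN2 = {
    kdc = dc.domain2
    admin_server = dc.domain2
  }
  DOMAIN1 = {
    kdc = dc.domain1
  }

[domain_realm]
  .domain2 = DOMAIN2
  domain2 = DOMAIN2
  .domain1 = DOMAIN1
  domain1 = DOMAIN1
"""


def parse_krb5_conf(text):
    """Minimal krb5.conf parser: [section], key = value, and REALM = { ... } blocks.
    Repeated keys keep the last value; good enough for the lookups modelled here."""
    conf = {}
    stack = []  # innermost dict being filled (section or a nested { } block)
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        m = re.fullmatch(r"\[(\w+)\]", line)
        if m:
            section = conf.setdefault(m.group(1), {})
            stack = [section]
            continue
        if not stack:
            continue  # key before any section header: ignore
        if line == "}":
            stack.pop()
            continue
        key, _, value = line.partition("=")
        key, value = key.strip(), value.strip()
        if value == "{":
            sub = {}
            stack[-1][key] = sub
            stack.append(sub)
        else:
            stack[-1][key] = value
    return conf


def client_principal(user, conf):
    """MIT rule: a principal without '@REALM' gets [libdefaults] default_realm."""
    if "@" in user:
        return user
    return f"{user}@{conf['libdefaults']['default_realm']}"


def host_realm(host, conf):
    """Map a target hostname to a realm via [domain_realm].
    Exact hostname first, then '.parent', '.grandparent', ... (MIT lookup order).
    An IP literal has no DNS name to match, so it maps to nothing (None)."""
    try:
        ipaddress.ip_address(host)
        return None
    except ValueError:
        pass
    mapping = {k.lower(): v for k, v in conf.get("domain_realm", {}).items()}
    host = host.lower().rstrip(".")
    if host in mapping:
        return mapping[host]
    labels = host.split(".")
    for i in range(1, len(labels)):
        suffix = "." + ".".join(labels[i:])
        if suffix in mapping:
            return mapping[suffix]
    return None


def describe_attempt(user, target, conf):
    """Summarise which identities a Kerberos attempt would be built from.
    'kerberos_possible' only says a realm exists for the target; the actual
    fallback behaviour of Samba's net on failure is an assumption, not modelled."""
    realm = host_realm(target, conf)
    return {
        "client_principal": client_principal(user, conf),
        "target_realm": realm,
        "kerberos_possible": realm is not None,
    }


if __name__ == "__main__":
    conf = parse_krb5_conf(KRB5_CONF)
    for target in ("pc.domain1", "10.0.0.1"):
        print(target, describe_attempt("admin4", target, conf))
    print("explicit realm:", describe_attempt("admin4@DOMAIN1", "pc.domain1", conf))
```

Run as-is, the model shows `-U admin4` becoming `admin4@DOMAIN2` while the target `pc.domain1` maps to `DOMAIN1`, and `10.0.0.1` mapping to no realm at all; passing `admin4@DOMAIN1` is the one input for which the client principal and target realm agree.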