[Freeipa-devel] Trust relationship between IPA and samba4

Loris Santamaria loris at lgs.com.ve
Thu Jun 23 13:02:40 UTC 2011


Hi,

this week I tried to establish a trust relationship between freeipa v2
and a samba 4 domain. In that setup most workstations live in the samba
4 domain and most servers in the freeIPA domain, so I am mainly
interested in having Windows users able to authenticate to the Linux
servers.

First I set up the kerberos 5 trust from the "AD Domains and Trusts"
control panel, then using kadmin.local I added the proper principals to
the kerberos database in freeIPA (krbtgt/IPA.CORPFBK@WIN.CORPFBK and
krbtgt/WIN.CORPFBK@IPA.CORPFBK).

Second I added a sasl mapping to 389 DS to have windows users mapped one
to one to IPA users:

dn: cn=zz,cn=mapping,cn=sasl,cn=config
objectClass: top
objectClass: nsSaslMapping
nsSaslMapRegexString: \(.*\)@WIN.CORPFBK
cn: zz
nsSaslMapBaseDNTemplate: dc=ipa,dc=corpfbk
nsSaslMapFilterTemplate: (krbPrincipalName=\1@IPA.CORPFBK)

And... everything worked beautifully! I can obtain a ticket from samba 4
and use it to browse 389DS or connect via ssh to a Linux server.

Ok, this is all well with services that just need to authenticate a user
and then don't care about the realm part of the username, but it is not
enough for services that use the complete principal to gather group
membership of the users; I'm thinking of squid_kerb_auth +
squid_ldap_group or mod_auth_kerb + mod_authnz_ldap.

To have the trust relationship work with these services I should store
the samba4 user's complete principal name in some attribute of the
corresponding freeIPA user. What would be the proper attribute?
krbPrincipalAliases?

Thanks in advance.


-- 
Loris Santamaria   linux user #70506   xmpp:loris at lgs.com.ve
Links Global Services, C.A.            http://www.lgs.com.ve
Tel: 0286 952.06.87  Cel: 0414 095.00.10  sip:103 at lgs.com.ve
------------------------------------------------------------
-O9 -omg-optimize -fomit-instructions
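As an added example (not part of Loris's post and not 389 DS code), the snippet below emulates the nsSaslMapping rule from the LDIF above so the mapping can be checked offline before it is loaded. It assumes 389 DS applies nsSaslMapRegexString as an unanchored POSIX regex (written here in Python syntax) and substitutes \1 into the templates verbatim; the anchored regex and the RFC 4515 escaping are hardening suggestions, not something the post or the server does.

```python
import re

# Rule as posted (POSIX \( \) grouping rewritten in Python regex syntax).
POSTED_REGEX = r"(.*)@WIN.CORPFBK"
# Hardened variant (assumption): anchored, literal dot, no '@' in the user part.
ANCHORED_REGEX = r"^([^@]+)@WIN\.CORPFBK$"
BASE_TEMPLATE = "dc=ipa,dc=corpfbk"
FILTER_TEMPLATE = r"(krbPrincipalName=\1@IPA.CORPFBK)"


def escape_filter_value(value):
    """Escape LDAP filter metacharacters as \\XX hex pairs (RFC 4515)."""
    return "".join(
        "\\%02x" % ord(ch) if ch in "\\*()\x00" else ch for ch in value
    )


def sasl_map(identity, regex, base_template=BASE_TEMPLATE,
             filter_template=FILTER_TEMPLATE, escape=True):
    """Return (base_dn, search_filter) for a SASL identity, or None if no match."""
    match = re.search(regex, identity)  # unanchored search, like regexec()
    if match is None:
        return None
    groups = [escape_filter_value(g) if escape else g for g in match.groups()]

    def substitute(template):
        # Replace \1, \2, ... with the captured groups.
        return re.sub(r"\\(\d)", lambda m: groups[int(m.group(1)) - 1], template)

    return substitute(base_template), substitute(filter_template)


if __name__ == "__main__":
    # Constructed sample identities: the intended one, and two that the
    # posted regex also accepts because it is unanchored and '.' is a wildcard.
    for ident in ("jdoe@WIN.CORPFBK", "jdoe@WINxCORPFBK", "jdoe@WIN.CORPFBK.EXAMPLE"):
        print(ident, "->", sasl_map(ident, POSTED_REGEX), "| anchored:",
              sasl_map(ident, ANCHORED_REGEX))
```

Running it shows that only the first identity survives the anchored rule, and that a user part containing filter metacharacters is neutralised by the escaping before it reaches the krbPrincipalName filter.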