[Freeipa-devel] [PATCH] [WIP] Cross-realm trusts with AD
Alexander Bokovoy
abokovoy at redhat.com
Tue Mar 13 12:56:30 UTC 2012
On Tue, 13 Mar 2012, Dmitri Pal wrote:
> On 03/13/2012 07:26 AM, Alexander Bokovoy wrote:
> > Hi,
> >
> > at
> > http://fedorapeople.org/gitweb?p=abbra/public_git/freeipa.git;a=shortlog;h=refs/heads/adwork
> > one can find current state of AD trusts work.
> >
> > This tree introduces the 'ipa trust-*' family of commands and the
> > freeipa-server-trust-ad package to pull in additional dependencies
> > after install in order to make 'ipa trust-add-ad' work.
> >
> > You'll need samba4-4.0.0-102alpha18 from ipa-devel repository to get
> > trusts working. There are dragons, however, so beware of possible
> > issues:
> >
> > 1. Make sure you have properly set up a domain forwarder to your Active
> > Directory DNS server so that SRV record resolution works from the IPA
> > server side.
> >
> > One can do it with a simple configuration in BIND, for example:
> > zone "ad.local" {
> > type forward;
> > forward only;
> > forwarders { 192.168.111.207; };
> > check-names ignore;
> > };
> >
> > You'd need to do the same on Windows side as well.
> >
> > 2. samba4 4.0.0-102alpha18 has one minor bug in systemd service
> > (https://fedorahosted.org/freeipa/ticket/2523), you'd need to add
> >
> > ExecStartPre=/bin/mkdir -p /run/samba
> >
> > before ExecStart= stanza to get it working with tmpfs-based /run in
> > Fedora 17.
> >
> > 3. Once everything is ready, one needs to run ipa-adtrust-install to
> > set up our domain and Samba configuration.
> >
> > ipa-adtrust-install
> >
> > Answer its questions (defaults are fine) and after it has finished,
> > there should be smbd processes running.
> >
> > 4. kinit again to re-generate your ticket with MS PAC included.
> >
> > 5. There is an issue in MIT Kerberos related to s4u2proxy handling of MS
> > PAC data when comparing the principals. This issue essentially forbids
> > using s4u2proxy functionality with IPA as soon as the Kerberos ticket
> > contains an MS PAC. To get around it, one needs to always specify the
> > --delegate option to the 'ipa' command.
> >
>
> What is our plan to address this issue?
> The workaround does not seem to be good enough for a release.
Simo works on https://fedorahosted.org/freeipa/ticket/2504 for this
sprint.
--
/ Alexander Bokovoy
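A pre-flight check for steps 1 and 2 of the quoted procedure, added here as an example and not code from the FreeIPA tree or the original mail. It assumes dig(1) is installed on the IPA server; the record names are the standard SRV records every Active Directory DC publishes, and the /run/samba check mirrors the ticket 2523 symptom.

```shell
#!/bin/sh
# Added example (not FreeIPA code): verify that the AD DNS forwarder and the
# samba runtime directory are in place before running ipa-adtrust-install.
# Assumes dig(1) is available.

# Print the SRV records an AD domain must expose for DC discovery.
ad_srv_names() {
    dom="$1"
    printf '%s\n' \
        "_ldap._tcp.dc._msdcs.$dom" \
        "_kerberos._tcp.$dom" \
        "_kerberos._udp.$dom" \
        "_ldap._tcp.$dom" \
        "_kpasswd._tcp.$dom"
}

# Resolve each SRV name through the local resolver, i.e. through the BIND
# forward zone; return 1 if any name yields no SRV answer.
check_ad_dns() {
    dom="$1"; rc=0
    for name in $(ad_srv_names "$dom"); do
        if dig +short SRV "$name" | grep -q .; then
            echo "ok      $name"
        else
            echo "MISSING $name (forwarder for $dom not working?)"
            rc=1
        fi
    done
    return $rc
}

# Ticket 2523 symptom: samba fails to start when /run/samba is absent on a
# tmpfs-based /run.
check_run_samba() {
    if [ -d /run/samba ]; then
        echo "ok      /run/samba exists"
        return 0
    fi
    echo "MISSING /run/samba (add ExecStartPre=/bin/mkdir -p /run/samba)"
    return 1
}

# Usage: sh adtrust-preflight.sh ad.local
if [ $# -ge 1 ]; then
    check_ad_dns "$1"
    check_run_samba
fi
```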