[Freeipa-devel] [PATCH] [WIP] Cross-realm trusts with AD

Alexander Bokovoy abokovoy at redhat.com
Tue Mar 13 12:56:30 UTC 2012


On Tue, 13 Mar 2012, Dmitri Pal wrote:
> On 03/13/2012 07:26 AM, Alexander Bokovoy wrote:
> > Hi,
> >
> > at 
> > http://fedorapeople.org/gitweb?p=abbra/public_git/freeipa.git;a=shortlog;h=refs/heads/adwork 
> > one can find current state of AD trusts work.
> >
> > This tree introduces the 'ipa trust-*' family of commands and the 
> > freeipa-server-trust-ad package to pull in additional dependencies 
> > after install in order to make 'ipa trust-add-ad' work.
> >
> > You'll need samba4-4.0.0-102alpha18 from ipa-devel repository to get 
> > trusts working. There are dragons, however, so beware of possible 
> > issues:
> >
> > 1. Make sure you have properly set up a domain forwarder to your Active 
> > Directory DNS server so that SRV record resolution works from the IPA 
> > server side.
> >
> > One can do it with a simple configuration in BIND, for example:
> > zone "ad.local" {
> > 	type forward;
> > 	forward only;
> > 	forwarders { 192.168.111.207; };
> > 	check-names ignore;
> > };
> >
> > You'd need to do the same on Windows side as well.
> >
> > 2. samba4 4.0.0-102alpha18 has one minor bug in systemd service 
> > (https://fedorahosted.org/freeipa/ticket/2523), you'd need to add
> >
> > ExecStartPre=/bin/mkdir -p /run/samba
> >
> > before ExecStart= stanza to get it working with tmpfs-based /run in 
> > Fedora 17.
> >
> > 3. Once everything is ready, one needs to run ipa-adtrust-install to 
> > set up our domain and Samba configuration.
> >
> >    ipa-adtrust-install
> >
> > Answer its questions (defaults are fine) and after it has finished, 
> > there should be smbd processes running.
> >
> > 4. kinit again to re-generate your ticket with MS PAC included.
> >
> > 5. There is an issue in MIT Kerberos related to s4u2proxy handling of MS 
> > PAC data when comparing the principals. This issue essentially forbids 
> > using s4u2proxy functionality with IPA as soon as the Kerberos ticket 
> > contains an MS PAC. To get around it, one needs to always specify the 
> > --delegate option to the 'ipa' command.
> >
> 
> What is our plan to address this issue?
> The workaround does not seem to be good enough for a release.
Simo works on https://fedorahosted.org/freeipa/ticket/2504 for this 
sprint.

-- 
/ Alexander Bokovoy
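A pre-flight script for the five steps listed in the quoted mail, added here as an example; it is not FreeIPA code and is not taken from the tree Alexander links. It checks that the AD locator SRV records resolve through the IPA-side forwarder (step 1), that the samba unit carries the /run/samba ExecStartPre fixup (step 2), that smbd is up after ipa-adtrust-install (step 3), that a valid ticket exists after the second kinit (step 4), and that the ipa client works when --delegate is passed (step 5). The AD domain ad.local comes from the mail; the samba unit path, the SRV owner names (the standard AD locator records) and the use of `ipa ping` as the probe command are assumptions.

```shell
#!/bin/sh
# Pre-flight checks for the AD trust setup steps in the mail above.
# Added example, not FreeIPA code. Assumptions: AD domain ad.local (from the
# mail), samba unit path below, and standard AD locator SRV record names.
AD_DOMAIN="${AD_DOMAIN:-ad.local}"
SAMBA_UNIT="${SAMBA_UNIT:-/usr/lib/systemd/system/samba.service}"

# Step 1 helper: read `dig +noall +answer SRV <name>` output on stdin and
# succeed only if an SRV answer for exactly that owner name is present.
# A timeout message, an empty answer or an A record for the zone apex
# all fail, which is what a broken forward zone looks like in practice.
srv_answer_present() {
    awk -v owner="$1." '
        $1 == owner && $4 == "SRV" { found = 1 }
        END { exit !found }'
}

check_srv_records() {
    rc=0
    for name in "_ldap._tcp.dc._msdcs.$AD_DOMAIN" "_kerberos._tcp.$AD_DOMAIN"; do
        if dig +noall +answer SRV "$name" | srv_answer_present "$name"; then
            echo "ok:   SRV $name resolves via the forwarder"
        else
            echo "FAIL: no SRV answer for $name (check the forward zone)"
            rc=1
        fi
    done
    return $rc
}

# Step 2 helper: read a systemd unit on stdin and succeed only if it has an
# ExecStartPre= line that creates /run/samba. systemd runs ExecStartPre
# before ExecStart regardless of textual order, so only presence is checked.
unit_has_run_dir_fixup() {
    awk '
        /^ExecStartPre=.*mkdir .*\/run\/samba[ \t]*$/ { found = 1 }
        END { exit !found }'
}

check_samba_unit() {
    if [ -r "$SAMBA_UNIT" ] && unit_has_run_dir_fixup < "$SAMBA_UNIT"; then
        echo "ok:   $SAMBA_UNIT creates /run/samba before starting"
    else
        echo "FAIL: add 'ExecStartPre=/bin/mkdir -p /run/samba' to $SAMBA_UNIT"
        return 1
    fi
}

# Step 3: ipa-adtrust-install should have left smbd running.
check_smbd() {
    if pgrep -x smbd >/dev/null; then
        echo "ok:   smbd is running"
    else
        echo "FAIL: no smbd process; run ipa-adtrust-install"
        return 1
    fi
}

# Step 4: a fresh kinit is needed so the ticket carries the MS PAC;
# klist -s only tells us a non-expired ticket exists, not whether it has a PAC.
check_ticket() {
    if klist -s; then
        echo "ok:   valid Kerberos ticket in the cache (kinit again after adtrust-install)"
    else
        echo "FAIL: no valid ticket; run kinit"
        return 1
    fi
}

# Step 5: with a PAC in the ticket, s4u2proxy fails unless --delegate is given.
check_ipa_delegate() {
    if ipa --delegate ping >/dev/null 2>&1; then
        echo "ok:   'ipa --delegate ping' succeeded"
    else
        echo "FAIL: 'ipa --delegate ping' failed"
        return 1
    fi
}

preflight() {
    rc=0
    check_srv_records  || rc=1
    check_samba_unit   || rc=1
    check_smbd         || rc=1
    check_ticket       || rc=1
    check_ipa_delegate || rc=1
    return $rc
}

# Live checks only run when invoked as `sh adtrust-preflight.sh --run`,
# so the pure helpers can be sourced and exercised offline.
if [ "${1:-}" = "--run" ]; then
    preflight
fi
```

Run it on the IPA server as `sh adtrust-preflight.sh --run` after the BIND forward zone is in place; the two awk helpers take their input on stdin, so they can be fed captured dig output or a copied unit file without touching the live system.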
