[Freeipa-users] Cross realm authentication

Dan Scott danieljamesscott at gmail.com
Fri Dec 18 17:31:44 UTC 2009


Hi,

Is there any documentation for adding cross realm authentication with FreeIPA?

I have two FreeIPA realms:

A.EXAMPLE.COM
C.B.EXAMPLE.COM

Following the Fedora krb5-server documentation:

http://docs.fedoraproject.org/security-guide/f11/en-US/sect-Security_Guide-Kerberos-Setting_Up_Cross_Realm_Authentication.html

I have added these principals to both FreeIPA servers:

krbtgt/C.B.EXAMPLE.COM@A.EXAMPLE.COM

(I see the warning in the FreeIPA documentation about avoiding the use
of kadmin and kadmin.local - I can remove these principals if
necessary).

There are master and replicated FreeIPA servers in both realms and
they have the required ports open at the firewalls (both directions):

http://freeipa.org/docs/1.2/Installation_Deployment_Guide/en-US/html/sect-Installation_and_Deployment_Guide-Preparing_for_an_IPA_Installation-Required_Ports.html

So clients in A.EXAMPLE.COM should be able to authenticate to
C.B.EXAMPLE.COM, but not the other way around (this is how I would
like it set up).

However, this does not appear to work. I assume that I need to add
some entries to the LDAP server as well? Does anyone know if this is
true and if so, how I should go about it?

Thanks,

Dan Scott
http://danieljamesscott.org
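As an added example that is not part of the post, a small Python helper that works out which krbtgt principals the two realms named above involve: with no [capaths] entry in krb5.conf, MIT Kerberos walks the DNS-style realm hierarchy, so a client in A.EXAMPLE.COM would try to reach C.B.EXAMPLE.COM via EXAMPLE.COM and B.EXAMPLE.COM, while a direct one-way trust needs only the shared krbtgt plus a [capaths] stanza declaring the direct path. The realm names are the post's; the emitted stanza is a standard krb5.conf fragment, not FreeIPA-specific configuration.

```python
"""Cross-realm trust path helper (added example, not from the original post).

Given a client realm and a service realm it derives:
  * the hierarchical path MIT Kerberos walks when krb5.conf has no [capaths]
    entry, and the krbtgt principal requested at each hop;
  * the single krbtgt principal a direct one-way trust needs instead, plus
    the [capaths] stanza that tells clients in the client realm to use it.
Realm names are taken from the post; nothing is looked up on the network.
"""


def realm_chain(realm):
    """All realms from `realm` upward, e.g. C.B.EXAMPLE.COM ->
    ['C.B.EXAMPLE.COM', 'B.EXAMPLE.COM', 'EXAMPLE.COM', 'COM']."""
    parts = realm.upper().split(".")
    return [".".join(parts[i:]) for i in range(len(parts))]


def hierarchical_path(client_realm, service_realm):
    """Realms a ticket request walks by default (client first, service last):
    up from the client realm to the nearest shared ancestor, then down."""
    up, down = realm_chain(client_realm), realm_chain(service_realm)
    common = next((r for r in up if r in down), None)
    if common is None:
        raise ValueError("no shared realm suffix; a [capaths] entry is required")
    ascent = up[: up.index(common) + 1]
    descent = list(reversed(down[: down.index(common)]))
    return ascent + descent


def hop_principals(path):
    """krbtgt principal requested at each hop: krbtgt/NEXT@CURRENT.
    Every one of these must exist (with a shared key) for the hop to work."""
    return [f"krbtgt/{nxt}@{cur}" for cur, nxt in zip(path, path[1:])]


def direct_trust(client_realm, service_realm):
    """One-way direct trust: the krbtgt entry to create with an identical key
    in both KDCs, and the [capaths] stanza ('.' means no intermediate realm)."""
    principal = f"krbtgt/{service_realm}@{client_realm}"
    capaths = f"[capaths]\n    {client_realm} = {{\n        {service_realm} = .\n    }}\n"
    return principal, capaths


if __name__ == "__main__":
    path = hierarchical_path("A.EXAMPLE.COM", "C.B.EXAMPLE.COM")
    print("default path:", " -> ".join(path))
    print("hops needed without [capaths]:", *hop_principals(path), sep="\n  ")
    principal, stanza = direct_trust("A.EXAMPLE.COM", "C.B.EXAMPLE.COM")
    print("direct trust principal:", principal, "\n" + stanza)
```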