[Freeipa-users] Trust between IPA and another MIT Kerberos Realm
Matt Bryant
matthew.bryant at melbourneit.com.au
Wed Nov 27 05:24:49 UTC 2013
Hmm just upgraded to 3 so thought I would give it a go ... but (ain't
there always one of those :() can't seem to add the principal ..
kadmin.local: add_principal krbtgt/OLD-REALM@IPA-REALM
WARNING: no policy specified for krbtgt/OLD-REALM@IPA-REALM; defaulting to no policy
Enter password for principal "krbtgt/OLD-REALM@IPA-REALM":
Re-enter password for principal "krbtgt/OLD-REALM@IPA-REALM":
add_principal: Invalid argument while creating "krbtgt/OLD-REALM@IPA-REALM".
and nothing was placed in the kadmin log .. :(
rgds
Matt B.
On 11/27/2013 01:57 PM, Rob Crittenden wrote:
> Matt Bryant wrote:
>> All,
>>
>> Is there any documentation anywhere that describes whether this can be
>> done and how to do it ?? Would like to set up a one way trust between a
>> new IPA realm and a legacy kerberos realm. The doco explicitly says don't
>> use kadmin/kadmin.local so not sure how to get the
>> krbtgt/OLD_REALM@IPA-REALM principal into IPA that would facilitate such
>> a trust.
>
> We haven't implemented (or tested) this yet. It is just MIT Kerberos
> under-the-hood so in theory creating the right principals should do
> the trick.
>
> If you have IPA 3.0+ then you can use kadmin to create the principals
> you need. IIRC the RHEL Kerberos documentation is fairly good in this
> regard.
>
> rob