[Freeipa-users] Trust between IPA and another MIT Kerberos Realm

Matt Bryant matthew.bryant at melbourneit.com.au
Wed Nov 27 23:48:19 UTC 2013


Simo,

Thanks for that .. using that switch the principal is now created, on to 
see if it works as expected ..

rgds

Matt B.

On 11/28/2013 09:10 AM, Simo Sorce wrote:
> On Thu, 2013-11-28 at 08:29 +1000, Matt Bryant wrote:
>> Simo,
>>
>> Have added the following into bugzilla ..
>>
>> Bug 1035494 has been added to the database
>>
>> seems strange but whilst listprincs/getprinc works getpols and the
>> addprinc (at least in this use case) doesn't...
> addprinc not working for normal user principals is expected, we block it
> to prevent the creation of incomplete user accounts.
>
> I think getpols is also expected to fail as we use IPA specific
> policies.
>
> However it should allow you to create krbtgt/OLD-REALM@IPA-REALM to set
> up trusts until we provide an explicit command for it. This is why I
> wanted you to open a bug on that.
>
>> ie
>> kadmin.local:  add_principal -pw XXXXXXX krbtgt/OLD-REALM@IPA-REALM
>> WARNING: no policy specified for krbtgt/OLD-REALM@IPA-REALM;
>> defaulting to no policy
>> add_principal: Invalid argument while creating
>> "krbtgt/OLD-REALM@IPA-REALM".
> Now that I think of it, there is an undocumented switch that will allow
> you to create an arbitrary principal. This switch should NEVER be used
> to create user principals or normal host principals, however it should
> allow you to workaround the issue until we can fix the kadmin interface.
>
> Use kadmin.local -x ipa-setup-override-restrictions
>
> But please use it exclusively to create the krbtgt/REALM1@REALM2
> principals and nothing else.
>
> Simo.
>
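The workaround Simo describes, written up as an added example (not from the thread or the FreeIPA project): it feeds the kadmin commands to `kadmin.local -x ipa-setup-override-restrictions` on stdin so the shared trust key never appears in the shell's argv or history, and uses the override switch only for the two krbtgt principals. The `KADMIN` variable and the function names are my own; it assumes a standard MIT `kadmin.local` that reads commands from stdin.

```shell
#!/bin/sh
# Added example: create the cross-realm krbtgt principals in the IPA KDC
# using the undocumented override switch from the thread. Only the two
# krbtgt principals are created through it, nothing else.
set -eu

# Assumed: override KADMIN to point at a different binary or a dry-run stub.
KADMIN=${KADMIN:-kadmin.local}

# Emit the kadmin commands for a trust between IPA_REALM and OTHER_REALM.
# Both directions of the trust need a krbtgt entry, and the key must be
# identical on both KDCs. The key is only ever written to kadmin's stdin.
trust_commands() {
  ipa_realm=$1; other_realm=$2; key=$3
  [ -n "$key" ] || { echo "trust key must not be empty" >&2; return 1; }
  printf 'add_principal -pw %s krbtgt/%s@%s\n' "$key" "$other_realm" "$ipa_realm"
  printf 'add_principal -pw %s krbtgt/%s@%s\n' "$key" "$ipa_realm" "$other_realm"
  # Read the entries back so a silent failure is visible in the output.
  printf 'get_principal krbtgt/%s@%s\n' "$other_realm" "$ipa_realm"
  printf 'get_principal krbtgt/%s@%s\n' "$ipa_realm" "$other_realm"
}

# Run the commands through kadmin.local with the IPA restriction override.
# Usage: create_trust_principals IPA.EXAMPLE OLD.EXAMPLE "$TRUST_KEY"
create_trust_principals() {
  trust_commands "$1" "$2" "$3" | "$KADMIN" -x ipa-setup-override-restrictions
}
```

The same two `add_principal` commands, with the same key, must also be run on the other realm's KDC (with its plain `kadmin.local`, no override switch) for the trust to work in either direction.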
