[Freeipa-users] freeipa-freeipa trust relationship

Nicolas Zin nicolas.zin at savoirfairelinux.com
Mon Dec 1 21:54:36 UTC 2014



> ----- Original Message -----
> From: "Alexander Bokovoy" <abokovoy at redhat.com>
> To: "Nicolas Zin" <nicolas.zin at savoirfairelinux.com>
> Cc: freeipa-users at redhat.com
> Sent: Monday 1 December 2014 19:28:20
> Subject: Re: [Freeipa-users] freeipa-freeipa trust relationship
> 
> On Mon, 01 Dec 2014, Nicolas Zin wrote:
> >Hi,
> >
> >I know that it is possible to connect a FreeIPA/idm to an Active
> >Directory forest.
> >
> >But is there a way to have a relationship between 2 freeipa domains,
> >and if yes, is there any documentation.
> Not implemented yet.


So even "manually" it is not possible, like following https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/6/html/Managing_Smart_Cards/Setting_Up_Cross_Realm_Authentication.html ?

So far, I tried to:
kadmin.local -x ipa-setup-override-restrictions -r A.EXAMPLE.COM
 add_principal krbtgt/B.EXAMPLE.COM@A.EXAMPLE.COM

kadmin.local -x ipa-setup-override-restrictions -r B.EXAMPLE.COM
 add_principal krbtgt/A.EXAMPLE.COM@B.EXAMPLE.COM

edit /etc/krb5.conf to add elements in the sections [realms], [domain_realm] and [capaths]

and add a file into /var/lib/sss/pubconf/kdcinfo.B.EXAMPLE.COM (and /var/lib/sss/pubconf/kdcinfo.A.EXAMPLE.COM). Yes, this is ugly.

I managed to kinit user1@B.EXAMPLE.COM from A.EXAMPLE.COM and, with this credential, to ssh to the other host.

But I don't manage to do it transparently (i.e. ssh B.EXAMPLE.COM -l userA@A.EXAMPLE.COM with the correct password, or better: without a password).

I guess this is not implemented in sssd and this is the problem I face?



Regards,


Nicolas
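The /etc/krb5.conf pieces the post above refers to ([realms], [domain_realm] and [capaths]), written out as an added illustration; this is not part of the original message or of FreeIPA's own configuration. The KDC hostnames ipa-a.a.example.com and ipa-b.b.example.com are assumptions, and the fragment assumes that each cross-realm krbtgt principal created with kadmin carries the same key in both KDC databases, which MIT Kerberos requires so that the other side can decrypt the cross-realm TGT.

```ini
# Added example for a direct trust between two FreeIPA realms.
# Hostnames are assumed; every line below must appear in the
# krb5.conf of both realms' clients, not just one side.

[realms]
 A.EXAMPLE.COM = {
  kdc = ipa-a.a.example.com:88          ; assumed KDC of realm A
  admin_server = ipa-a.a.example.com:749
 }
 B.EXAMPLE.COM = {
  kdc = ipa-b.b.example.com:88          ; assumed KDC of realm B
  admin_server = ipa-b.b.example.com:749
 }

[domain_realm]
 ; map DNS domains to realms so a host name resolves to the right KDC
 .a.example.com = A.EXAMPLE.COM
 a.example.com = A.EXAMPLE.COM
 .b.example.com = B.EXAMPLE.COM
 b.example.com = B.EXAMPLE.COM

[capaths]
 ; "." means a direct path: no intermediate realm between the two.
 ; Client realm on the outside, target realm on the inside.
 A.EXAMPLE.COM = {
  B.EXAMPLE.COM = .
 }
 B.EXAMPLE.COM = {
  A.EXAMPLE.COM = .
 }
```

Each [capaths] entry describes one direction; the A.EXAMPLE.COM block only lets A.EXAMPLE.COM principals reach B.EXAMPLE.COM services, and that direction also needs krbtgt/B.EXAMPLE.COM@A.EXAMPLE.COM to be present with an identical key in both KDCs. The kdcinfo.REALM files under /var/lib/sss/pubconf that the post mentions are what SSSD's Kerberos locator plugin reads to find a realm's KDC, so they need to list the assumed KDC address for the other realm as well.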



