[Freeipa-users] freeipa-freeipa trust relationship

Alexander Bokovoy abokovoy at redhat.com
Mon Dec 1 22:08:15 UTC 2014


On Mon, 01 Dec 2014, Nicolas Zin wrote:
>
>
>> ----- Original message -----
>> From: "Alexander Bokovoy" <abokovoy at redhat.com>
>> To: "Nicolas Zin" <nicolas.zin at savoirfairelinux.com>
>> Cc: freeipa-users at redhat.com
>> Sent: Monday 1 December 2014 19:28:20
>> Subject: Re: [Freeipa-users] freeipa-freeipa trust relationship
>>
>> On Mon, 01 Dec 2014, Nicolas Zin wrote:
>> >Hi,
>> >
>> >I know that it is possible to connect a FreeIPA/idm to an Active
>> >Directory forest.
>> >
>> >But is there a way to have a relationship between 2 freeipa domains,
>> >and if yes, is there any documentation.
>> Not implemented yet.
>
>
>So even "manually" it is not possible? Like following
>https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/6/html/Managing_Smart_Cards/Setting_Up_Cross_Realm_Authentication.html
>?
That one is only covering a 'generic' Kerberos realm trust, not
specifically applied to FreeIPA.

>
>So far, I tried to:
>kadmin.local -x ipa-setup-override-restrictions -r A.EXAMPLE.COM
> add_principal krbtgt/B.EXAMPLE.COM@A.EXAMPLE.COM
>
>kadmin.local -x ipa-setup-override-restrictions -r B.EXAMPLE.COM
> add_principal krbtgt/A.EXAMPLE.COM@B.EXAMPLE.COM
>
>edit /etc/krb5.conf to add element in sections [realms], [domain_realm]
>and [capaths]
>
>and add a file into /var/lib/sss/pubconf/kdcinfo.B.EXAMPLE.COM (and
>/var/lib/sss/pubconf/kdcinfo.A.EXAMPLE.COM). Yes this is ugly.
>
>I manage to kinit user1@B.EXAMPLE.COM from A.EXAMPLE.COM and with this
>credential to ssh to the other host.
>
>But I don't manage to do it transparently (i.e. ssh B.EXAMPLE.COM -l
>userA@A.EXAMPLE.COM with the right password, or better: without password).
>
>I guess this is not implemented in sssd and this is the problem I face?
Yes, SSSD doesn't know that A.EXAMPLE.COM is a 'subdomain' of
B.EXAMPLE.COM (this is how we manage all trusts), thus doesn't know how
to resolve users/groups from that realm and how to assign them POSIX
attributes locally.

Our approach is to get FreeIPA/AD trust case finished first and then
reuse as much as possible for FreeIPA/FreeIPA trust case. We anyway
would have to implement most of the same functionality -- ID range
handling, POSIX attributes management, caching of group membership
(MS-PAC or UNIX-PAD extensions in Kerberos tickets), discovery of forest
topology and so on.



-- 
/ Alexander Bokovoy
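For readers reconstructing the manual setup described in the quoted message, this is an added example (not from either participant) of the /etc/krb5.conf sections it refers to: [realms], [domain_realm] and [capaths] for a direct two-way trust between A.EXAMPLE.COM and B.EXAMPLE.COM. The KDC hostnames are assumptions; the realm names are the ones used in the thread.

```ini
# Added example, not part of the original thread. Hostnames are assumed.
# For cross-realm tickets to verify, each krbtgt/X@Y principal must exist in
# BOTH KDCs with an identical key, which the kadmin.local commands quoted
# above only create on one side each; create them with the same password.

[realms]
  A.EXAMPLE.COM = {
    kdc = ipa-a.a.example.com:88          # assumed KDC for realm A
    admin_server = ipa-a.a.example.com:749
    default_domain = a.example.com
  }
  B.EXAMPLE.COM = {
    kdc = ipa-b.b.example.com:88          # assumed KDC for realm B
    admin_server = ipa-b.b.example.com:749
    default_domain = b.example.com
  }

# Map host DNS names to the realm that issues their service tickets.
[domain_realm]
  .a.example.com = A.EXAMPLE.COM
  a.example.com  = A.EXAMPLE.COM
  .b.example.com = B.EXAMPLE.COM
  b.example.com  = B.EXAMPLE.COM

# "." means a direct trust with no intermediate realm in the transit path.
# Listing both directions makes the trust bidirectional at the client side;
# the KDCs still need the matching krbtgt principals noted above.
[capaths]
  A.EXAMPLE.COM = {
    B.EXAMPLE.COM = .
  }
  B.EXAMPLE.COM = {
    A.EXAMPLE.COM = .
  }
```

As the reply explains, this only gets Kerberos authentication across realms working (kinit, then ssh with the ticket); identity lookup and POSIX attribute assignment for the foreign realm's users are what SSSD lacks here, so the transparent login the poster wanted still fails.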