[Freeipa-users] Cross-Realm authentication

Alexander Bokovoy abokovoy at redhat.com
Thu Dec 4 11:22:01 UTC 2014


On Thu, 04 Dec 2014, Petr Spacek wrote:
>> And /var/log/krb5kdc.log on master.f21.test (KDC for F21.TEST) I can
>> see:
>> Dec 04 12:41:52 master.f21.test krb5kdc[1131](info): bad realm transit path
>> from 'admin at IPA5.TEST' to 'host/master.f21.test at F21.TEST' via ''
>> Dec 04 12:41:52 master.f21.test krb5kdc[1131](info): TGS_REQ (6 etypes {18 17
>> 16 23 25 26}) 192.168.5.109: BAD_TRANSIT: authtime 1417689777, admin at IPA5.TEST
>> for host/master.f21.test at F21.TEST, KDC policy rejects request
>> Dec 04 12:41:52 master.f21.test krb5kdc[1131](info): bad realm transit path
>> from 'admin at IPA5.TEST' to 'host/master.f21.test at F21.TEST' via ''
>> Dec 04 12:41:52 master.f21.test krb5kdc[1131](info): TGS_REQ (6 etypes {18 17
>> 16 23 25 26}) 192.168.5.109: BAD_TRANSIT: authtime 1417689777, admin at IPA5.TEST
>> for host/master.f21.test at F21.TEST, KDC policy rejects request
>>
>> And this is correct for FreeIPA 3.3 or later because we limit trust to
>> those domains we defined in cn=ad,cn=trusts,$SUFFIX with filter
>> (objectclass=ipaNTTrustedDomain). For the rest we return
>> KRB5KRB_AP_ERR_ILL_CR_TKT error code which is visible as 'KDC policy
>> rejects request'.
>>
>>
>> We may reconsider this check and instead of KRB5KRB_AP_ERR_ILL_CR_TKT
>> return KRB5_PLUGIN_NO_HANDLE to allow fallback to krb5.conf-defined
>> capaths but I remember we had some issues with krb5 versions prior to
>> 1.12 where capaths from krb5.conf were blocking work of the DAL driver.
>
>Alexander, could you open a ticket to prevent us from forgetting about it?
I'm not sure yet this is valid. For FreeIPA-FreeIPA trust we'll have a
separate solution and it will be along the lines of existing 'ipa trust-add'
workflow where existing DAL driver code will work as it is.

-- 
/ Alexander Bokovoy
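Added example, not from the thread: a small parser for the krb5kdc.log lines quoted above, so an operator can spot which cross-realm paths the FreeIPA KDC is rejecting with BAD_TRANSIT and from where. The log sample is constructed to match the shape of the excerpt (with '@' where the list archive prints "at"); the regexes assume the MIT krb5kdc message formats shown in the thread.

```python
import re
from collections import Counter

# Constructed sample in the shape of the thread's excerpt, plus one normal ISSUE line.
SAMPLE_LOG = """\
Dec 04 12:41:52 master.f21.test krb5kdc[1131](info): bad realm transit path from 'admin@IPA5.TEST' to 'host/master.f21.test@F21.TEST' via ''
Dec 04 12:41:52 master.f21.test krb5kdc[1131](info): TGS_REQ (6 etypes {18 17 16 23 25 26}) 192.168.5.109: BAD_TRANSIT: authtime 1417689777, admin@IPA5.TEST for host/master.f21.test@F21.TEST, KDC policy rejects request
Dec 04 12:42:10 master.f21.test krb5kdc[1131](info): TGS_REQ (6 etypes {18 17 16 23 25 26}) 192.168.5.20: ISSUE: authtime 1417689800, etypes {rep=18 tkt=18 ses=18}, admin@F21.TEST for host/master.f21.test@F21.TEST
"""

# "bad realm transit path" line: an empty 'via' means the client TGT came straight
# from the foreign realm; FreeIPA 3.3+ only accepts that if the realm is listed
# under cn=ad,cn=trusts,$SUFFIX (objectclass=ipaNTTrustedDomain).
TRANSIT_RE = re.compile(
    r"bad realm transit path from '(?P<client>[^']+)' to '(?P<server>[^']+)' via '(?P<via>[^']*)'"
)
# The TGS_REQ line that carries the client IP and the policy rejection.
BAD_TRANSIT_RE = re.compile(
    r"TGS_REQ .*? (?P<ip>\d+\.\d+\.\d+\.\d+): BAD_TRANSIT: authtime (?P<authtime>\d+), "
    r"(?P<client>\S+) for (?P<server>[^,]+), KDC policy rejects request"
)

def realm_of(principal):
    return principal.rsplit('@', 1)[1]

def parse_bad_transit(log_text):
    """Return one dict per rejected cross-realm TGS request, joined with its transit-path line."""
    events, pending_via = [], {}
    for line in log_text.splitlines():
        m = TRANSIT_RE.search(line)
        if m:
            pending_via[(m['client'], m['server'])] = m['via']
            continue
        m = BAD_TRANSIT_RE.search(line)
        if m:
            events.append({
                'client': m['client'], 'client_realm': realm_of(m['client']),
                'server': m['server'], 'server_realm': realm_of(m['server']),
                'via': pending_via.pop((m['client'], m['server']), None),
                'ip': m['ip'], 'authtime': int(m['authtime']),
            })
    return events

def summarize(events):
    """Count rejections per (client realm, server realm) pair for a quick trust-config review."""
    return Counter((e['client_realm'], e['server_realm']) for e in events)
```

A realm pair showing up here that is expected to work means the trust object for that realm is missing from cn=ad,cn=trusts,$SUFFIX, which is the check the thread describes.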