[Freeipa-users] Cross-Realm authentication

Petr Spacek pspacek at redhat.com
Thu Dec 4 16:46:02 UTC 2014


On 4.12.2014 17:27, Alexander Bokovoy wrote:
> On Thu, 04 Dec 2014, Petr Spacek wrote:
>> On 4.12.2014 16:58, Simo Sorce wrote:
>>> On Thu, 4 Dec 2014 13:22:01 +0200
>>> Alexander Bokovoy <abokovoy at redhat.com> wrote:
>>>
>>>> On Thu, 04 Dec 2014, Petr Spacek wrote:
>>>>>> And /var/log/krb5kdc.log on master.f21.test (KDC for F21.TEST) I
>>>>>> can see:
>>>>>> Dec 04 12:41:52 master.f21.test krb5kdc[1131](info): bad realm transit path from 'admin at IPA5.TEST' to 'host/master.f21.test at F21.TEST' via ''
>>>>>> Dec 04 12:41:52 master.f21.test krb5kdc[1131](info): TGS_REQ (6 etypes {18 17 16 23 25 26}) 192.168.5.109: BAD_TRANSIT: authtime 1417689777, admin at IPA5.TEST for host/master.f21.test at F21.TEST, KDC policy rejects request
>>>>>> Dec 04 12:41:52 master.f21.test krb5kdc[1131](info): bad realm transit path from 'admin at IPA5.TEST' to 'host/master.f21.test at F21.TEST' via ''
>>>>>> Dec 04 12:41:52 master.f21.test krb5kdc[1131](info): TGS_REQ (6 etypes {18 17 16 23 25 26}) 192.168.5.109: BAD_TRANSIT: authtime 1417689777, admin at IPA5.TEST for host/master.f21.test at F21.TEST, KDC policy rejects request
>>>>>>
>>>>>> And this is correct for FreeIPA 3.3 or later because we limit
>>>>>> trust to those domains we defined in cn=ad,cn=trusts,$SUFFIX with
>>>>>> filter (objectclass=ipaNTTrustedDomain). For the rest we return
>>>>>> KRB5KRB_AP_ERR_ILL_CR_TKT error code which is visible as 'KDC
>>>>>> policy rejects request'.
>>>>>>
>>>>>>
>>>>>> We may reconsider this check and instead of
>>>>>> KRB5KRB_AP_ERR_ILL_CR_TKT return KRB5_PLUGIN_NO_HANDLE to allow
>>>>>> fallback to krb5.conf-defined capaths but I remember we had some
>>>>>> issues with krb5 versions prior to 1.12 where capaths from
>>>>>> krb5.conf were blocking work of the DAL driver.
>>>>>
>>>>> Alexander, could you open a ticket to prevent us from forgetting
>>>>> about it?
>>>> I'm not sure yet this is valid. For FreeIPA-FreeIPA trust we'll have a
>>>> separate solution and it will be along the lines of existing 'ipa
>>>> trust-add' workflow where existing DAL driver code will work as it is.
>>>
>>> I think we should have a way to relax this requirement, so that people
>>> like Andreas can play with kerberos level trusts.
>>
>> I agree.
> Ok, then please file a ticket for this.
> The change in the DAL driver will be a single line.

It would be better if you described the details in the ticket, but here it is:
https://fedorahosted.org/freeipa/ticket/4791

Please add missing information.

Have a nice weekend!

-- 
Petr^2 Spacek
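As an added example (not code from this thread or from FreeIPA), a small Python parser that pulls the BAD_TRANSIT rejections out of krb5kdc.log lines like the ones quoted above and counts which client-realm to service-realm paths the KDC policy refused, which is the first thing to check when a cross-realm login fails with "KDC policy rejects request". The sample log is constructed from the thread's example and the regex is an assumption about the MIT krb5kdc log line layout.

```python
import re
from collections import Counter

# Constructed sample modelled on the krb5kdc.log lines quoted in the thread.
# The list archive rewrites '@' as ' at '; the real log keeps '@'. The third
# line is a constructed same-realm ISSUE entry, added for contrast.
SAMPLE_LOG = """\
Dec 04 12:41:52 master.f21.test krb5kdc[1131](info): bad realm transit path from 'admin@IPA5.TEST' to 'host/master.f21.test@F21.TEST' via ''
Dec 04 12:41:52 master.f21.test krb5kdc[1131](info): TGS_REQ (6 etypes {18 17 16 23 25 26}) 192.168.5.109: BAD_TRANSIT: authtime 1417689777, admin@IPA5.TEST for host/master.f21.test@F21.TEST, KDC policy rejects request
Dec 04 12:42:10 master.f21.test krb5kdc[1131](info): TGS_REQ (6 etypes {18 17 16 23 25 26}) 192.168.5.110: ISSUE: authtime 1417689800, etypes {rep=18 tkt=18 ses=18}, admin@F21.TEST for host/master.f21.test@F21.TEST
"""

# Assumed shape of an MIT krb5kdc TGS_REQ line (written against the quoted
# lines; the optional 'etypes {...}, ' group appears on ISSUE lines).
TGS_RE = re.compile(
    r"^(?P<ts>\w{3} \d{2} \d{2}:\d{2}:\d{2}) (?P<kdc>\S+) krb5kdc\[\d+\]\(info\): "
    r"TGS_REQ \(\d+ etypes \{[^}]*\}\) (?P<ip>[0-9.]+): (?P<status>[A-Z_]+): "
    r"authtime (?P<authtime>\d+), (?:etypes \{[^}]*\}, )?"
    r"(?P<client>[^\s,]+) for (?P<service>[^\s,]+)"
)


def realm_of(principal: str) -> str:
    """Realm is the part after the last '@' of a principal name."""
    return principal.rsplit("@", 1)[-1]


def parse_tgs_requests(log_text: str) -> list:
    """One dict per TGS_REQ line; the 'bad realm transit path' notices are skipped."""
    return [m.groupdict() for m in map(TGS_RE.match, log_text.splitlines()) if m]


def bad_transit_summary(log_text: str) -> Counter:
    """Count BAD_TRANSIT rejections per (client realm, service realm) pair.

    Each key is a cross-realm path the KDC refused; for FreeIPA 3.3+ that is
    the DAL driver's trusted-domain check described in the thread, so a pair
    showing up here means that realm is not among the configured trusts.
    """
    pairs = Counter()
    for ev in parse_tgs_requests(log_text):
        if ev["status"] == "BAD_TRANSIT":
            pairs[(realm_of(ev["client"]), realm_of(ev["service"]))] += 1
    return pairs


if __name__ == "__main__":
    for (src, dst), n in bad_transit_summary(SAMPLE_LOG).items():
        print(f"{n} cross-realm TGS request(s) from {src} to {dst} rejected by KDC policy")
```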