[Freeipa-users] Cross-Realm authentification

Andreas Ladanyi andreas.ladanyi at kit.edu
Fri Dec 5 14:21:01 UTC 2014


On 05.12.2014 at 14:04, Alexander Bokovoy wrote:
>
>>>>
>>> OK, I see one difference: I didn't use the "-requires_preauth" flag. Why
>>> did you use it?
>> Because this is recommended by MIT documentation. The link between
>> realms has to be protected well, including preauth and good passwords
>> for the cross-realm principals.
>>
>>
>>> Is it possible or a good idea to add my trust domain, which isn't an AD
>>> domain, manually to IPA 3.3?
>> Well, you can hack of course, that's up to you. I haven't checked that
>> myself and cannot give you a definitive answer on this path, though.
At this time I don't have an idea of the detailed steps for how to do that.
>>
>>>>
>>>>
>>>> We may reconsider this check and instead of KRB5KRB_AP_ERR_ILL_CR_TKT
>>>> return KRB5_PLUGIN_NO_HANDLE to allow fallback to krb5.conf-defined
>>>> capaths but I remember we had some issues with krb5 versions prior to
>>>> 1.12 where capaths from krb5.conf were blocking work of the DAL
>>>> driver.
>>> I use MIT Kerberos 1.6 from OpenCSW on Solaris and FreeIPA 3.3.5. So
>>> this shouldn't be a problem?!
Sorry, I made a little typing mistake. The foreign realm is MIT Kerberos
1.9.2 and not 1.6.
>> 1.6 does not support cross-realm communication as support for RFC6806
>> was added only in 1.7. So I don't think your setup would have any chance
>> to work at all.
> Hm.. on the other hand, 1.6 documentation talks about it:
> http://web.mit.edu/kerberos/krb5-1.6/krb5-1.6.3/doc/krb5-admin.html#Cross_002drealm-Authentication
>
> So maybe their changelogs aren't as complete as they should be. :)
>
> With the link above you can also see that disabling preauth on the
> cross-realm krbtgt records is recommended.
>
> But I think most of your issues were because of port 88 not being
> available and no other means to traverse the firewall were configured.
I will look particularly for that.

There is no firewall between the two KDCs.

> That
> is, aside from the fact that IPA will reject cross-realm tickets because
> of how we programmed DAL driver as I explained above.


I don't know in detail what DAL is doing.

OK, it sounds like with IPA my setup won't be very easy :-)
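As an added example (not code from this thread, from FreeIPA or from MIT Kerberos), here is a small Python checker for the krb5.conf capaths fallback that Alexander mentions above: it parses the [capaths] section and reports whether both directions of a cross-realm link are configured, and whether the path is direct. The realm names IPA.EXAMPLE and MIT.EXAMPLE and the configuration text are constructed for the demonstration; the parser only understands the brace-nested capaths syntax as far as this check needs.

```python
"""Check the [capaths] section of a krb5.conf for a cross-realm link.

Both KDCs consult their own capaths when validating a ticket's transited
path, so a link must be declared from each side. This is an added example;
realm names and the sample configuration are constructed.
"""
import re
from collections import defaultdict

# Constructed krb5.conf excerpt (hypothetical realms). The reverse path
# MIT.EXAMPLE -> IPA.EXAMPLE is deliberately left out to show the finding.
SAMPLE_KRB5_CONF = """
[libdefaults]
    default_realm = IPA.EXAMPLE
    dns_lookup_kdc = true

[capaths]
    IPA.EXAMPLE = {
        MIT.EXAMPLE = .
    }
    MIT.EXAMPLE = {
        OTHER.EXAMPLE = IPA.EXAMPLE
    }

[realms]
    IPA.EXAMPLE = {
        kdc = ipa.example:88
    }
"""

SECTION_RE = re.compile(r"^\[(\w+)\]$")
BLOCK_OPEN_RE = re.compile(r"^([^\s=]+)\s*=\s*\{$")
KEYVAL_RE = re.compile(r"^([^\s=]+)\s*=\s*(\S+)$")


def parse_capaths(text):
    """Return {client_realm: {server_realm: [hops]}} from the [capaths] section.

    A value of '.' means a direct path; otherwise each line names one
    intermediate realm, in the order the KDC expects in the transited field.
    """
    paths = defaultdict(lambda: defaultdict(list))
    section = None
    client = None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # strip trailing comments
        if not line:
            continue
        m = SECTION_RE.match(line)
        if m:
            section, client = m.group(1), None
            continue
        if section != "capaths":
            continue  # only the capaths section matters here
        m = BLOCK_OPEN_RE.match(line)
        if m:
            client = m.group(1)
            continue
        if line == "}":
            client = None
            continue
        m = KEYVAL_RE.match(line)
        if m and client is not None:
            server, hop = m.groups()
            paths[client][server].append(hop)
    return {c: dict(s) for c, s in paths.items()}


def check_link(paths, realm_a, realm_b):
    """List findings for the link between two realms, in both directions.

    A missing entry means that side's KDC has no declared path and will rely
    on the hierarchical default (or reject the request); an indirect path is
    reported so the operator can confirm the intermediate realm is intended.
    """
    findings = []
    for src, dst in ((realm_a, realm_b), (realm_b, realm_a)):
        hops = paths.get(src, {}).get(dst)
        if hops is None:
            findings.append(f"no capath from {src} to {dst}")
        elif hops != ["."]:
            findings.append(
                f"path from {src} to {dst} is indirect via {' -> '.join(hops)}"
            )
    return findings


if __name__ == "__main__":
    capaths = parse_capaths(SAMPLE_KRB5_CONF)
    for finding in check_link(capaths, "IPA.EXAMPLE", "MIT.EXAMPLE"):
        print(finding)
```

Run it against the real krb5.conf on each KDC (read the file instead of SAMPLE_KRB5_CONF) and compare the output from both sides; a link that is declared on only one KDC is the kind of mismatch that is easy to miss when the two realms are administered by different people.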
