[Freeipa-users] Cross-Realm authentification

Petr Spacek pspacek at redhat.com
Fri Dec 5 14:24:45 UTC 2014


On 5.12.2014 15:21, Andreas Ladanyi wrote:
> On 05.12.2014 at 14:04, Alexander Bokovoy wrote:
>>
>>>>>
>>>> Ok, I see one difference: I didn't use the "-requires_preauth" flag. Why
>>>> did you use it?
>>> Because this is recommended by MIT documentation. The link between
>>> realms has to be protected well, including preauth and good passwords
>>> for the cross-realm principals.
>>>
>>>
>>>> Is it possible or a good idea to add my trust domain, which isn't an AD
>>>> domain, manually to IPA 3.3?
>>> Well, you can hack of course, that's up to you. I haven't checked that
>>> myself and cannot give you a definitive answer on this path, though.
> At this time I haven't an idea of the steps in detail for how to do that.
>>>
>>>>>
>>>>>
>>>>> We may reconsider this check and instead of KRB5KRB_AP_ERR_ILL_CR_TKT
>>>>> return KRB5_PLUGIN_NO_HANDLE to allow fallback to krb5.conf-defined
>>>>> capaths but I remember we had some issues with krb5 versions prior to
>>>>> 1.12 where capaths from krb5.conf were blocking work of the DAL
>>>>> driver.
>>>> I use MIT Kerberos 1.6 from OpenCSW on Solaris and FreeIPA 3.3.5. So
>>>> this shouldn't be a problem?!
> Sorry, I made a little typing mistake. The foreign realm is MIT Kerberos
> 1.9.2 and not 1.6.
>>> 1.6 does not support cross-realm communication as support for RFC6806
>>> was added only in 1.7. So I don't think your setup would have any chance
>>> to work at all.
>> Hm.. on the other hand, 1.6 documentation talks about it:
>> http://web.mit.edu/kerberos/krb5-1.6/krb5-1.6.3/doc/krb5-admin.html#Cross_002drealm-Authentication
>>
>> So maybe their changelogs aren't as complete as they should be. :)
>>
>> From the link above you can also see that disabling preauth on the
>> cross-realm krbtgt records is recommended.
>>
>> But I think most of your issues were because of port 88 not being
>> available and no other means to traverse the firewall were configured.
> I will look into that in particular.
> 
> There is no firewall between the two KDCs.
> 
>> That
>> is, aside from the fact that IPA will reject cross-realm tickets because
>> of how we programmed DAL driver as I explained above.
> 
> 
> I don't know in detail what DAL is doing.
> 
> OK, it sounds like with IPA my setup won't be very easy :-)

I guess that Alexander or Simo could point you to the line in the source code
you have to change (or send you a one-line patch?) but you will have to
recompile the driver from source.

Do you want to try this way?

-- 
Petr^2 Spacek
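For reference, this is what the krb5.conf-defined capaths fallback mentioned in the thread looks like for a direct trust between two realms; it is an added illustration, not configuration from the thread or from FreeIPA, and the realm and host names are placeholders. As the thread notes, the IPA DAL driver of that version rejects cross-realm tickets regardless of this stanza, and port 88 on each KDC must be reachable from the other side.

```ini
# Added example (placeholder realms): krb5.conf on clients of both realms.
# IPA.EXAMPLE.TEST stands for the FreeIPA realm, MIT.EXAMPLE.TEST for the
# foreign MIT Kerberos realm. Each realm also needs the cross-realm
# principals krbtgt/MIT.EXAMPLE.TEST@IPA.EXAMPLE.TEST and
# krbtgt/IPA.EXAMPLE.TEST@MIT.EXAMPLE.TEST with identical keys in both KDCs.

[libdefaults]
    default_realm = IPA.EXAMPLE.TEST
    # Keep referrals/canonicalization on; RFC 6806 support is what made
    # cross-realm work in MIT 1.7+, as discussed above.
    canonicalize = true

[realms]
    IPA.EXAMPLE.TEST = {
        kdc = ipa.example.test:88
        admin_server = ipa.example.test
    }
    MIT.EXAMPLE.TEST = {
        kdc = kdc.mit.example.test:88
        admin_server = kdc.mit.example.test
    }

[domain_realm]
    .example.test = IPA.EXAMPLE.TEST
    .mit.example.test = MIT.EXAMPLE.TEST

[capaths]
    # "." means a direct path: no intermediate realm between the two.
    # Without this (or a matching hierarchical relationship) the client
    # cannot determine how to reach the foreign realm.
    IPA.EXAMPLE.TEST = {
        MIT.EXAMPLE.TEST = .
    }
    MIT.EXAMPLE.TEST = {
        IPA.EXAMPLE.TEST = .
    }
```

A quick sanity check from a client holding a TGT in IPA.EXAMPLE.TEST is `kvno krbtgt/MIT.EXAMPLE.TEST@IPA.EXAMPLE.TEST`; if that fails, the cross-realm principal keys or KDC reachability are the first things to look at.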
