[Freeipa-users] Cross domain trust

Alexander Bokovoy abokovoy at redhat.com
Thu Feb 6 18:36:04 UTC 2014


On Thu, 06 Feb 2014, Steve Dainard wrote:
>On Thu, Feb 6, 2014 at 12:42 PM, Alexander Bokovoy <abokovoy at redhat.com> wrote:
>
>> On Thu, 06 Feb 2014, Steve Dainard wrote:
>>
>>>>    In newer versions (FreeIPA 3.3+, SSSD 1.11+) this is done on IPA master
>>>>    automatically by setting       ipa_master_mode = True
>>>>
>>>>    On RHEL 6.x one needs to add the parameters manually.
>>>>
>>>> 2. /etc/krb5.conf has to contain auth_to_local rules that map AD
>>>>    principals to lower-cased versions because some applications (SSH)
>>>>    are very picky about user/principal name mapping. This has to be done
>>>>    on both IPA masters and IPA clients.
>>>>
>>>>
>>> This was done on the IPA server, but the RHEL 6.5 client doesn't have this
>>> file.
>>>
>>> On the IPA server:
>>>
>>> [realms]
>>> MIOLINUX.CORP = {
>>>  kdc = ipa1.miolinux.corp:88
>>>  master_kdc = ipa1.miolinux.corp:88
>>>  admin_server = ipa1.miolinux.corp:749
>>>  default_domain = miolinux.corp
>>>  pkinit_anchors = FILE:/etc/ipa/ca.crt
>>> auth_to_local = RULE:[1:$1@$0](^.*@MIOVISION$)s/@MIOVISION/@miovision/
>>> auth_to_local = DEFAULT
>>>
>>> [root at ipa1 ~]# kinit sdainard@miovision.corp
>>> Password for sdainard@miovision.corp:
>>> kinit: KDC reply did not match expectations while getting initial credentials
>>>
>> MIT Kerberos is case-sensitive for the realm, so it should always be
>>  kinit sdainard@MIOVISION.CORP
>>
>> make also sure that your rule above has proper realm. If your realm is
>> MIOVISION.CORP, then auth_to_local rule is
>>
>> auth_to_local = RULE:[1:$1@$0](^.*@MIOVISION.CORP$)s/@MIOVISION.CORP/@miovision.corp/
>>
>
>OK that makes sense. I wasn't sure if it was NETBIOS or not. Changed.
It is realm, always, since krb5.conf rules deal with principal names.


>> In MIT Kerberos 1.13 we'll have an interface that will allow SSSD to
>> automatically generate (and supply) these rules. Prior to that we have
>> to have explicit configuration on all clients and servers.
>
>
>Excellent, do you work with whomever is maintaining the Ubuntu PPA on this
>as well? One of our dev teams is exclusively on Ubuntu 12.04 and I've had
>some serious issues joining clients from the distro.
Talk to Timo Aaltonen (Canonical) who maintains FreeIPA bits in Ubuntu
(and Debian). I believe he is on the list.

In any case, MIT 1.13 will be due this year and for sure will not be
available on Ubuntu 12.04, so you'll need to make sure there is a
delivery process for configuration management at your site (Puppet, etc.)
that will distribute the proper krb5.conf and sssd.conf changes.

>Done, sending logs outside of list.
>
>There are some communications errors. I dropped the firewall on the IPA
>server to test the last couple runs at 'getent passwd sdainard@MIOVISION.CORP'.
Ok, waiting.

-- 
/ Alexander Bokovoy
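
The auth_to_local rules discussed in this thread can be checked offline before they are rolled out to every client. The following is an added example, not code from the thread or from MIT Kerberos: a small Python evaluator for the krb5.conf `RULE:[n:format](regexp)s/pattern/replacement/` syntax plus `DEFAULT`, evaluated the way libkrb5 does (first matching rule wins, whole-string regexp match, realm compared case-sensitively). The realm names and principals are the ones from the thread; the evaluation order and the DEFAULT semantics are assumptions about MIT behaviour, not taken from the page.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Constructed evaluator for krb5.conf auth_to_local entries:
#   RULE:[n:format](regexp)s/pattern/replacement/[g]...   and   DEFAULT
# Assumes MIT semantics: the formatted string must match the regexp as a
# whole, substitutions run in order, and rules are tried in listed order.


@dataclass
class Rule:
    ncomp: int                     # number of principal components required
    fmt: str                       # $0 = realm, $1..$n = name components
    match: Optional[re.Pattern]    # optional whole-string regexp on fmt output
    subs: list                     # (compiled pattern, literal replacement, global)


RULE_RE = re.compile(r"^RULE:\[(\d+):([^\]]*)\](?:\(([^)]*)\))?(.*)$")
SUB_RE = re.compile(r"s/([^/]*)/([^/]*)/(g?)")


def parse_rule(text: str) -> Rule:
    m = RULE_RE.match(text)
    if not m:
        raise ValueError(f"unsupported auth_to_local entry: {text}")
    ncomp, fmt, regex, rest = m.groups()
    subs = [(re.compile(p), r, g == "g") for p, r, g in SUB_RE.findall(rest)]
    return Rule(int(ncomp), fmt, re.compile(regex) if regex else None, subs)


def apply_rule(rule: Rule, principal: str) -> Optional[str]:
    """Return the local name produced by one RULE, or None if it does not apply."""
    name, realm = principal.rsplit("@", 1)
    comps = name.split("/")
    if len(comps) != rule.ncomp:
        return None

    def field(mo: re.Match) -> str:
        i = int(mo.group(1))
        return realm if i == 0 else (comps[i - 1] if i <= len(comps) else "")

    s = re.sub(r"\$(\d+)", field, rule.fmt)
    if rule.match and not rule.match.fullmatch(s):   # realm case matters here
        return None
    for pat, repl, every in rule.subs:
        s = pat.sub(lambda _m: repl, s, count=0 if every else 1)
    return s


def map_principal(rules, principal: str, default_realm: str) -> Optional[str]:
    """Evaluate a list of auth_to_local entries; first hit wins, None = no mapping."""
    for text in rules:
        if text == "DEFAULT":   # only single-component principals of the local realm
            name, realm = principal.rsplit("@", 1)
            if realm == default_realm and "/" not in name:
                return name
            continue
        local = apply_rule(parse_rule(text), principal)
        if local is not None:
            return local
    return None
```

Running the thread's corrected rule against `sdainard@MIOVISION.CORP` yields `sdainard@miovision.corp`, while the earlier rule written with the NetBIOS name (`^.*@MIOVISION$`) never matches a principal that carries the full realm, which is why the mapping silently failed.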
