[Freeipa-users] using AD token to get freeipa token

Stijn De Weirdt stijn.deweirdt at ugent.be
Fri Jul 11 14:24:23 UTC 2014


hi simon,

ok, that's pity. the problem we are trying to solve is teh following: we 
are going to setup a new krb5 realm with IPA and we would like to 
explore methods to have our users authenticate against this realm (well, 
the kinit otherusername at IPA part) using methods that existing/available 
for our users. i.e. we would really really like to avoid that our users 
have to create yet another password.

the users currently are in AD, so we tought we could use the AD tokens 
to authenticate, avoiding passwords.

maybe i should rephrase my original question a bit:
what authentication schemes does kinit support (is there anything 
besides using a password), and if passwords are unavoidable, is it 
possible to use something like OTP with kinit and IPA (the user somehow 
gets the OTP, and can use that for kinit with an IPA controlled realm)?
(maybe it is possible that the password verification step from IPA is 
handed over to AD somehow?).

anyway, hints are welcome

stijn

On 07/09/2014 11:23 PM, Simo Sorce wrote:
> On Wed, 2014-07-09 at 18:38 +0200, Stijn De Weirdt wrote:
>> hi all,
>>
>> we are investigating the possibility to use an existing and valid AD
>> token to obtain a token from a realm under FreeIPA (3.3.3 from el7),
>> without having to setup the full IPA AD cross realm trust. (in
>> particular, to avoid that AD has to trust the IPA setup; and with the
>> goal that we can minimise any required actions on the AD setup).
>>
>> what we would like to achieve is the following:
>> kinit user at AD
>> --- authenticate via AD password
>>
>> kinit otherusername at IPA
>> -- no password required, authentication based on valid AD token
>>
>> so one can then eg "ssh otherusername at machine.under.ipa.control"
>>
>> the user at AD to otherusername at IPA mapping is provided somewhere on the
>> IPA server and is static.
>>
>> as far as i understood, this is (very?) different from actual trust
>> relation where having the user at AD token is sufficient to do "ssh
>> otherusername at machine.under.ipa.control".
>>
>>
>> any hints are welcome!
>
> It's not possible*, sorry.
>
> Simo.
>
> * At the very theoretical level it would, but it would require extensive
> changes to the kerberos libraries on each client as well as changes to
> the KDC. Operationally unfeasible even if you had those code changes.
>




More information about the Freeipa-users mailing list