[Freeipa-users] FreeIPA ActiveDirectory Integration, Fedora and Windows 2008 R2 AD: "ipa: ERROR: an internal error has occurred"

Alexander Bokovoy abokovoy at redhat.com
Sat Sep 13 16:03:54 UTC 2014


On Sat, 13 Sep 2014, Traiano Welcome wrote:
>Hi
>
>I've managed to get trusts working with CentOS 7 as an IdM server, Win2K8R2
>AD DC and CentOS6.5 as a client, using the exact same series of steps as in
>the documentation. Attached is the process I used.
You got one step wrong:
============================================================================
8. Modify /etc/krb5.conf

[realms]
 ENGENEON.LOCAL = {
  kdc = idm003.engeneon.local:88
  master_kdc = idm003.engeneon.local:88
  admin_server = idm003.engeneon.local:749
  default_domain = engeneon.local
  pkinit_anchors = FILE:/etc/ipa/ca.crt
  auth_to_local = RULE:[1:$1@$0](^.*@AD_DOMAIN$)s/@AD_DOMAIN/@ad_domain/
  auth_to_local = DEFAULT
}
============================================================================

Here you have to substitute AD_DOMAIN and ad_domain with your actual
AD domain name. This change currently has to be done on every IPA
machine where you are expecting AD users to log in.

For each domain in the trusted AD forest, AD_DOMAIN should be its realm
and ad_domain should be the same in lower case, as SSSD normalizes user
names to lower case. The rule tells the Kerberos library how to transform a
Kerberos principal (thus the REALM has to be upper case, as required by
MIT Kerberos) into a POSIX user name (thus put the domain name in lower case,
as SSSD will normalize the user name). OpenSSH and some other software
actually check that the POSIX user name corresponds to the value the Kerberos
library will return to the OpenSSH daemon after running through the
auth_to_local rules.

I.e., in your case it would be

   auth_to_local = RULE:[1:$1@$0](^.*@MHATEST.LOCAL$)s/@MHATEST.LOCAL/@mhatest.local/

and if you have multiple subdomains, there should be multiple rules like
this, one for each domain whose users you want to be able to log in.
We are improving this in MIT Kerberos 1.12 and SSSD 1.12.1, where all
these rules will be replaced with a plugin that fetches the list of domains
from IPA servers and manages it automatically. However, it is currently
not available in any released distribution.

-- 
/ Alexander Bokovoy
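To make the transformation concrete, here is an added example (my own code, not from the thread, FreeIPA or MIT Kerberos) that implements the RULE and DEFAULT auth_to_local semantics in Python and runs the rule from the message against a few principals; the local realm ENGENEON.LOCAL, the sample principals and the simplified rule grammar (no ')' inside the regexp) are assumptions.

```python
import re

# Constructed inputs: the rule from the message, the DEFAULT rule, and the IPA
# realm from the quoted krb5.conf. A real krb5.conf may carry more rules.
LOCAL_REALM = "ENGENEON.LOCAL"
RULES = [
    "RULE:[1:$1@$0](^.*@MHATEST.LOCAL$)s/@MHATEST.LOCAL/@mhatest.local/",
    "DEFAULT",
]

# RULE:[n:selector](regexp)s/pattern/replacement/[g]; regexp and substitution
# are optional, and the regexp is assumed to contain no ')' (a simplification).
RULE_RE = re.compile(
    r"^RULE:\[(\d+):([^\]]*)\](?:\(([^)]*)\))?(?:s/(.*?)/(.*?)/(g?))?$"
)


def apply_rule(rule, principal, local_realm=LOCAL_REALM):
    """Return the POSIX name this rule yields for principal, or None if it does not apply."""
    name, sep, realm = principal.rpartition("@")
    if not sep:  # no explicit realm: treat the principal as local
        name, realm = realm, local_realm
    components = name.split("/")
    if rule == "DEFAULT":
        # DEFAULT maps only single-component principals of the local realm.
        return components[0] if realm == local_realm and len(components) == 1 else None
    m = RULE_RE.match(rule)
    if not m:
        raise ValueError(f"unparseable auth_to_local rule: {rule}")
    ncomp, selector, regexp, pattern, repl, gflag = m.groups()
    if len(components) != int(ncomp):
        return None  # the rule is for principals with exactly n components
    # Build the selection string: $0 is the realm, $1..$n are the components.
    selected = selector.replace("$0", realm)
    for i, comp in enumerate(components, start=1):
        selected = selected.replace(f"${i}", comp)
    # The regexp, if present, must match the whole selection string.
    if regexp is not None and not re.fullmatch(regexp, selected):
        return None
    if pattern is not None:
        selected = re.sub(pattern, repl, selected, count=0 if gflag else 1)
    return selected


def map_principal(principal, rules=RULES, local_realm=LOCAL_REALM):
    """First applicable rule wins; None means no rule matched and login is refused."""
    for rule in rules:
        result = apply_rule(rule, principal, local_realm)
        if result is not None:
            return result
    return None
```

Running map_principal on "tuser@MHATEST.LOCAL" yields "tuser@mhatest.local", the name SSSD will present, while a principal from a realm with no rule yields None, which is the failure the extra per-subdomain rules prevent.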