[Freeipa-users] Question on freeipa-server-trust-ad

Simo Sorce simo at redhat.com
Sat Apr 4 13:39:16 UTC 2015


On Sat, 2015-04-04 at 01:07 -0400, Coy Hile wrote:
> Hi all,
> 
> What purpose does this package serve?  The way I’ve done Kerberos
> between Active Directory and AD, the trust was always one way
> (outgoing): the MIT realm is authoritative and AD “shadow accounts”
> were mapped to ‘real’ principals via the alternateSecurityID
> attribute.  Looking at what freeipa-server-trust-ad installs, it
> appears the dependencies installed are around letting someone set up a
> bidirectional trust (or at least let the AD users be authoritative).
> If one wants to setup his trust in the way I described, all he really
> needs to do in MIT land is create 
> 
> krbtgt/AD.REALM@MIT.REALM
> 
> in the MIT Realm.  
> 
> Is there a ‘supported’ way to do something similar with FreeIPA?

Not yet. https://fedorahosted.org/freeipa/ticket/4917

>  Time to break out kadmin.local -x ipa-setup-override-restrictions?

You can do that, if you know what you are doing :)

>  Or would that not drop the principal in the right place in the LDAP
> tree?

Yeah, kadmin will create that entry under the cn=kerberos subtree, but
that is ok; the krbtgt principals are not users nor really services, so
keeping it in cn=kerberos for now is fine.

However do not use kadmin.local to create actual user principals please.

Simo.

-- 
Simo Sorce * Red Hat, Inc * New York
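The procedure the thread sketches (create krbtgt/AD.REALM@MIT.REALM on the IPA KDC with kadmin.local -x ipa-setup-override-restrictions, then check where the entry landed), written out as an added example. This is not code from the thread or from the FreeIPA project, and it is the unsupported path ticket 4917 covers, so it applies only if you know what you are doing, as Simo says. The realm names are constructed placeholders; the derivation of the LDAP suffix from the realm name, the AES salt types, and the netdom command for the AD half of the trust are assumptions about a typical environment and should be checked against yours.

```shell
#!/bin/sh
# Added example, not from the original thread: one-way trust where the IPA
# realm is authoritative and AD accepts tickets issued by the IPA KDC.
# Realm names are constructed placeholders (assumption).
IPA_REALM="${IPA_REALM:-IPA.EXAMPLE.COM}"
AD_REALM="${AD_REALM:-AD.EXAMPLE.COM}"
KADMIN="${KADMIN:-kadmin.local}"   # point at a shell function for a dry run
# Key salt types for the new principal. AES has to be enabled on the AD side
# of the realm trust as well, or AD falls back to RC4 (assumption).
ENCTYPES="${ENCTYPES:-aes256-cts:normal,aes128-cts:normal}"

# The principal an issuing realm hands to its own users when they ask for a
# service in another realm is krbtgt/<target realm>@<issuing realm>.
xrealm_principal() {
    printf 'krbtgt/%s@%s\n' "$2" "$1"
}

# IPA's default suffix is the realm name turned into dc= components
# (assumption: holds for a default install, override if yours differs).
ipa_suffix() {
    printf '%s' "$1" | tr '[:upper:]' '[:lower:]' | sed 's/^/dc=/; s/\./,dc=/g'
}

# Create the cross-realm TGS principal. -x ipa-setup-override-restrictions
# tells the ipa-kdb backend to lift the checks that otherwise stop
# kadmin.local from writing principals straight into LDAP. addprinc without
# -pw reads the password twice from stdin, so the shared secret is never on
# a command line or visible in ps. Only use this for krbtgt entries; do not
# create user principals this way.
create_xrealm_tgt() {
    princ=$(xrealm_principal "$IPA_REALM" "$AD_REALM")
    printf '%s\n%s\n' "$1" "$1" |
        "$KADMIN" -x ipa-setup-override-restrictions \
            -q "addprinc -e $ENCTYPES $princ"
}

# Check that the entry landed under cn=kerberos (where kadmin.local puts it,
# which is fine for a krbtgt) and that the KDC actually issues the ticket.
# kvno needs a TGT for an IPA user (kinit first).
verify_xrealm_tgt() {
    princ=$(xrealm_principal "$IPA_REALM" "$AD_REALM")
    ldapsearch -Y GSSAPI -b "$(ipa_suffix "$IPA_REALM")" \
        "(krbPrincipalName=$princ)" dn
    kvno "$princ"
}

# The AD half is a realm trust created with the same password, roughly
# (assumption, adjust to your environment and run on a domain controller):
#   netdom trust AD.EXAMPLE.COM /Domain:IPA.EXAMPLE.COM /add /realm /PasswordT:<same password>
# AD users then map to IPA principals through altSecurityIdentities, as
# described in the thread.

case "${1:-}" in
    create)
        printf 'Trust password for %s: ' \
            "$(xrealm_principal "$IPA_REALM" "$AD_REALM")" >&2
        stty -echo 2>/dev/null; read -r pw; stty echo 2>/dev/null; echo >&2
        create_xrealm_tgt "$pw" && verify_xrealm_tgt
        ;;
    verify)
        verify_xrealm_tgt
        ;;
esac
```

Run as "sh xrealm.sh create" on the IPA master; the trust password must be entered identically on both sides, since the key derived from it is the only thing AD and the IPA KDC share.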
