[Freeipa-users] clarification regarding krb5.conf file
Dmitri Pal
dpal at redhat.com
Wed Jan 7 20:46:09 UTC 2015
On 01/07/2015 06:36 AM, Ben .T.George wrote:
> Hi
>
> If I check an IPA client machine enrolled with ipa-client, the krb5.conf
> file looks like below:
>
> [root at kwttestmrbs001 krb5.include.d]# more /etc/krb5.conf
> #File modified by ipa-client-install
>
> includedir /var/lib/sss/pubconf/krb5.include.d/
>
> [libdefaults]
> default_realm = SOLIPA.LOCAL
> dns_lookup_realm = true
> dns_lookup_kdc = true
> rdns = false
> ticket_lifetime = 24h
> forwardable = yes
>
> [realms]
> SOLIPA.LOCAL = {
> pkinit_anchors = FILE:/etc/ipa/ca.crt
> }
>
> [domain_realm]
> .solipa.local = SOLIPA.LOCAL
> solipa.local = SOLIPA.LOCAL
>
>
> and the includedir /var/lib/sss/pubconf/krb5.include.d/ is including :
>
> [root at kwttestmrbs001 krb5.include.d]# more domain_realm_solipa_local
> [domain_realm]
> .kwttestdc.com = KWTTESTDC.COM
> kwttestdc.com = KWTTESTDC.COM
>
>
> Can anyone please help me prepare a proper krb5.conf file for the Solaris box?
>
> IPA Server is : kwtpocpbis01.solipa.local
> Solaris (client) : kwttestsolaris10.solipa.local
> Active Directory: kwttestdc001.kwttestdc.com
>
>
> Regards,
> Ben
>
> On Wed, Jan 7, 2015 at 2:11 PM, Ben .T.George <bentech4you at gmail.com> wrote:
>
> Hi List
>
> Correct me if I am wrong.
>
> Currently my client krb5.conf is holding AD details, and my client is
> Solaris.
>
> here is my file.
>
> bash-3.2# more /etc/krb5/krb5.conf
> [libdefaults]
> default_realm = KWTTESTDC.COM
>
> [realms]
> KWTTESTDC.COM = {
> kdc = kwttestdc001.kwttestdc.com:88
> admin_server = kwttestdc001.kwttestdc.com:749
> }
>
> [domain_realm]
> .kwttestdc.com = KWTTESTDC.COM
> kwttestdc.com = KWTTESTDC.COM
>
> [logging]
> default = FILE:/var/krb5/kdc.log
> kdc = FILE:/var/krb5/kdc.log
> kdc_rotate = {
> period = 1d
> versions = 10
> }
>
> [appdefaults]
> kinit = {
> renewable = true
> forwardable= true
> }
>
>
> Can anyone please verify whether this is right or wrong?
>
> Regards,
> Ben
>
OK, there seems to be some confusion, at least on my side.
I see several options in this situation.
Option 1: You use your Solaris box with AD directly.
I do not think this is what you are trying to do. AFAIR you are trying
to connect it to IPA and use trusts. But direct connection should be
possible.
Option 2: Connect Solaris to IPA while it is in trust with AD
In this case you need to use LDAP for authentication and identity lookup
and point your client to compat tree. You can't use Kerberos. Kerberos
on Solaris does not know anything about the trust. If you make it use
Kerberos from IPA then you would be able to use only users from IPA. If
you need to use kerberos then we return to option 1.
Option 3: Create a split brain configuration: authentication using
Kerberos will go to AD directly while identity will come from IPA's
compat tree.
This is potentially possible but this is an uncharted and not
recommended territory.
Option 4: Try to build SSSD for Solaris.
If it were easy we would have done it ourselves, but patches are always
welcome. :-)
Option 5: Stop using Solaris.
--
Thank you,
Dmitri Pal
Sr. Engineering Manager IdM portfolio
Red Hat, Inc.
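Added example, not from the thread and not FreeIPA or SSSD project code: a small Python script that merges a krb5.conf with its includedir fragments and resolves hostnames through [domain_realm] the way libkrb5 does (exact hostname first, then each parent domain with a leading dot). It uses constructed, trimmed copies of the two configs quoted above, written to a temporary directory; the function names, the trimmed configs and the first-definition-wins merge rule are assumptions of this example. What it shows is the gap behind the remark that Kerberos on Solaris knows nothing about the trust: the IPA-enrolled client maps kwttestdc.com hosts to KWTTESTDC.COM only because SSSD drops that fragment into krb5.include.d, while the Solaris file has no mapping for solipa.local at all, so those hosts fall through to DNS or default_realm.

```python
import os
import re
import tempfile

# Constructed sample: the IPA-enrolled client's /etc/krb5.conf from the thread,
# trimmed; {incdir} becomes a temp dir so the example runs anywhere.
IPA_CLIENT_CONF = """\
#File modified by ipa-client-install
includedir {incdir}
[libdefaults]
 default_realm = SOLIPA.LOCAL
[domain_realm]
 .solipa.local = SOLIPA.LOCAL
 solipa.local = SOLIPA.LOCAL
"""
# Constructed sample: the fragment SSSD writes into krb5.include.d for the AD domain.
AD_FRAGMENT = """\
[domain_realm]
.kwttestdc.com = KWTTESTDC.COM
kwttestdc.com = KWTTESTDC.COM
"""
# Constructed sample: the Solaris box's /etc/krb5/krb5.conf from the thread, trimmed.
SOLARIS_CONF = """\
[libdefaults]
 default_realm = KWTTESTDC.COM
[realms]
 KWTTESTDC.COM = {
  kdc = kwttestdc001.kwttestdc.com:88
 }
[domain_realm]
 .kwttestdc.com = KWTTESTDC.COM
 kwttestdc.com = KWTTESTDC.COM
"""

def merge(dst, src):
    """Merge parsed sections; the first definition of a key is kept (assumed rule)."""
    for sec, kv in src.items():
        for k, v in kv.items():
            dst.setdefault(sec, {}).setdefault(k, v)

def parse_krb5_conf(path):
    """Parse krb5.conf into {section: {key: value}}, following includedir.
    Nested { } blocks (realm definitions, log rotation) are skipped; only flat
    keys are kept. Included names must be alphanumerics, dashes or underscores
    and are read in sorted order, as libkrb5 documents."""
    sections, current, depth = {}, None, 0
    with open(path) as fh:
        for raw in fh:
            line = raw.strip()
            if not line or line.startswith('#'):
                continue
            if line.startswith('includedir '):
                incdir = line.split(None, 1)[1]
                for name in sorted(os.listdir(incdir)):
                    if re.fullmatch(r'[A-Za-z0-9_-]+', name):
                        merge(sections, parse_krb5_conf(os.path.join(incdir, name)))
            elif depth == 0 and re.fullmatch(r'\[\w+\]', line):
                current = line[1:-1]
                sections.setdefault(current, {})
            elif line.endswith('{'):
                depth += 1
            elif line == '}':
                depth -= 1
            elif depth == 0 and current is not None and '=' in line:
                key, value = (s.strip() for s in line.split('=', 1))
                sections[current].setdefault(key, value)
    return sections

def realm_for_host(sections, hostname):
    """Consult [domain_realm] as libkrb5 does: exact hostname first, then each
    parent domain with a leading dot. None means no static mapping; libkrb5
    would then fall back to DNS (dns_lookup_realm) or default_realm."""
    mapping = sections.get('domain_realm', {})
    host = hostname.lower().rstrip('.')
    if host in mapping:
        return mapping[host]
    labels = host.split('.')
    for i in range(1, len(labels)):
        candidate = '.' + '.'.join(labels[i:])
        if candidate in mapping:
            return mapping[candidate]
    return None

def demo():
    """Write the constructed configs to a temp dir and resolve the thread's
    hosts against both: returns {config_name: {host: realm}}."""
    root = tempfile.mkdtemp(prefix='krb5demo_')
    incdir = os.path.join(root, 'krb5.include.d')
    os.mkdir(incdir)
    files = {os.path.join(incdir, 'domain_realm_solipa_local'): AD_FRAGMENT,
             os.path.join(root, 'krb5.conf'): IPA_CLIENT_CONF.format(incdir=incdir),
             os.path.join(root, 'krb5_solaris.conf'): SOLARIS_CONF}
    for path, text in files.items():
        with open(path, 'w') as fh:
            fh.write(text)
    configs = {'ipa_client': parse_krb5_conf(os.path.join(root, 'krb5.conf')),
               'solaris': parse_krb5_conf(os.path.join(root, 'krb5_solaris.conf'))}
    hosts = ['kwtpocpbis01.solipa.local', 'kwttestdc001.kwttestdc.com']
    return {name: {h: realm_for_host(cfg, h) for h in hosts}
            for name, cfg in configs.items()}

if __name__ == '__main__':
    for name, results in demo().items():
        print(name, results)
```

Running it prints SOLIPA.LOCAL and KWTTESTDC.COM for the two hosts under the IPA client config, and KWTTESTDC.COM plus None under the Solaris config. A None is the case to watch on a real client: with dns_lookup_realm enabled the realm is then taken from DNS, which is why the static [domain_realm] entries (or the SSSD-generated fragment) are the part worth checking when a host authenticates against an unexpected realm.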