[Freeipa-users] Migrating to FreeIPA from an existing Heimdal Kerberos and 389-ds deployment

Petr Vobornik pvoborni at redhat.com
Mon Jul 18 14:44:29 UTC 2016


On 07/18/2016 03:57 PM, Rob Crittenden wrote:
> Grant Wu wrote:
>> Thanks for the information.  Do you know if there are any plans to
>> support cross-realm trust with general KDCs?
> 
> https://fedorahosted.org/freeipa/ticket/4867
> 
> rob

In general, IPA contains a krb5 component which can, in theory, be
configured to trust other krb5 KDCs. But this procedure is manual. IPA
doesn't provide any tooling to ease it, and it is not tested and
therefore not supported. The general Kerberos realm trust is not planned
for any upcoming release, mostly because we don't see a big demand for
it. Feel free to cc yourself or add a comment to
https://fedorahosted.org/freeipa/ticket/4917
It will raise the visible demand.

Ticket 4867 is different; it is about IPA-IPA trusts, where the scope is
more confined. It may or may not (more probable) allow the trust with a
general KDC as a side effect. Demand for IPA-IPA trust is rising, so it
is definitely on our radar and has a chance to be implemented in some
of the upcoming releases.

For completeness, there is also an RFE to support IPA-SAMBA 4 DC trusts:
https://fedorahosted.org/freeipa/ticket/4866
-- 
Petr Vobornik



