[Freeipa-users] mod_auth_krb issues with AD trust

John Meyers john+freeipa at themeyers.us
Thu May 26 16:06:38 UTC 2016


All,

I have a two-way trust established between IPA.DOMAIN.COM and
AD.DOMAIN.COM.  The users are synced via a replication agreement and
password sync, so user at IPA.DOMAIN.COM is the same person as
user at AD.DOMAIN.COM.

With "KrbLocalUserMapping On" in the Apache config, everything works
great for users in the IPA domain.  The realm is properly stripped off
and the end applications work very well with IPA.

However, if a user from the AD domain authenticates, mod_auth_krb does
not strip off the realm and returns "krb5_aname_to_localname() failed:
Supplied data not handled by this plugin", passing the untouched string
to the end application which promptly chokes on it.  I tried adding
AD.DOMAIN.COM to "KrbAuthRealms" in the Apache configuration.  That
didn't do it.  Then I tried adding "auth_to_local =
RULE:[1:$1@$0](^.*@AD\.DOMAIN\.COM)s/@.*//"  to /etc/krb5.conf under the
IPA realm.  That STILL didn't do it, and that is about the end of my
knowledge of Kerberos realm mapping and stripping.

Any help would be appreciated.

John
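The post's auth_to_local entry is easier to reason about when it can be evaluated offline against sample principals. The following is an added illustration, not code from the post, from mod_auth_kerb or from MIT krb5: a small Python re-implementation of how a `RULE:[n:string](regexp)s/pattern/replacement/g` entry and the implicit `DEFAULT` rule map a principal to a local username. It assumes the `(regexp)` must match the whole formatted string (which is what the post's anchored regexp expects), supports at most nine components, and treats "no rule applied" as the same outcome the post reports from `krb5_aname_to_localname()`: no translation. The principals and realm names used are those from the post; the helper names (`parse_rule`, `aname_to_localname`) are this example's own.

```python
"""Evaluate MIT-krb5-style auth_to_local RULE entries against principal names.

Added illustration only: a stand-alone model of RULE and DEFAULT handling so an
auth_to_local rule can be checked before it goes into /etc/krb5.conf.  It is
not the libkrb5 or mod_auth_kerb implementation.
"""
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Assumption: one RULE per entry; the sed part may escape '/' as '\/'.
RULE_SYNTAX = re.compile(
    r"^RULE:\[(\d+):([^\]]*)\]\((.*)\)s/((?:\\/|[^/])*)/((?:\\/|[^/])*)/(g?)$"
)


@dataclass(frozen=True)
class Rule:
    ncomp: int            # number of principal components the rule applies to
    fmt: str              # $0 = realm, $1..$n = principal components
    selector: re.Pattern  # must match the whole formatted string
    sub_from: re.Pattern  # sed-style substitution pattern
    sub_to: str           # replacement text (\1.. backreferences allowed)
    global_sub: bool      # trailing 'g' flag: replace all occurrences


def parse_rule(text: str) -> Rule:
    """Parse 'RULE:[n:string](regexp)s/pattern/replacement/[g]' into a Rule."""
    m = RULE_SYNTAX.match(text.strip())
    if not m:
        raise ValueError(f"unsupported auth_to_local entry: {text!r}")
    n, fmt, sel, pat, repl, g = m.groups()
    unescape = lambda s: s.replace(r"\/", "/")
    return Rule(int(n), fmt, re.compile(sel), re.compile(unescape(pat)),
                unescape(repl), g == "g")


def split_principal(principal: str) -> Tuple[List[str], str]:
    """'user@REALM' -> (['user'], 'REALM'); 'HTTP/fqdn@REALM' -> (['HTTP', 'fqdn'], 'REALM')."""
    name, sep, realm = principal.rpartition("@")
    if not sep or not name or not realm:
        raise ValueError(f"malformed principal: {principal!r}")
    return name.split("/"), realm


def apply_rule(rule: Rule, principal: str) -> Optional[str]:
    """Return the local name produced by one RULE, or None if it does not apply."""
    comps, realm = split_principal(principal)
    if len(comps) != rule.ncomp:
        return None
    formatted = rule.fmt.replace("$0", realm)
    for i, comp in enumerate(comps, start=1):   # assumes at most 9 components
        formatted = formatted.replace(f"${i}", comp)
    if rule.selector.fullmatch(formatted) is None:
        return None
    count = 0 if rule.global_sub else 1
    return rule.sub_from.sub(rule.sub_to, formatted, count=count)


def aname_to_localname(principal: str, rules: List[Rule],
                       local_realm: str) -> Optional[str]:
    """Try each RULE in order, then the implicit DEFAULT rule.

    DEFAULT only strips the realm from a single-component principal in the
    local realm; anything else is 'no translation' (None), the condition the
    post sees as a krb5_aname_to_localname() failure.
    """
    for rule in rules:
        result = apply_rule(rule, principal)
        if result is not None:
            return result
    comps, realm = split_principal(principal)
    if realm == local_realm and len(comps) == 1:
        return comps[0]
    return None


if __name__ == "__main__":
    # The rule quoted in the post, evaluated against constructed sample principals.
    post_rule = parse_rule(r"RULE:[1:$1@$0](^.*@AD\.DOMAIN\.COM)s/@.*//")
    for p in ("user@IPA.DOMAIN.COM", "user@AD.DOMAIN.COM",
              "user@OTHER.EXAMPLE", "HTTP/web.ipa.domain.com@IPA.DOMAIN.COM"):
        print(f"{p:42} -> {aname_to_localname(p, [post_rule], 'IPA.DOMAIN.COM')}")
```

Running the script shows that the rule as written does map `user@AD.DOMAIN.COM` to `user`, while a principal from any third realm, and any multi-component principal, falls through to "no translation". That fall-through is the property worth preserving when widening a rule: a selector that is not anchored to a specific realm would let accounts from any trusted realm claim the local username of the same spelling.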