[Freeipa-users] mod_auth_krb issues with AD trust

Alexander Bokovoy abokovoy at redhat.com
Thu May 26 16:20:22 UTC 2016


On Thu, 26 May 2016, John Meyers wrote:
>All,
>
>I have two-way trust established between IPA.DOMAIN.COM and
>AD.DOMAIN.COM.  The users are sync'ed via a replication agreement and
>password sync so user at IPA.DOMAIN.COM is the same person as
>user at AD.DOMAIN.COM.
Trust doesn't use synchronization. Your AD users are not IPA users and
will never be with trust.

>With "KrbLocalUserMapping On" in the Apache config, everything works
>great for users in the IPA domain.  The realm is properly stripped off
>and the end applications work very well with IPA.
>
>However, if a user from the AD domain authenticates, mod_auth_krb does
>not strip off the realm and returns "krb5_aname_to_localname() failed:
>Supplied data not handled by this plugin", passing the untouched string
>to the end application which promptly chokes on it.  I tried adding
>AD.DOMAIN.COM to "KrbAuthRealms" in the Apache configuration.  That
>didn't do it.  Then I tried adding "auth_to_local =
>RULE:[1:$1@$0](^.*@AD\.DOMAIN\.COM)s/@.*//"  to /etc/krb5.conf under the
>IPA realm.  That STILL didn't do it and that is about the end of my
>knowledge on kerberos realm mapping and stripping.
>
>Any help would be appreciated.
SSSD on RHEL 7.x and Fedora 22+ provides a localauth plugin to Kerberos
that allows mapping a Kerberos principal to a user known by SSSD.
Effectively, the user at AD.DOMAIN.COM principal would be mapped to
user at ad.domain.com by the SSSD localauth plugin automatically and
aname_to_localname() should succeed.

mod_auth_krb5 should work just fine with this setup if you remove
'KrbLocalUserMapping On' and add all allowed realms to
KrbAuthRealms.
-- 
/ Alexander Bokovoy
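As an added illustration (not code from this thread, nor from krb5 or SSSD), a small Python evaluator for the MIT krb5 auth_to_local RULE syntax the original poster tried, run against constructed principals from both realms. It assumes MIT semantics: the [n:string] part applies only to principals with n components, the selector regexp is matched against the formatted string, and the s/pattern/replacement/ substitution is then applied.

```python
import re

# Parser for RULE:[n:string](regexp)s/pattern/replacement/g (MIT krb5 syntax).
# The selector regexp and the s/// part are both optional in krb5.
RULE_RE = re.compile(
    r"^RULE:\[(?P<n>\d+):(?P<fmt>[^\]]*)\]"
    r"(?:\((?P<match>.*?)\))?"
    r"(?:s/(?P<pat>(?:\\/|[^/])*)/(?P<rep>(?:\\/|[^/])*)/(?P<g>g?))?$"
)


def apply_rule(rule: str, principal: str):
    """Return the local name `rule` yields for `principal`, or None when the
    rule does not apply (wrong component count or selector regexp mismatch)."""
    m = RULE_RE.match(rule)
    if not m:
        raise ValueError(f"unparseable auth_to_local rule: {rule}")
    name, _, realm = principal.rpartition("@")
    components = name.split("/")
    if len(components) != int(m["n"]):
        return None  # [n:...] only considers principals with exactly n components
    # $0 is the realm, $1..$n are the principal components.
    formatted = m["fmt"].replace("$0", realm)
    for i, comp in enumerate(components, start=1):
        formatted = formatted.replace(f"${i}", comp)
    if m["match"] and not re.search(m["match"], formatted):
        return None  # selector regexp did not match the formatted string
    if m["pat"] is not None:
        # Without the trailing "g" only the first match is replaced.
        formatted = re.sub(m["pat"], m["rep"], formatted, count=0 if m["g"] else 1)
    return formatted


def map_principal(rules, principal: str):
    """First rule that applies wins, as in krb5; None means no rule mapped it.
    Note that MIT krb5 reads these rules from the [realms] entry of the
    principal's own realm, so a rule for AD principals belongs under AD.DOMAIN.COM."""
    for rule in rules:
        local = apply_rule(rule, principal)
        if local is not None:
            return local
    return None


# The exact rule from the thread; principals below are constructed samples.
AD_STRIP_RULE = r"RULE:[1:$1@$0](^.*@AD\.DOMAIN\.COM)s/@.*//"

if __name__ == "__main__":
    for p in ("user@AD.DOMAIN.COM", "user@IPA.DOMAIN.COM", "HTTP/web@AD.DOMAIN.COM"):
        print(p, "->", map_principal([AD_STRIP_RULE], p))
```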