Hi, this week I tried to establish a trust relationship between FreeIPA v2 and a Samba 4 domain. In that setup most workstations live in the Samba 4 domain and most servers in the FreeIPA domain, so I am mainly interested in having Windows users able to authenticate to the Linux servers.
First I set up the Kerberos 5 trust from the "AD Domains and Trusts" control panel, then using kadmin.local I added the proper principals to the Kerberos database in FreeIPA (krbtgt/IPA.CORPFBK@WIN.CORPFBK and krbtgt/WIN.CORPFBK@IPA.CORPFBK).

Second, I added a SASL mapping to 389 DS to have Windows users mapped one to one to IPA users:

dn: cn=zz,cn=mapping,cn=sasl,cn=config
objectClass: top
objectClass: nsSaslMapping
nsSaslMapRegexString: \(.*\)@WIN.CORPFBK
cn: zz
nsSaslMapBaseDNTemplate: dc=ipa,dc=corpfbk
nsSaslMapFilterTemplate: (krbPrincipalName=\1@IPA.CORPFBK)

And... everything worked beautifully! I can obtain a ticket from Samba 4 and use it to browse 389 DS or connect via ssh to a Linux server.

OK, this is all well with services that just need to authenticate a user and then don't care about the realm part of the username, but it is not enough with services that use the complete principal to gather group membership of the users; I'm thinking of squid_kerb_auth + squid_ldap_group or mod_auth_kerb + mod_authnz_ldap.

To have the trust relationship work with these services I should store the Samba 4 user's complete principal name in some attribute of the corresponding FreeIPA user. What would be the proper attribute? krbPrincipalAliases?

Thanks in advance.

-- 
Loris Santamaria   linux user #70506   xmpp:lo...@lgs.com.ve
Links Global Services, C.A.            http://www.lgs.com.ve
Tel: 0286 952.06.87  Cel: 0414 095.00.10   sip:1...@lgs.com.ve
------------------------------------------------------------
-O9 -omg-optimize -fomit-instructions
_______________________________________________ Freeipa-devel mailing list Freeipafirstname.lastname@example.org https://www.redhat.com/mailman/listinfo/freeipa-devel
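As an added illustration (not code from the post, from FreeIPA, or from 389 DS), here is a small Python model of what the nsSaslMapping entry quoted above does: the regex is matched against the authenticating identity, the capture group is substituted for \1 in the base DN and filter templates, and the resulting search is what selects the IPA user entry. The `TIGHT_MAPPING` variant with `WIN\.CORPFBK` is an assumption of this example, not something the post proposes; matching the whole identity with `re.fullmatch` and escaping the captured value per RFC 4515 (filter) and RFC 4514 (DN) before substitution are likewise choices of this model, not a description of the server's internals. All identities fed to it are constructed.

```python
r"""Model of the nsSaslMapping entry from the post, applied to incoming identities.

Constructed example; not 389 DS, FreeIPA or Samba code.  It reproduces only the
behaviour the LDIF describes: a POSIX basic regex with \( \) groups is matched
against the authenticating identity, \1 is substituted into the base-DN and
filter templates, and the resulting search selects the IPA user entry.
"""
import re

# The mapping exactly as posted.
MAPPING = {
    "cn": "zz",
    "nsSaslMapRegexString": r"\(.*\)@WIN.CORPFBK",
    "nsSaslMapBaseDNTemplate": "dc=ipa,dc=corpfbk",
    "nsSaslMapFilterTemplate": r"(krbPrincipalName=\1@IPA.CORPFBK)",
}

# Assumption of this example: the same mapping with the realm's dot escaped.
# In a basic regex an unescaped '.' matches any character, so the posted
# pattern also accepts identities such as jdoe@WINXCORPFBK.
TIGHT_MAPPING = dict(MAPPING, nsSaslMapRegexString=r"\(.*\)@WIN\.CORPFBK")


def bre_to_python(pattern: str) -> str:
    r"""Translate POSIX BRE group syntax (\( \)) into Python's ( ).
    Other constructs, including \. for a literal dot, mean the same in both."""
    return pattern.replace(r"\(", "(").replace(r"\)", ")")


def ldap_filter_escape(value: str) -> str:
    """RFC 4515 escaping for a value placed inside a search filter, so that a
    captured identity containing '*', '(' or ')' is matched literally instead
    of rewriting the filter."""
    return "".join("\\%02x" % ord(ch) if ch in "*()\\\0" else ch for ch in value)


def ldap_dn_escape(value: str) -> str:
    """RFC 4514 escaping for a value placed inside a DN template."""
    out = "".join("\\" + ch if ch in ',+"\\<>;=' else ch for ch in value)
    if out[:1] in ("#", " "):
        out = "\\" + out
    if out.endswith(" "):
        out = out[:-1] + "\\ "
    return out


def apply_mapping(mapping: dict, identity: str):
    """Return (base_dn, search_filter) for an authenticated identity, or None
    when the regex does not match and this mapping is skipped.
    Model choice: the whole identity must match (re.fullmatch)."""
    m = re.fullmatch(bre_to_python(mapping["nsSaslMapRegexString"]), identity)
    if m is None:
        return None

    def substitute(template: str, escape) -> str:
        # \1, \2 ... in a template refer to the regex capture groups.
        return re.sub(r"\\(\d)", lambda g: escape(m.group(int(g.group(1)))), template)

    return (
        substitute(mapping["nsSaslMapBaseDNTemplate"], ldap_dn_escape),
        substitute(mapping["nsSaslMapFilterTemplate"], ldap_filter_escape),
    )


if __name__ == "__main__":
    # Constructed identities: a trusted-realm user, a local-realm user, a
    # hostile-looking name, and one that only the unescaped dot lets through.
    for ident in ("jdoe@WIN.CORPFBK", "jdoe@IPA.CORPFBK", "*@WIN.CORPFBK", "jdoe@WINXCORPFBK"):
        print(f"{ident:22} posted: {apply_mapping(MAPPING, ident)}")
        print(f"{'':22} tight:  {apply_mapping(TIGHT_MAPPING, ident)}")
```

Running it shows the one-to-one mapping the post relies on (jdoe@WIN.CORPFBK becomes a search for krbPrincipalName=jdoe@IPA.CORPFBK under dc=ipa,dc=corpfbk), that an IPA-realm identity is left alone by this mapping, that a captured value containing filter metacharacters is escaped rather than interpreted, and that the posted regex also accepts jdoe@WINXCORPFBK while the dot-escaped variant rejects it. It also makes visible why the post's last question arises: after the mapping, the entry found carries only the IPA principal, so a service that reads the original WIN.CORPFBK principal from the LDAP entry has nothing to match against.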