This week I tried to establish a trust relationship between FreeIPA v2
and a Samba 4 domain. In that setup most workstations live in the Samba
4 domain and most servers in the FreeIPA domain, so I am mainly
interested in having Windows able to authenticate to the Linux

First I set up the kerberos 5 trust from the "AD Domains and Trusts"
control panel, then using kadmin.local I added the proper principals to
the kerberos database in freeIPA (krbtgt/IPA.CORPFBK@WIN.CORPFBK and

Second I added a sasl mapping to 389 DS to have windows users mapped one
to one to IPA users:

dn: cn=zz,cn=mapping,cn=sasl,cn=config
objectClass: top
objectClass: nsSaslMapping
nsSaslMapRegexString: \(.*\)@WIN.CORPFBK
cn: zz
nsSaslMapBaseDNTemplate: dc=ipa,dc=corpfbk
nsSaslMapFilterTemplate: (krbPrincipalName=\1@IPA.CORPFBK)

And... everything worked beautifully! I can obtain a ticket from samba 4
and use it to browse 389DS or connect via ssh to a Linux server.

OK, this is all fine for services that just need to authenticate a user
and then don't care about the realm part of the username, but it is not
enough for services that use the complete principal to gather the group
membership of the users; I'm thinking of squid_kerb_auth +
squid_ldap_group or mod_auth_kerb + mod_authnz_ldap.

To have the trust relationship work with these services I should store
the Samba 4 user's complete principal name in some attribute of the
corresponding FreeIPA user. What would be the proper attribute?

Thanks in advance.

Loris Santamaria   linux user #70506   xmpp:lo...@lgs.com.ve
Links Global Services, C.A.            http://www.lgs.com.ve
Tel: 0286 952.06.87  Cel: 0414 095.00.10  sip:1...@lgs.com.ve
-O9 -omg-optimize -fomit-instructions
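The SASL mapping in the post turns a Samba 4 authid such as `jdoe@WIN.CORPFBK` into a search base and an LDAP filter against the FreeIPA tree. The script below is an added, constructed model of that substitution (it is not 389 DS code and not part of the original message): it applies the post's `nsSaslMapRegexString`, `nsSaslMapBaseDNTemplate` and `nsSaslMapFilterTemplate` to sample authids so you can see exactly which FreeIPA entry a trusted-realm user resolves to. Two assumptions are labelled in the code: the POSIX basic-regex groups `\(...\)` are translated to Python groups, and the whole authid is required to match (check 389 DS's `sasl_map.c` for its exact anchoring). It also shows two checks a reviewer of such a mapping would want: the unescaped dot in `@WIN.CORPFBK` matches any character, so a stricter `@WIN\.CORPFBK` is compared side by side, and captured groups carrying RFC 4515 filter metacharacters are flagged because they would change what the generated filter means.

```python
import re

# Constructed copy of the mapping entry from the post.
MAPPING = {
    "regex": r"\(.*\)@WIN.CORPFBK",
    "base_template": "dc=ipa,dc=corpfbk",
    "filter_template": r"(krbPrincipalName=\1@IPA.CORPFBK)",
}

# Same mapping with the realm's dot escaped (a suggested tightening, not from the post).
STRICT_MAPPING = dict(MAPPING, regex=r"\(.*\)@WIN\.CORPFBK")

# RFC 4515 characters that need escaping inside an LDAP filter value.
FILTER_METACHARS = set("*()\\\0")


def bre_to_python(pattern):
    """Translate POSIX basic-regex groups \\( \\) to Python's ( ).

    Assumption: for the patterns used here this is the only syntax difference.
    """
    return pattern.replace(r"\(", "(").replace(r"\)", ")")


def apply_mapping(mapping, authid):
    """Return (base_dn, ldap_filter) for a SASL authid, or None when it does not map.

    Models 389 DS behaviour: the regex is matched against the authid and every
    \\1..\\9 in the templates is replaced by the corresponding captured group.
    Assumption: the whole authid must match (fullmatch).
    """
    match = re.fullmatch(bre_to_python(mapping["regex"]), authid)
    if match is None:
        return None

    def substitute(template):
        return re.sub(r"\\([1-9])", lambda g: match.group(int(g.group(1))), template)

    return substitute(mapping["base_template"]), substitute(mapping["filter_template"])


def risky_substitutions(mapping, authid):
    """Return captured groups that contain LDAP filter metacharacters.

    Such a group, substituted verbatim into nsSaslMapFilterTemplate, turns a
    filter meant to select one principal into something else (e.g. a wildcard).
    """
    match = re.fullmatch(bre_to_python(mapping["regex"]), authid)
    if match is None:
        return []
    return [g for g in match.groups() if FILTER_METACHARS & set(g)]


if __name__ == "__main__":
    # Constructed sample authids: a normal trusted-realm user, a local-realm
    # user, a look-alike realm that the unescaped dot accepts, and a user part
    # carrying a filter wildcard.
    for authid in ("jdoe@WIN.CORPFBK", "jdoe@IPA.CORPFBK",
                   "jdoe@WINXCORPFBK", "j*doe@WIN.CORPFBK"):
        print(authid)
        print("  post's mapping :", apply_mapping(MAPPING, authid))
        print("  strict mapping :", apply_mapping(STRICT_MAPPING, authid))
        print("  risky groups   :", risky_substitutions(MAPPING, authid))
```

Running it shows `jdoe@WIN.CORPFBK` resolving to base `dc=ipa,dc=corpfbk` with filter `(krbPrincipalName=jdoe@IPA.CORPFBK)`, while the look-alike realm maps only under the post's unescaped regex and the wildcard authid is reported by `risky_substitutions`; both are reasons to escape the dot and to keep the trusted realm's principal naming under review.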

Freeipa-devel mailing list