On Thu, 2011-06-23 at 08:32 -0430, Loris Santamaria wrote:
> Hi,
> this week I tried to establish a trust relationship between FreeIPA v2
> and a Samba 4 domain. In that setup most workstations live in the Samba
> 4 domain and most servers in the FreeIPA domain, so I am mainly
> interested in having Windows be able to authenticate to the Linux
> servers.
> First I set up the Kerberos 5 trust from the "AD Domains and Trusts"
> control panel, then using kadmin.local I added the proper principals to
> the Kerberos database in FreeIPA (krbtgt/IPA.CORPFBK@WIN.CORPFBK and
> Second I added a SASL mapping to 389 DS to have Windows users mapped one
> to one to IPA users:
> dn: cn=zz,cn=mapping,cn=sasl,cn=config
> objectClass: top
> objectClass: nsSaslMapping
> nsSaslMapRegexString: \(.*\)@WIN.CORPFBK
> cn: zz
> nsSaslMapBaseDNTemplate: dc=ipa,dc=corpfbk
> nsSaslMapFilterTemplate: (krbPrincipalName=\1@IPA.CORPFBK)
> And... everything worked beautifully! I can obtain a ticket from Samba 4
> and use it to browse 389 DS or connect via ssh to a Linux server.
> OK, this is all well with services that just need to authenticate a user
> and then don't care about the realm part of the username, but it is not
> enough with services that use the complete principal to gather group
> membership of the users; I'm thinking of squid_kerb_auth +
> squid_ldap_group or mod_auth_kerb + mod_authnz_ldap.
> To have the trust relationship work with these services I should store
> the Samba 4 user's complete principal name in some attribute of the
> corresponding FreeIPA user. What would be the proper attribute?
> krbPrincipalAliases?
> Thanks in advance.

Hi Loris,
great work there.

We are actually starting to work right now on supporting trust
relationships in FreeIPA, but we haven't attacked the problem of
representing user memberships for external accounts.

Given you are mapping krbPrincipalName to the IPA one, you shouldn't need
to add anything else from the IPA point of view. When you log in to
DirSrv your group memberships will be those of the user that has the
same name in IPA. The AD domain groups will not be seen at all of


Simo Sorce * Red Hat, Inc * New York
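Added example, not code from the thread, from 389 DS or from FreeIPA: a small Python emulation of how a 389 DS nsSaslMapping entry turns the SASL authid that GSSAPI presents (the Kerberos principal from the validated ticket) into a base DN and search filter, using the exact entry Loris posted. It also makes concrete the consequence Simo states: whoever maps onto an IPA krbPrincipalName gets that IPA user's groups, so a WIN.CORPFBK account named like an IPA account (say "admin") inherits the IPA account's memberships. The IPA user tree, the STRICT_MAPPING variant (anchored, realm dot escaped, no "@" inside the user part) and the assumption that the server matches the regex anywhere in the authid rather than anchoring it for you are all mine; check the regex engine of the 389 DS version you run. With GSSAPI the realm part comes from the ticket, so the unescaped dot in the posted regex is a hygiene point rather than something a client can abuse.

```python
import re

# The nsSaslMapping entry exactly as posted in the thread, as a dict of its
# fields.  389 DS writes regex groups as \( \); Python wants bare parentheses,
# so entry_regex_to_python() translates before matching.
POSTED_MAPPING = {
    "nsSaslMapRegexString": r"\(.*\)@WIN.CORPFBK",
    "nsSaslMapBaseDNTemplate": "dc=ipa,dc=corpfbk",
    "nsSaslMapFilterTemplate": r"(krbPrincipalName=\1@IPA.CORPFBK)",
}

# Assumed tighter variant (mine, not from the thread): anchored at both ends,
# the realm's dot escaped, and no '@' allowed inside the captured user part.
STRICT_MAPPING = dict(POSTED_MAPPING,
                      nsSaslMapRegexString=r"^\([^@]*\)@WIN\.CORPFBK$")

# Constructed stand-in for the IPA user tree: krbPrincipalName -> groups.
IPA_USERS = {
    "loris@IPA.CORPFBK": ["cn=ipausers", "cn=sysadmins"],
    "admin@IPA.CORPFBK": ["cn=admins"],
}


def entry_regex_to_python(regex):
    """Turn the entry's \\( \\) grouping into Python's ( ) grouping."""
    return regex.replace(r"\(", "(").replace(r"\)", ")")


def map_sasl_identity(mapping, authid):
    """Apply one nsSaslMapping to a SASL authid.

    Returns (base_dn, filter) with \\1, \\2 ... expanded from the regex
    groups, or None when the regex does not match.  re.search() is used on
    purpose: this example assumes the server matches anywhere in the authid
    and leaves anchoring to the entry itself.
    """
    m = re.search(entry_regex_to_python(mapping["nsSaslMapRegexString"]), authid)
    if m is None:
        return None

    def expand(template):
        # Replace \N with the N-th captured group, as the templates expect.
        return re.sub(r"\\(\d)", lambda g: m.group(int(g.group(1))), template)

    return (expand(mapping["nsSaslMapBaseDNTemplate"]),
            expand(mapping["nsSaslMapFilterTemplate"]))


def resolve_groups(mapping, authid, users=IPA_USERS):
    """Run the mapping, then 'search' the constructed user tree.

    Mirrors what Simo describes: the bound identity's memberships are those
    of the IPA user whose krbPrincipalName the expanded filter selects.
    Returns that user's group list, or None when nothing maps or matches.
    """
    mapped = map_sasl_identity(mapping, authid)
    if mapped is None:
        return None
    _base_dn, ldap_filter = mapped
    f = re.fullmatch(r"\(krbPrincipalName=(.*)\)", ldap_filter)
    if f is None:
        return None
    return users.get(f.group(1))


if __name__ == "__main__":
    # Constructed authids: a real user, a name that collides with IPA's
    # admin, a WIN user with no IPA counterpart, and a realm the posted
    # regex accepts only because its dot is unescaped.
    for authid in ("loris@WIN.CORPFBK", "admin@WIN.CORPFBK",
                   "bob@WIN.CORPFBK", "loris@WINxCORPFBK"):
        print(authid, "->", resolve_groups(POSTED_MAPPING, authid),
              "| strict:", resolve_groups(STRICT_MAPPING, authid))
```

Running it shows "admin@WIN.CORPFBK" resolving to IPA's cn=admins under both mappings, which is the name-collision property of a by-name mapping rather than a regex problem: the only thing the strict regex changes is that look-alike realms such as WINxCORPFBK stop matching.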

Freeipa-devel mailing list
