Hi All.

We have an IPA installation in a 'winsync' agreement with our AD. We do not (at this stage) want to move this to a full trust, but it would be useful for our users if there were a trust between the two systems at the *Kerberos* level. That way, user desktop TGTs from AD could be used to access Linux servers enrolled in the IPA domain seamlessly, without needing to maintain two separate identities. (We have previously used such a configuration successfully between IPA and a legacy MIT Kerberos service.)

I followed some (non-IPA related) steps for setting up Kerberos trusts between AD and MIT Kerberos - essentially creating a common TGT principal in both systems with a common password. This works to a point (i.e. I can get the TGT for IPA using the AD TGT), but when I try to fetch a service ticket in the IPA domain I get a 'HANDLE_AUTHDATA' error.

Here is what I'm seeing (AD domain = 'STAFF.LOCALREALM'; IPA domain = 'PALLAS.LOCALREALM'):

    # Get AD TGT:
    Password for [email protected]: XXXXXXXXX
    $ klist
    Ticket cache: KEYRING:persistent:10846:10846
    Default principal: [email protected]

    Valid starting       Expires              Service principal
    11/06/20 13:34:19    11/06/20 23:34:19    krbtgt/[email protected]
        renew until 12/06/20 13:34:18

    # Use AD TGT to get an IPA TGT:
    $ kvno krbtgt/[email protected]
    krbtgt/[email protected]: kvno = 0
    $ klist
    Ticket cache: KEYRING:persistent:10846:10846
    Default principal: [email protected]

    Valid starting       Expires              Service principal
    11/06/20 13:34:24    11/06/20 23:34:19    krbtgt/[email protected]
        renew until 12/06/20 13:34:18
    11/06/20 13:34:19    11/06/20 23:34:19    krbtgt/[email protected]
        renew until 12/06/20 13:34:18

    # Try to fetch an IPA service ticket:
    $ kvno host/[email protected]
    kvno: KDC returned error string: HANDLE_AUTHDATA while getting credentials for host/[email protected]

Can anyone provide some idea as to what's going on here and how I resolve this? I don't really know what 'HANDLE_AUTHDATA' indicates and I'm not able to find a lot of documentation explaining this.

Thanks!
Robert.