On Tue, 07 Jul 2020, Gerald Vogt via FreeIPA-users wrote:
> Hi!
>
> I am trying to get a Kerberos realm to trust the IPA realm. I'm running
> ipa-server-4.6.6-11.el7 on a CentOS 7. It uses realm IPA.EXAMPLE.COM.
>
> I have another KDC on another CentOS 7 which has another realm
> KRB.EXAMPLE.COM with a legacy service connected.
>
> Now I would like all users of my IPA realm to use that legacy service.
> Thus I need the KRB realm to trust the IPA realm. I don't need the IPA
> realm to trust the KRB realm.
>
> For the KRB KDC I have no problem adding the necessary
> krbtgt/krb.example....@ipa.example.com principal with a password.
>
> However, everything I find about adding it to the IPA Kerberos involves
> kadmin.local, which seems not to be supported anymore:
>
> kadmin.local: Cannot open DB2 database
> '/var/kerberos/krb5kdc/principal': No such file or directory while
> initializing kadmin.local interface

The message above says that the DB2 database driver is used by kadmin.local
instead of the IPA one. Your /etc/krb5.conf should have:

[dbmodules]
  IPA.TEST = {
    db_library = ipadb.so
  }

> How do I add this principal correctly to my IPA Kerberos? Is it
> possible?

Kind of. Beware of dragons, of course.

WARNING: this is not supported for mindless enablement. If you'd break
your system, it is all your fault.

You need to use '-x ipa-setup-override-restrictions' to kadmin.local
when it uses ipadb module.

Please note that FreeIPA's expectations of trusted realms are stricter
than in the standard MIT KDC case. For example, if your trusted realm
produces PAC records in its tickets, those tickets will be rejected if the
FreeIPA KDC cannot find a corresponding trusted domain definition in IPA
LDAP. This, for example, is not possible right now for IPA-IPA trust.

A non-AD-compatible Kerberos realm can be made trusted, but that's about
it. If it has user principals that couldn't be mapped to IPA users, the
only thing those principals would be able to do is obtain service
tickets to IPA services. They would not exist at the POSIX level, of
course, so none of the POSIX-specific operations would work, including HBAC
rules.



--
/ Alexander Bokovoy
Sr. Principal Software Engineer
Security / Identity Management Engineering
Red Hat Limited, Finland
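As an added illustration, not part of Alexander's reply and not FreeIPA's own tooling, the shell snippet below does two things a practitioner would want before touching the IPA KDC: it checks that a krb5.conf binds the realm to the ipadb module (the [dbmodules] stanza from the reply, which is what makes kadmin.local use the IPA backend instead of the DB2 one), and it assembles the kadmin.local invocation with the -x ipa-setup-override-restrictions option from the reply for the inbound cross-realm krbtgt principal. The realm names are the ones from the thread; the sample configuration, the temporary file and the addprinc form (standard kadmin usage, with the password entered interactively) are assumptions made here.

```shell
#!/bin/sh
# Added example, not from the thread. Realm names follow the question;
# the sample config and temporary file are constructed here.

# check_ipadb_module CONFIG REALM
# Returns 0 when CONFIG has a [dbmodules] entry for REALM whose db_library
# is ipadb.so, 1 otherwise. Without that stanza kadmin.local falls back to
# the default DB2 backend and fails with "Cannot open DB2 database".
check_ipadb_module() {
    awk -v realm="$2" '
        # Track the current [section]; a new header ends any realm block.
        /^[[:space:]]*\[/ {
            section = $0
            sub(/^[[:space:]]*/, "", section)
            sub(/[[:space:]]*$/, "", section)
            inblock = 0
            next
        }
        # A REALM = { ... } block in [realms] must not count, so skip
        # everything outside [dbmodules].
        section != "[dbmodules]" { next }
        $1 == realm && $2 == "=" { inblock = 1; next }
        inblock && $1 == "}" { inblock = 0; next }
        inblock && $1 == "db_library" && $3 == "ipadb.so" { found = 1 }
        END { if (found) exit 0; exit 1 }
    ' "$1"
}

# cross_realm_addprinc_cmd TRUSTING_REALM TRUSTED_REALM
# Assembles the kadmin.local command that creates the inbound cross-realm
# principal krbtgt/TRUSTING@TRUSTED on the IPA KDC (TRUSTED is the IPA
# realm). The ipadb module refuses to create it unless
# -x ipa-setup-override-restrictions is passed. The key must match the
# copy of the same principal already created on the trusting KDC, so the
# password is typed interactively rather than put on the command line.
cross_realm_addprinc_cmd() {
    printf 'kadmin.local -x ipa-setup-override-restrictions -q "addprinc krbtgt/%s@%s"\n' "$1" "$2"
}

# Constructed krb5.conf fragment for a stand-alone run (assumption: mktemp
# is available). Note the realm also appears under [realms], which the
# check must ignore.
demo_conf=$(mktemp)
cat > "$demo_conf" <<'EOF'
[realms]
  IPA.EXAMPLE.COM = {
    kdc = ipa.example.com:88
  }

[dbmodules]
  IPA.EXAMPLE.COM = {
    db_library = ipadb.so
  }
EOF

if check_ipadb_module "$demo_conf" IPA.EXAMPLE.COM; then
    echo "ipadb module configured for IPA.EXAMPLE.COM; kadmin.local will use the IPA backend"
    cross_realm_addprinc_cmd KRB.EXAMPLE.COM IPA.EXAMPLE.COM
else
    echo "no ipadb dbmodules entry for IPA.EXAMPLE.COM; fix /etc/krb5.conf first" >&2
fi
rm -f "$demo_conf"
```

Run the check against the real /etc/krb5.conf on the IPA server before attempting the kadmin.local step; if it fails, the "Cannot open DB2 database" error from the question is the expected symptom.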
_______________________________________________
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org
Fedora Code of Conduct: 
https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: 
https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahosted.org