On 07.07.20 10:13, Alexander Bokovoy wrote: > On ti, 07 heinä 2020, Gerald Vogt via FreeIPA-users wrote: >> Hi! >> >> I am trying to get a kerberos realm to trust the ipa realm. I'm running >> ipa-server-4.6.6-11.el7 on a CentOS 7. It uses realm IPA.EXAMPLE.COM. >> >> I have another KDC on another CentOS 7 which has another realm >> KRB.EXAMPLE.COM with a legacy service connected. >> >> Now I would like all users of my IPA realm to use that legacy service. >> Thus I need the KRB realm to trust the IPA realm. I don't need the IPA >> realm to trust the KRB realm. >> >> For the KRB KDC I have no problem adding the necessary >> krbtgt/[email protected] principal with a password. >> >> However, everything I find about adding it to the IPA Kerberos involves >> kadmin.local which seems not to be supported anymore: >> >> kadmin.local: Cannot open DB2 database >> '/var/kerberos/krb5kdc/principal': No such file or directory while >> initializing kadmin.local interface > > The message above says that DB2 database driver is used by kadmin.local > instead of IPA one. Your /etc/krb5.conf should have: > > [dbmodules] > IPA.TEST = { > db_library = ipadb.so > }
Thanks. I have missed that. >> How do I add this principal correctly to my IPA kerberos? Is it >> possible? > > Kind of. Beware of dragons, of course. > > WARNING: this is not supported for mindless enablement. If you'd break > your system, it is all your fault. > > You need to use '-x ipa-setup-override-restrictions' to kadmin.local > when it uses ipadb module. > > Please note that FreeIPA expectation from trusted realms are stricter > than in a standard MIT KDC case. For example, if your trusted realm > produces PAC records in the tickets, these tickets will be rejected if > FreeIPA KDC cannot find corresponding trusted domain definition in IPA > LDAP. This, for example, is not possible right now for IPA-IPA trust. > > A non-AD-compatible Kerberos realm can be made trusted but that's about > it. If it has user principals that couldn't be mapped to IPA users, the > only thing that those principals would be able to do is to obtain > service tickets to IPA services. They would not exist on POSIX level, of > course, so none of POSIX-specific operations would work, including HBAC > rules. O.K. Now you have got me confused. I thought, all I needed was for my KRB realm to trust the IPA realm and not vice versa. Thus, all I needed was the principal in the IPA kerberos. I don't want the IPA realm to trust the KRB realm. Only the IPA users are supposed to access the KRB realm service using kerberos. It's my understanding that your remarks in your two last paragraphs don't apply here. Or am I missing something? Thx, Gerald _______________________________________________ FreeIPA-users mailing list -- [email protected] To unsubscribe send an email to [email protected] Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/ List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedorahosted.org/archives/list/[email protected]
