I know this is not officially supported. But I would still like to make it work.
We have a main IPA-Realm EXAMPLE.COM, and we have subdomain LAB.EXAMPLE.COM as another IPA-Realm. We want a one-way trust-relationship from the LAB-realm to our main realm.

I have tested this with two MIT-kerberos barebone KDCs, and I have been able to establish both one and two way trust between LAB.EXAMPLE.COM and a barebone MIT-realm. But for some reason I am not able to do this between our main realm, and the lab realm.

The krbtgt/-principal that establishes the trust is created in both realms with the following command:

    kadmin.local -e 'aes256-cts-hmac-sha1-96 aes128-cts-hmac-sha1-96' -q 'addprinc -requires_preauth krbtgt/[email protected]' -x ipa-setup-override-restrictions

When I try to log into a service in the lab realm with a valid ticket in the trusted domain via SSH (which works nicely with IPA and the barebone MIT setup), I just keep getting a "HANDLE_AUTHDATA"-error, which I just find briefly mentioned in a few posts online:

    debug1: Unspecified GSS failure. Minor code may provide more information
    KDC returned error string: HANDLE_AUTHDATA

On the lab-KDC: /var/log/krb5kdc.log

    Feb 20 21:47:42 test-ipa.lab.example.com krb5kdc[1540](info): closing down fd 11
    Feb 20 21:47:46 test-ipa.lab.example.com krb5kdc[1540](info): TGS_REQ : handle_authdata (22)
    Feb 20 21:47:46 test-ipa.lab.example.com krb5kdc[1540](info): TGS_REQ (2 etypes {aes256-cts-hmac-sha1-96(18), aes128-cts-hmac-sha1-96(17)}) fdd0:192:168:250:ad3:e32b:ef6b:486f: HANDLE_AUTHDATA: authtime 1676921750, etypes {rep=UNSUPPORTED:(0)} [email protected] for host/[email protected], Invalid argument

Any thoughts or tips would be greatly appreciated.
_______________________________________________
FreeIPA-users mailing list
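Added example, not part of the original post: a small Python filter for krb5kdc.log that parses TGS_REQ result lines in the format quoted above and lists the failed requests whose client and service realms differ, which is how the cross-realm failure in the post appears on the KDC. The principals, host names and addresses in the sample lines are constructed (the ones in the post are redacted), and the function names are this example's own.

```python
import re

# TGS_REQ result line as it appears in the krb5kdc.log excerpt in the post.
# On success the KDC writes a comma after the reply etypes; on failure it
# omits it and appends ", <error message>" after the service principal.
TGS_RE = re.compile(
    r"TGS_REQ \(\d+ etypes \{(?P<req>[^}]*)\}\) (?P<addr>\S+): "
    r"(?P<status>[A-Z0-9_]+): authtime (?P<authtime>\d+), "
    r"etypes \{(?P<rep>[^}]*)\},? "
    r"(?P<client>\S+) for (?P<service>[^,\s]+)(?:, (?P<error>.+))?$"
)

def realm(principal):
    """Return the realm part of a principal, or '' if it has none."""
    return principal.rsplit("@", 1)[-1] if "@" in principal else ""

def parse_tgs(line):
    """Parse one TGS_REQ result line into a dict, or return None."""
    m = TGS_RE.search(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["requested_etypes"] = [e.strip() for e in rec.pop("req").split(",")]
    rec["client_realm"] = realm(rec["client"])
    rec["service_realm"] = realm(rec["service"])
    return rec

def cross_realm_failures(lines):
    """Failed TGS requests where the client comes from another realm."""
    hits = []
    for line in lines:
        rec = parse_tgs(line)
        if rec and rec["status"] != "ISSUE" and rec["client_realm"] != rec["service_realm"]:
            hits.append(rec)
    return hits

# Constructed sample lines: one same-realm success, one cross-realm failure.
SAMPLE = """\
Feb 20 21:47:40 kdc.lab.example.com krb5kdc[1540](info): TGS_REQ (2 etypes {aes256-cts-hmac-sha1-96(18), aes128-cts-hmac-sha1-96(17)}) 192.0.2.10: ISSUE: authtime 1676921700, etypes {rep=aes256-cts-hmac-sha1-96(18), tkt=aes256-cts-hmac-sha1-96(18), ses=aes256-cts-hmac-sha1-96(18)}, bob@LAB.EXAMPLE.COM for host/server.lab.example.com@LAB.EXAMPLE.COM
Feb 20 21:47:46 kdc.lab.example.com krb5kdc[1540](info): TGS_REQ : handle_authdata (22)
Feb 20 21:47:46 kdc.lab.example.com krb5kdc[1540](info): TGS_REQ (2 etypes {aes256-cts-hmac-sha1-96(18), aes128-cts-hmac-sha1-96(17)}) 2001:db8::10: HANDLE_AUTHDATA: authtime 1676921750, etypes {rep=UNSUPPORTED:(0)} alice@EXAMPLE.COM for host/server.lab.example.com@LAB.EXAMPLE.COM, Invalid argument
"""

if __name__ == "__main__":
    for r in cross_realm_failures(SAMPLE.splitlines()):
        print(r["status"], r["client"], "->", r["service"], "|", r["error"])
```
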
