Hi,

Is there any documentation for adding cross realm authentication with FreeIPA?

I have two FreeIPA realms:

A.EXAMPLE.COM
C.B.EXAMPLE.COM

Following the Fedora krb5-server documentation:

http://docs.fedoraproject.org/security-guide/f11/en-US/sect-Security_Guide-Kerberos-Setting_Up_Cross_Realm_Authentication.html

I have added these principals to both FreeIPA servers:

krbtgt/c.b.example....@a.example.com

(I see the warning in the FreeIPA documentation about avoiding the use
of kadmin and kadmin.local - I can remove these principals if
necessary).

There are master and replicated FreeIPA servers in both realms, and
they have the required ports open at the firewalls (both directions):

http://freeipa.org/docs/1.2/Installation_Deployment_Guide/en-US/html/sect-Installation_and_Deployment_Guide-Preparing_for_an_IPA_Installation-Required_Ports.html

So clients in A.EXAMPLE.COM should be able to authenticate to
C.B.EXAMPLE.COM, but not the other way around (this is how I would
like it set up).

However, this does not appear to work. I assume that I need to add
some entries to the LDAP server as well? Does anyone know if this is
true and if so, how I should go about it?

Thanks,

Dan Scott
http://danieljamesscott.org
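As an added illustration of what the single principal in the post does and does not buy you (this is example code written for this thread, not FreeIPA or MIT krb5 code, and not something the poster ran), the block below models the two ways a client in A.EXAMPLE.COM can reach C.B.EXAMPLE.COM: the default hierarchical realm walk from RFC 4120 (up to the common ancestor EXAMPLE.COM, then down through B.EXAMPLE.COM), and a direct one-hop route declared in a krb5.conf [capaths] stanza. For each path it lists the cross-realm krbtgt principal every hop needs, which KDC databases must share that key, and whether the one principal from the post is enough in each direction. Function names, the `present` set and the handling of realms with no common suffix are assumptions of this example.

```python
"""Model of Kerberos cross-realm paths and the krbtgt principals they need.

Added example for this thread, not FreeIPA or MIT krb5 code.  It re-implements
the default hierarchical realm walk (RFC 4120, the 'realm tree') for the two
realms named in the post and lists, for each hop, the cross-realm krbtgt
principal that must hold the same key in both KDCs.
"""


def realm_path(client_realm, server_realm, direct=False):
    """Realms a client in client_realm traverses to reach server_realm.

    direct=True models a [capaths] entry of the form
        CLIENT.REALM = { SERVER.REALM = . }
    i.e. a single hop.  Otherwise the default hierarchical path is used:
    up to the nearest common DNS-style ancestor, then down to the server.
    """
    client = client_realm.upper()
    server = server_realm.upper()
    if client == server:
        return [client]
    if direct:
        return [client, server]
    c = client.split(".")
    s = server.split(".")
    # Length of the longest common suffix of labels (the common ancestor).
    n = 0
    while n < min(len(c), len(s)) and c[len(c) - 1 - n] == s[len(s) - 1 - n]:
        n += 1
    if n == 0:
        # No common ancestor to walk through.  Assumption of this example:
        # treat it as a single hop that only a direct trust can satisfy.
        return [client, server]
    # Walk up from the client realm to the ancestor (ancestor included) ...
    up = [".".join(c[i:]) for i in range(0, len(c) - n + 1)]
    # ... then down from just below the ancestor to the server realm.
    down = [".".join(s[i:]) for i in range(len(s) - n - 1, -1, -1)]
    return up + down


def krbtgt_principals(path):
    """For each hop R_i -> R_{i+1} on the path, the cross-realm principal
    krbtgt/R_{i+1}@R_i.  The issuing KDC (R_i) and the accepting KDC
    (R_{i+1}) must both hold it with an identical key."""
    return [(f"krbtgt/{nxt}@{cur}", (cur, nxt)) for cur, nxt in zip(path, path[1:])]


def trust_usable(present, client_realm, server_realm, direct=False):
    """True when every krbtgt principal the path needs is in `present`
    (a set of principal names).  A one-way trust is exactly the case where
    this holds for one direction and not for the other."""
    path = realm_path(client_realm, server_realm, direct)
    needed = {princ for princ, _ in krbtgt_principals(path)}
    return needed <= present


def capaths_stanza(client_realm, server_realm):
    """krb5.conf [capaths] entry declaring a direct (single hop) route.
    It belongs in krb5.conf on the clients in client_realm and on the KDC
    and services in server_realm that validate the ticket's transited field."""
    return (
        "[capaths]\n"
        f"    {client_realm.upper()} = {{\n"
        f"        {server_realm.upper()} = .\n"
        "    }\n"
    )


if __name__ == "__main__":
    # Constructed scenario matching the post: only this one principal exists.
    present = {"krbtgt/C.B.EXAMPLE.COM@A.EXAMPLE.COM"}
    for direct in (False, True):
        path = realm_path("A.EXAMPLE.COM", "C.B.EXAMPLE.COM", direct)
        print(("direct" if direct else "hierarchical") + " path:", " -> ".join(path))
        for princ, kdcs in krbtgt_principals(path):
            print("  needs", princ, "in the KDC databases of", kdcs)
        print("  usable A -> C:", trust_usable(present, "A.EXAMPLE.COM", "C.B.EXAMPLE.COM", direct))
        print("  usable C -> A:", trust_usable(present, "C.B.EXAMPLE.COM", "A.EXAMPLE.COM", direct))
    print(capaths_stanza("A.EXAMPLE.COM", "C.B.EXAMPLE.COM"))
```

Two things the model makes visible: the hierarchical path needs krbtgt principals for three hops (through EXAMPLE.COM and B.EXAMPLE.COM), none of which the post created, so the single krbtgt/C.B.EXAMPLE.COM@A.EXAMPLE.COM only helps if both sides use the direct route; and the reverse principal krbtgt/A.EXAMPLE.COM@C.B.EXAMPLE.COM is absent, which is what makes the trust one-way. A cross-realm TGT only authenticates the A.EXAMPLE.COM principal; which services in C.B.EXAMPLE.COM accept it is still decided by each service's own authorization.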
