Hi, Is there any documentation for adding cross realm authentication with FreeIPA?
I have two FreeIPA realms: A.EXAMPLE.COM C.B.EXAMPLE.COM Following the Fedora krb5-server documentation: http://docs.fedoraproject.org/security-guide/f11/en-US/sect-Security_Guide-Kerberos-Setting_Up_Cross_Realm_Authentication.html I have added these principals to both FreeIPA servers: krbtgt/c.b.example....@a.example.com (I see the warning in the FreeIPA documentation about avoiding the use of kadmin and kadmin.local - I can remove these principals if necessary). There are master and replicated FreeIPA servers in both realms and they have the required ports open at the firewalls (both directions) http://freeipa.org/docs/1.2/Installation_Deployment_Guide/en-US/html/sect-Installation_and_Deployment_Guide-Preparing_for_an_IPA_Installation-Required_Ports.html So clients in A.EXAMPLE.COM should be able to authenticate to C.B.EXAMPLE.COM, but not the other way around (This is how I would like it setup). However, this does not appear to work. I assume that I need to add some entries to the LDAP server as well? Does anyone know if this is true and if so, how I should go about it? Thanks, Dan Scott http://danieljamesscott.org _______________________________________________ Freeipa-users mailing list Freeipaemail@example.com https://www.redhat.com/mailman/listinfo/freeipa-users