Dan Scott wrote:
> Hi,
>
> Is there any documentation for adding cross realm authentication with FreeIPA?
>
> I have two FreeIPA realms:
>
> A.EXAMPLE.COM
> C.B.EXAMPLE.COM
>
> Following the Fedora krb5-server documentation:
>
> http://docs.fedoraproject.org/security-guide/f11/en-US/sect-Security_Guide-Kerberos-Setting_Up_Cross_Realm_Authentication.html
>
> I have added these principals to both FreeIPA servers:
>
> krbtgt/c.b.example....@a.example.com
>
> (I see the warning in the FreeIPA documentation about avoiding the use
> of kadmin and kadmin.local - I can remove these principals if
> necessary).
>
> There are master and replicated FreeIPA servers in both realms and
> they have the required ports open at the firewalls (both directions):
>
> http://freeipa.org/docs/1.2/Installation_Deployment_Guide/en-US/html/sect-Installation_and_Deployment_Guide-Preparing_for_an_IPA_Installation-Required_Ports.html
>
> So clients in A.EXAMPLE.COM should be able to authenticate to
> C.B.EXAMPLE.COM, but not the other way around (this is how I would
> like it set up).
>
> However, this does not appear to work. I assume that I need to add
> some entries to the LDAP server as well? Does anyone know if this is
> true and if so, how I should go about it?
>

The cross realm configuration has not been tried in IPA v1.x. We also do not plan to try it for IPA v2, which we are wrapping up soon. Cross realm will be our primary focus for IPA v3. We will be working on it next year.

However, maybe a cross realm configuration is possible and other team members have ideas of how to make it work.

> Thanks,
>
> Dan Scott
> http://danieljamesscott.org
>
> _______________________________________________
> Freeipa-users mailing list
> https://www.redhat.com/mailman/listinfo/freeipa-users

-- 
Thank you,
Dmitri Pal
Engineering Manager IPA project,
Red Hat Inc.
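An added example (not from the thread or the FreeIPA project) showing, from a client's `klist` output, whether the one-way trust the question describes actually took effect: it names the shared `krbtgt/C.B.EXAMPLE.COM@A.EXAMPLE.COM` principal that must carry the same key in both KDCs, and checks that the A.EXAMPLE.COM KDC issued a cross-realm TGT for C.B.EXAMPLE.COM while no reverse ticket exists. The `klist` text, hostname, user and timestamps are constructed placeholders; only the realm names come from the thread.

```python
import re
from typing import List, Tuple

# Added example (not from the thread). Realm names are the thread's; the
# hostname, user and timestamps below are constructed placeholders.
# Constructed `klist` output on an A.EXAMPLE.COM client after `kinit` and
# `kvno host/ipa1.c.b.example.com@C.B.EXAMPLE.COM`.
SAMPLE_KLIST = """\
Ticket cache: FILE:/tmp/krb5cc_1000
Default principal: dan@A.EXAMPLE.COM

Valid starting     Expires            Service principal
11/20/10 10:00:01  11/21/10 10:00:01  krbtgt/A.EXAMPLE.COM@A.EXAMPLE.COM
11/20/10 10:00:05  11/21/10 10:00:01  krbtgt/C.B.EXAMPLE.COM@A.EXAMPLE.COM
11/20/10 10:00:05  11/21/10 10:00:01  host/ipa1.c.b.example.com@C.B.EXAMPLE.COM
"""

KRBTGT_RE = re.compile(r"^krbtgt/(?P<remote>[^@]+)@(?P<issuer>.+)$")

def trust_principal(source_realm: str, target_realm: str) -> str:
    """Principal that must hold the same key in BOTH KDCs for clients of
    source_realm to reach target_realm; the reverse direction needs the
    mirror image, so leaving that out is what makes the trust one-way."""
    return f"krbtgt/{target_realm}@{source_realm}"

def service_principals(klist_text: str) -> List[str]:
    """Service-principal column of every ticket line in `klist` output."""
    out = []
    for line in klist_text.splitlines():
        fields = line.split()          # date time date time principal
        if len(fields) == 5 and "@" in fields[-1]:
            out.append(fields[-1])
    return out

def cross_realm_tgts(klist_text: str) -> List[Tuple[str, str]]:
    """(remote_realm, issuing_realm) for each cross-realm TGT in the cache."""
    found = []
    for svc in service_principals(klist_text):
        m = KRBTGT_RE.match(svc)
        if m and m["remote"] != m["issuer"]:
            found.append((m["remote"], m["issuer"]))
    return found

def can_reach(klist_text: str, source_realm: str, target_realm: str) -> bool:
    """True if the cache holds the direct cross-realm TGT for source -> target."""
    return (target_realm, source_realm) in cross_realm_tgts(klist_text)
```

If `can_reach` is false after a `kvno` against a C.B.EXAMPLE.COM service, the A.EXAMPLE.COM KDC never issued the cross-realm TGT, which points at the krbtgt entry (or its key) rather than at the remote side.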