Hmm, just upgraded to 3 so thought I would give it a go ... but (ain't there always one of those :() can't seem to add the principal ..

kadmin.local:  add_principal krbtgt/OLD-REALM@IPA-REALM
WARNING: no policy specified for krbtgt/OLD-REALM@IPA-REALM; defaulting to no policy
Enter password for principal "krbtgt/OLD-REALM@IPA-REALM":
Re-enter password for principal "krbtgt/OLD-REALM@IPA-REALM":
add_principal: Invalid argument while creating "krbtgt/OLD-REALM@IPA-REALM".

and nothing was placed in the kadmin log .. :(


rgds

Matt B.

On 11/27/2013 01:57 PM, Rob Crittenden wrote:
Matt Bryant wrote:
All,

Is there any documentation anywhere that describes whether this can be
done and how to do it ?? Would like to set up a one way trust between a
new IPA realm and a legacy Kerberos realm. The doco explicitly says don't
use kadmin/kadmin.local so not sure how to get the
krbtgt/OLD_REALM@IPA-REALM principal into IPA that would facilitate such
a trust.

We haven't implemented (or tested) this yet. It is just MIT Kerberos under-the-hood so in theory creating the right principals should do the trick.

If you have IPA 3.0+ then you can use kadmin to create the principals you need. IIRC the RHEL Kerberos documentation is fairly good in this regard.

rob
