On Sat, 13 Sep 2014, Traiano Welcome wrote:

> I've managed to get trusts working with CentOS 7 as an IdM server, Win2K8R2
> AD DC and CentOS6.5 as a client, using the exact same series of steps as in
> the documentation. Attached is the process I used.

You got one step wrong:
8. Modify /etc/krb5.conf

 kdc = idm003.engeneon.local:88
 master_kdc = idm003.engeneon.local:88
 admin_server = idm003.engeneon.local:749
 default_domain = engeneon.local
 pkinit_anchors = FILE:/etc/ipa/ca.crt
 auth_to_local = RULE:[1:$1@$0](^.*@AD_DOMAIN$)s/@AD_DOMAIN/@ad_domain/
 auth_to_local = DEFAULT

Here you have to substitute AD_DOMAIN and ad_domain with your actual
AD domain name. This change currently has to be made on every IPA
machine where you expect AD users to log in.

For each domain in the trusted AD forest, AD_DOMAIN should be its realm
and ad_domain should be the same in lower case, as SSSD normalizes user
names to lower case. The rule tells the Kerberos library how to transform a
Kerberos principal (thus the REALM has to be upper case, as required by
MIT Kerberos) into a POSIX user name (thus the domain name is put in lower
case, as SSSD will normalize the user name). OpenSSH and some other software
actually check that the POSIX user name corresponds to the value the Kerberos
library returns to the OpenSSH daemon after running it through the
auth_to_local rules.

I.e., in your case it would be

  auth_to_local = 

and if you have multiple subdomains, there should be multiple rules like
this, one for each domain whose users you want to be able to log in.
We are improving this in MIT Kerberos 1.12 and SSSD 1.12.1, where all
these rules will be replaced with a plugin that fetches the list of domains
from IPA servers and manages it automatically. However, it is currently
not available in any released distribution.

/ Alexander Bokovoy
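
The mapping described in this reply, as an added example that is not part of the original message or of the FreeIPA project: a small interpreter for the MIT Kerberos auth_to_local RULE syntax, run over constructed principals to show why the realm in the rule must be upper case, why the replacement is lower case, and why a second AD subdomain needs its own rule. The realm and domain names (ENGENEON.LOCAL, AD.EXAMPLE.COM) are constructed placeholders.

```python
import re

# Constructed values for illustration; substitute the real IPA realm and AD domain.
IPA_REALM = "ENGENEON.LOCAL"
AD_DOMAIN = "AD.EXAMPLE.COM"

# RULE:[n:string](regexp)s/pattern/replacement/[g]
RULE_RE = re.compile(r"^RULE:\[(\d+):([^\]]*)\]\((.*)\)s/(.*?)/(.*?)/(g?)$")


def make_rule(ad_domain: str) -> str:
    """Build the auth_to_local line from the message for one AD domain."""
    upper, lower = ad_domain.upper(), ad_domain.lower()
    return f"RULE:[1:$1@$0](^.*@{upper}$)s/@{upper}/@{lower}/"


def apply_rule(rule: str, principal: str):
    """Apply one RULE to a principal; None when the rule does not match."""
    n, fmt, regexp, pattern, repl, flags = RULE_RE.match(rule).groups()
    name, _, realm = principal.rpartition("@")
    components = name.split("/")
    if len(components) != int(n):      # wrong component count: rule skipped
        return None
    s = fmt.replace("$0", realm)       # $0 is the realm, $1..$n the components
    for i in range(int(n), 0, -1):     # highest index first so $1 never eats $10
        s = s.replace(f"${i}", components[i - 1])
    if not re.fullmatch(regexp, s):    # regexp must match the whole string
        return None
    return re.sub(pattern, repl, s, count=0 if flags else 1)


def map_principal(rules, principal: str, local_realm: str):
    """Walk the auth_to_local rules in order and return the POSIX user name."""
    for rule in rules:
        if rule == "DEFAULT":          # single-component principal in local realm
            name, _, realm = principal.rpartition("@")
            if realm == local_realm and "/" not in name:
                return name
            continue
        out = apply_rule(rule, principal)
        if out is not None:
            return out
    return None                        # no rule matched: login will be refused


if __name__ == "__main__":
    rules = [make_rule(AD_DOMAIN), "DEFAULT"]
    for p in ("jdoe@AD.EXAMPLE.COM", "admin@ENGENEON.LOCAL", "jdoe@SUB.AD.EXAMPLE.COM"):
        print(p, "->", map_principal(rules, p, IPA_REALM))
```

The last principal maps to nothing because only AD.EXAMPLE.COM has a rule; a trusted subdomain needs its own RULE line before DEFAULT.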

Manage your subscription for the Freeipa-users mailing list:
Go To http://freeipa.org for more info on the project
