On Sat, Sep 13, 2014 at 7:03 PM, Alexander Bokovoy <aboko...@redhat.com>

> On Sat, 13 Sep 2014, Traiano Welcome wrote:
>> Hi
>> I've managed to get trusts working with CentOS 7 as an IdM server, Win2K8R2
>> AD DC and CentOS6.5 as a client, using the exact same series of steps as in
>> the documentation. Attached is the process I used.
> You got one step wrong:
> ============================================================================
> 8. Modify /etc/krb5.conf
> [realms]
>  kdc = idm003.engeneon.local:88
>  master_kdc = idm003.engeneon.local:88
>  admin_server = idm003.engeneon.local:749
>  default_domain = engeneon.local
>  pkinit_anchors = FILE:/etc/ipa/ca.crt
>  auth_to_local = RULE:[1:$1@$0](^.*@AD_DOMAIN$)s/@AD_DOMAIN/@ad_domain/
>  auth_to_local = DEFAULT
> }
> ============================================================================
> Here you have to substitute AD_DOMAIN and ad_domain by your actual
> AD domain name. This change has to be done currently on every IPA
> machine where you are expecting AD users to log in.

Doh! ok, fixed. Although, I didn't notice any login failures testing with a
bunch of users. Is it possible this behavior is already being adapted
around in either one of PAM, OpenSSH or KRB5?

> For each domain in the trusted AD forest, AD_DOMAIN should be its realm
> and ad_domain should be the same in low-case as SSSD normalizes user
> names to lower case. The rule tells Kerberos library how to transform a
> Kerberos principal (thus REALM has to be upper case as it is required in
> MIT Kerberos) to a POSIX user name (thus put domain name in lower case
> as SSSD will normalize the user name). OpenSSH and some other software
> actually checks that POSIX user name corresponds to the value Kerberos
> library will return to OpenSSH daemon after running through
> auth_to_local rules.
> I.e., in your case it would be
>   auth_to_local = RULE:[1:$1@$0](^.*@MHATEST.LOCAL$)s/@MHATEST.LOCAL/@mhatest.local/
> and if you have multiple subdomains, there should be multiple rules like
> this, each for the domain which users you want to be able to log in.
> We are improving this in MIT Kerberos 1.12 and SSSD 1.12.1 where all
> these rules will be replaced with a plugin that fetches list of domains
> from IPA servers and automatically manage it. However, it is currently
> not available in any released distribution.
> --
> / Alexander Bokovoy
Manage your subscription for the Freeipa-users mailing list:
Go To http://freeipa.org for more info on the project
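As an added illustration (not code from the thread, and not how libkrb5 or SSSD implement this), here is a small Python evaluator for the auth_to_local RULE and DEFAULT syntax discussed above, together with a generator that emits one rule per trusted AD domain. The realm names MHATEST.LOCAL and ENGENEON.LOCAL come from the thread; the eu.mhatest.local subdomain, the user jdoe and the parser simplifications noted in the comments are assumptions made for this example.

```python
import re


def parse_principal(principal):
    """Split 'comp1/comp2@REALM' into (components, realm)."""
    name, sep, realm = principal.rpartition("@")
    if not sep:
        raise ValueError(f"principal has no realm: {principal}")
    return name.split("/"), realm


def parse_rule(rule):
    """Parse 'RULE:[n:fmt](regex)s/pat/repl/[g]...' into its parts.

    Simplifications (assumptions for this example, not MIT's parser):
    the selection regex contains no literal ')' and every substitution
    uses '/' as its delimiter.
    """
    m = re.match(r"RULE:\[(\d+):([^\]]*)\]\(([^)]*)\)(.*)$", rule)
    if not m:
        raise ValueError(f"unparseable rule: {rule}")
    ncomp, fmt, selector, rest = int(m.group(1)), m.group(2), m.group(3), m.group(4)
    subs = [(pat, repl, flag == "g")
            for pat, repl, flag in re.findall(r"s/([^/]*)/([^/]*)/(g?)", rest)]
    return ncomp, fmt, selector, subs


def apply_rule(rule, principal):
    """Return the local name produced by one RULE, or None if it does not apply."""
    comps, realm = parse_principal(principal)
    ncomp, fmt, selector, subs = parse_rule(rule)
    if len(comps) != ncomp:          # [n:...] only applies to n-component principals
        return None
    # $0 is the realm, $1..$n are the principal components (fewer than 10 assumed).
    candidate = fmt.replace("$0", realm)
    for i, comp in enumerate(comps, start=1):
        candidate = candidate.replace(f"${i}", comp)
    if not re.search(selector, candidate):   # selection regex must match
        return None
    for pat, repl, global_sub in subs:       # then run the s/// substitutions in order
        candidate = re.sub(pat, repl, candidate, count=0 if global_sub else 1)
    return candidate


def auth_to_local(rules, principal, default_realm):
    """Walk the auth_to_local list in order; None means 'no local name'."""
    comps, realm = parse_principal(principal)
    for rule in rules:
        if rule == "DEFAULT":
            # DEFAULT maps a single-component principal in the default realm
            # to that component; anything else gets no mapping from it.
            if realm == default_realm and len(comps) == 1:
                return comps[0]
            continue
        if rule.startswith("RULE:"):
            result = apply_rule(rule, principal)
            if result is not None:
                return result
            continue
        raise ValueError(f"unsupported auth_to_local entry: {rule}")
    return None


def rules_for_ad_domains(domains):
    """One RULE per trusted AD domain: upper-case realm in, lower-case POSIX name out.

    A forest with subdomains needs one entry per subdomain whose users may log in.
    Dots are escaped so the regex only matches the literal domain name.
    """
    rules = []
    for domain in domains:
        upper, lower = re.escape(domain.upper()), domain.lower()
        rules.append(f"RULE:[1:$1@$0](^.*@{upper}$)s/@{upper}/@{lower}/")
    return rules


if __name__ == "__main__":
    # Constructed sample: IPA realm ENGENEON.LOCAL trusting MHATEST.LOCAL and a
    # hypothetical child domain eu.mhatest.local.
    default_realm = "ENGENEON.LOCAL"
    placeholder = ["RULE:[1:$1@$0](^.*@AD_DOMAIN$)s/@AD_DOMAIN/@ad_domain/", "DEFAULT"]
    fixed = rules_for_ad_domains(["mhatest.local", "eu.mhatest.local"]) + ["DEFAULT"]
    for rule in fixed:
        print("auth_to_local =", rule)
    for princ in ("jdoe@MHATEST.LOCAL", "jdoe@EU.MHATEST.LOCAL",
                  "admin@ENGENEON.LOCAL", "host/idm003.engeneon.local@ENGENEON.LOCAL"):
        print(f"{princ:45} placeholder -> {auth_to_local(placeholder, princ, default_realm)!s:20}"
              f" fixed -> {auth_to_local(fixed, princ, default_realm)}")
```

Running it shows why the placeholder rule from step 8 is a real problem rather than a cosmetic one: a literal `AD_DOMAIN` never matches, so an AD principal falls through to DEFAULT, which only covers the IPA realm, and ends up with no local name at all. With the per-domain rule the principal maps to the lower-case, fully qualified name SSSD uses, and a user in a child domain only maps once a rule for that child domain is present.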