On Sat, 13 Sep 2014, Traiano Welcome wrote:
On Sat, Sep 13, 2014 at 7:03 PM, Alexander Bokovoy <aboko...@redhat.com> wrote:

On Sat, 13 Sep 2014, Traiano Welcome wrote:

Hi

I've managed to get trusts working with CentOS 7 as an IdM server, Win2K8R2
AD DC and CentOS6.5 as a client, using the exact same series of steps as in
the documentation. Attached is the process I used.

You got one step wrong:
============================================================================
8. Modify /etc/krb5.conf

[realms]
ENGENEON.LOCAL = {
 kdc = idm003.engeneon.local:88
 master_kdc = idm003.engeneon.local:88
 admin_server = idm003.engeneon.local:749
 default_domain = engeneon.local
 pkinit_anchors = FILE:/etc/ipa/ca.crt
 auth_to_local = RULE:[1:$1@$0](^.*@AD_DOMAIN$)s/@AD_DOMAIN/@ad_domain/
 auth_to_local = DEFAULT
}
============================================================================

Here you have to substitute AD_DOMAIN and ad_domain by your actual
AD domain name. This change has to be done currently on every IPA
machine where you are expecting AD users to log in.

Doh! Ok, fixed. Although I didn't notice any login failures testing with a
bunch of users. Is it possible this behavior is already being adapted
around in either one of PAM, OpenSSH or KRB5?
This affects single sign-on logins, i.e. when you try to log on with a
Kerberos ticket.

--
/ Alexander Bokovoy
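To see why the unsubstituted placeholders only bite ticket-based logins, here is a small evaluator for the subset of the MIT Kerberos auth_to_local RULE syntax used in the krb5.conf above; it is an added example, not code from the thread or from FreeIPA, and AD.EXAMPLE.COM is a constructed stand-in for the real AD domain.

```python
import re

# Evaluator for the subset of MIT Kerberos auth_to_local RULE syntax used in
# the krb5.conf above:  RULE:[<n>:<format>](<regex>)s/<pattern>/<replacement>/[g]
# Assumption: principal components are '/'-separated and the realm follows '@'.
RULE_RE = re.compile(
    r"^RULE:\[(\d+):([^\]]*)\]"                            # [n:format]
    r"(?:\(([^)]*)\))?"                                    # optional (regex) selector
    r"(?:s/((?:[^/\\]|\\.)*)/((?:[^/\\]|\\.)*)/(g?))?$"    # optional s/pat/repl/[g]
)

def apply_rule(rule, principal):
    """Local name that one RULE maps `principal` to, or None if the rule does not apply."""
    m = RULE_RE.match(rule)
    if not m:
        raise ValueError("unsupported rule: " + rule)
    ncomp, fmt, selector, pat, repl, gflag = m.groups()
    name, _, realm = principal.partition("@")
    components = name.split("/")
    if len(components) != int(ncomp):      # rule only applies to n-component principals
        return None
    candidate = fmt.replace("$0", realm)   # $0 is the realm, $1..$n the components
    for i, comp in enumerate(components, start=1):
        candidate = candidate.replace("$%d" % i, comp)
    if selector is not None and re.search(selector, candidate) is None:
        return None
    if pat is not None:
        candidate = re.sub(pat, repl, candidate, count=0 if gflag else 1)
    return candidate

def resolve(rules, principal, local_realm):
    """Walk the auth_to_local list in order; None means no local name, so the login is rejected."""
    for rule in rules:
        if rule == "DEFAULT":             # only single-component principals of the local realm
            name, _, realm = principal.partition("@")
            if realm == local_realm and "/" not in name:
                return name
            continue
        mapped = apply_rule(rule, principal)
        if mapped is not None:
            return mapped
    return None

LOCAL_REALM = "ENGENEON.LOCAL"
# Rule exactly as posted, placeholders left in: it can never match a real AD principal.
AS_POSTED = ["RULE:[1:$1@$0](^.*@AD_DOMAIN$)s/@AD_DOMAIN/@ad_domain/", "DEFAULT"]
# Placeholders replaced with a constructed AD domain (AD.EXAMPLE.COM stands in for the real one).
CORRECTED = ["RULE:[1:$1@$0](^.*@AD.EXAMPLE.COM$)s/@AD.EXAMPLE.COM/@ad.example.com/", "DEFAULT"]

if __name__ == "__main__":
    for rules in (AS_POSTED, CORRECTED):
        print(resolve(rules, "jdoe@AD.EXAMPLE.COM", LOCAL_REALM))  # None, then jdoe@ad.example.com
```

Password logins through SSSD never consult this mapping, which is why the test users still got in; only a GSSAPI/Kerberos-ticket login has to turn the AD principal into a local name.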

--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go To http://freeipa.org for more info on the project