> ----- Original message -----
> From: "Alexander Bokovoy" <aboko...@redhat.com>
> To: "Nicolas Zin" <nicolas....@savoirfairelinux.com>
> Cc: email@example.com
> Sent: Monday, 1 December 2014 19:28:20
> Subject: Re: [Freeipa-users] freeipa-freeipa trust relationship
>
> On Mon, 01 Dec 2014, Nicolas Zin wrote:
> >Hi,
> >
> >I know that it is possible to connect a FreeIPA/idm to an Active
> >Directory forest.
> >
> >But is there a way to have a relationship between 2 freeipa domains,
> >and if yes, is there any documentation.
> Not implemented yet.
So even "manually" it is not possible? Like following
https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/6/html/Managing_Smart_Cards/Setting_Up_Cross_Realm_Authentication.html ?

So far, I tried to:

  kadmin.local -x ipa-setup-override-restrictions -r A.EXAMPLE.COM add_principal krbtgt/b.example....@a.example.com
  kadmin.local -x ipa-setup-override-restrictions -r B.EXAMPLE.COM add_principal krbtgt/a.example....@b.example.com

edit /etc/krb5.conf to add elements in sections [realms], [domain_realm] and [capaths],
and add a file into /var/lib/sss/pubconf/kdcinfo.B.EXAMPLE.COM (and /var/lib/sss/pubconf/kdcinfo.A.EXAMPLE.COM).

Yes, this is ugly.

I managed to kinit us...@b.example.com from A.EXAMPLE.COM and, with this credential, to ssh to the other host.

But I haven't managed to do it transparently (i.e. ssh B.EXAMPLE.COM -l us...@a.example.com with the good password, or better: without password).

I guess this is not implemented in sssd and this is the problem I face?

Regards,
Nicolas

--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go To http://freeipa.org for more info on the project
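
Added example, not part of the original message and not FreeIPA code: a small Python check of the three krb5.conf sections named in the message ([realms], [domain_realm], [capaths]) for a two-way direct path between A.EXAMPLE.COM and B.EXAMPLE.COM. The sample file and KDC host names are constructed, and requiring a direct `.` entry in [capaths] in both directions is an assumption about the intended setup.

```python
import re
# Constructed sample krb5.conf; the KDC host names are hypothetical.
SAMPLE = """
[realms]
 A.EXAMPLE.COM = {
  kdc = ipa.a.example.com
 }
 B.EXAMPLE.COM = {
  kdc = ipa.b.example.com
 }
[domain_realm]
 .a.example.com = A.EXAMPLE.COM
 .b.example.com = B.EXAMPLE.COM
[capaths]
 A.EXAMPLE.COM = {
  B.EXAMPLE.COM = .
 }
"""

def parse_krb5(text):
    """Parse [sections], 'key = value' relations and one level of { } nesting."""
    conf, section, sub = {}, None, None
    for line in map(str.strip, text.splitlines()):
        if m := re.fullmatch(r"\[(\w+)\]", line):
            section, sub = conf.setdefault(m.group(1), {}), None
        elif line == "}":
            sub = None
        elif "=" in line and line[0] not in "#;" and section is not None:
            key, val = (p.strip() for p in line.split("=", 1))
            if val == "{":
                sub = section.setdefault(key, {})
            else:
                (section if sub is None else sub).setdefault(key, []).append(val)
    return conf

def missing_for_trust(conf, local, remote):
    """Return the entries this file lacks for a two-way direct path (assumed goal)."""
    gaps = []
    for realm in (local, remote):
        if not conf.get("realms", {}).get(realm, {}).get("kdc"):
            gaps.append(f"[realms] {realm}: no kdc")
        if [realm] not in conf.get("domain_realm", {}).values():
            gaps.append(f"[domain_realm]: nothing maps to {realm}")
    for src, dst in ((local, remote), (remote, local)):
        if "." not in conf.get("capaths", {}).get(src, {}).get(dst, []):
            gaps.append(f"[capaths] {src} -> {dst}: no direct '.' entry")
    return gaps
```

Run against the constructed sample, `missing_for_trust(parse_krb5(SAMPLE), "A.EXAMPLE.COM", "B.EXAMPLE.COM")` reports only the missing B to A entry in [capaths].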