Am 05.12.2014 um 14:04 schrieb Alexander Bokovoy:
>>> Ok, i see one difference: i didnt use the "-requires_preauth" flag. Why
>>> did you use them ?
>> Because this is recommended by MIT documentation. The link between
>> realms has to be protected well, including preauth and good passwords
>> for the cross-realm principals.
>>> Is it possible or a good idea to add my trust domain, which isnt a AD
>>> domain, manualy to IPA 3.3 ?
>> Well, you can hack of course, that's up to you. I haven't checked that
>> myself and cannot give you definitive answer on this path, though.
At this time i havent an idea off the steps in detail how to do that.
>>>> We may reconsider this check and instead of KRB5KRB_AP_ERR_ILL_CR_TKT
>>>> return KRB5_PLUGIN_NO_HANDLE to allow fallback to krb5.conf-defined
>>>> capaths but I remember we had some issues with krb5 versions prior to
>>>> 1.12 where capaths from krb5.conf were blocking work of the DAL
>>>> driver.
>>> I use MIT Kerberos 1.6 from OpenCSW on Solaris and FreeIPA 3.3.5. So
>>> this shouldnt be a problem ?!
Sorry i made a little typing mistake. The foreign realm ist MIT Kerberos
1.9.2 and not 1.6
>> 1.6 does not support cross-realm communication as support for RFC6806
>> was added only in 1.7. So I don't think your setup would have any chance
>> to work at all.
> Hm.. on the other hand, 1.6 documentation talks about it:
> So may be their changelogs aren't as complete as they should be. :)
> With the link above you can also see with disabling preauth on the
> cross-realm krbtgt records is recommended.
> But I think most of your issues were because of the 88 port not being
> available and no other means to traverse firewall were configured. 
I will look particular for that.

There is no firewall between the two KDCs.

> That
> is, aside from the fact that IPA will reject cross-realm tickets because
> of how we programmed DAL driver as I explained above.

I dont know in detail what DAL is doing.

OK, it sounds like with IPA my setup wont be very easy :-)

Attachment: smime.p7s
Description: S/MIME Cryptographic Signature

Manage your subscription for the Freeipa-users mailing list:
Go To for more info on the project

Reply via email to