Am 05.12.2014 um 14:04 schrieb Alexander Bokovoy: > >>>> >>> Ok, i see one difference: i didnt use the "-requires_preauth" flag. Why >>> did you use them ? >> Because this is recommended by MIT documentation. The link between >> realms has to be protected well, including preauth and good passwords >> for the cross-realm principals. >> >> >>> Is it possible or a good idea to add my trust domain, which isnt a AD >>> domain, manualy to IPA 3.3 ? >> Well, you can hack of course, that's up to you. I haven't checked that >> myself and cannot give you definitive answer on this path, though. At this time i havent an idea off the steps in detail how to do that. >> >>>> >>>> >>>> We may reconsider this check and instead of KRB5KRB_AP_ERR_ILL_CR_TKT >>>> return KRB5_PLUGIN_NO_HANDLE to allow fallback to krb5.conf-defined >>>> capaths but I remember we had some issues with krb5 versions prior to >>>> 1.12 where capaths from krb5.conf were blocking work of the DAL >>>> driver. >>> I use MIT Kerberos 1.6 from OpenCSW on Solaris and FreeIPA 3.3.5. So >>> this shouldnt be a problem ?! Sorry i made a little typing mistake. The foreign realm ist MIT Kerberos 1.9.2 and not 1.6 >> 1.6 does not support cross-realm communication as support for RFC6806 >> was added only in 1.7. So I don't think your setup would have any chance >> to work at all. > Hm.. on the other hand, 1.6 documentation talks about it: > http://web.mit.edu/kerberos/krb5-1.6/krb5-1.6.3/doc/krb5-admin.html#Cross_002drealm-Authentication > > So may be their changelogs aren't as complete as they should be. :) > > With the link above you can also see with disabling preauth on the > cross-realm krbtgt records is recommended. > > But I think most of your issues were because of the 88 port not being > available and no other means to traverse firewall were configured. I will look particular for that.
There is no firewall between the two KDCs. > That > is, aside from the fact that IPA will reject cross-realm tickets because > of how we programmed DAL driver as I explained above. I dont know in detail what DAL is doing. OK, it sounds like with IPA my setup wont be very easy :-)
Description: S/MIME Cryptographic Signature
-- Manage your subscription for the Freeipa-users mailing list: https://www.redhat.com/mailman/listinfo/freeipa-users Go To http://freeipa.org for more info on the project