On Tue, 25 Aug 2015, Simo Sorce wrote:
On Tue, 2015-08-25 at 15:19 +0200, Petr Spacek wrote:
On 1.8.2015 21:19, John Stein wrote:
> Hi,
> Thanks for the reply. Any idea when the GSSAPI-updating bug fix will get to
> RHEL 7?

You can watch the progress here:

Unfortunately fixing this bug will not be sufficient for your particular
scenario. FreeIPA does not allow ordinary host/ principals used by client
machines (not to be confused with FreeIPA servers) to get tickets for AD
Kerberos realms.

It effectively means that nsupdate will properly detect the AD realm and
generate a correct request, but the request will be refused because the client
will not be able to get a ticket.

I.e. you will have to resort to manual PTR record update OR convince
Alexander/Simo that allowing host/ principals from FreeIPA realm to get
tickets for AD realm is not a security issue :-)

There is no security issue per se; host/ principals can get tickets just
fine, but we do not attach a PAC here, and AD may refuse to operate w/o an
MS-PAC. Please open an RFE if this is breaking operations. We'll need to
decide how to assign a SID to hosts, but that's the only "security" issue
that needs to be solved.
For one-way trust you'll be unable to get the ticket at all as there is
no cross-forest TGT on our side to issue. And this is a default
configuration in FreeIPA 4.2. You will have to have bi-directional trust
to get GSSAPI authentication in nsupdate working at all against a
trusted forest.

/ Alexander Bokovoy
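As an added example, not part of the thread: a small shell helper that first checks whether the host principal can obtain the cross-realm TGT Alexander refers to (the step that fails with a one-way trust) before attempting `nsupdate -g`, and that builds the nsupdate input for the manual PTR record update Petr mentions as the fallback. Realm names (IPA.EXAMPLE, AD.EXAMPLE), host name, address and DNS server are assumed values.

```shell
#!/bin/sh
# Added example, not code from the thread. Assumed names: IPA realm
# IPA.EXAMPLE, AD realm AD.EXAMPLE, host client.ipa.example at 192.0.2.10.

# Reverse a dotted-quad IPv4 address into its in-addr.arpa PTR owner name.
ptr_name() {
    printf '%s\n' "$1" | awk -F. '{ print $4"."$3"."$2"."$1".in-addr.arpa." }'
}

# Emit an nsupdate script that replaces the PTR record for an address.
# $1 = IPv4 address, $2 = FQDN the record should point to, $3 = DNS server
ptr_update_script() {
    owner=$(ptr_name "$1")
    printf 'server %s\nupdate delete %s PTR\nupdate add %s 3600 PTR %s.\nsend\n' \
        "$3" "$owner" "$owner" "$2"
}

# Return 0 if a cross-realm TGT for the AD realm can be obtained with the
# current credential cache. With a one-way trust the IPA KDC has no
# cross-forest TGT to issue, so this fails and nsupdate -g cannot work.
# $1 = AD realm, $2 = IPA realm
cross_realm_tgt_ok() {
    kvno "krbtgt/$1@$2" >/dev/null 2>&1
}

# Run the full check only when invoked with: <ipv4> <fqdn> <dns-server>.
# Expects the host keytab (/etc/krb5.keytab) to be readable, e.g. as root.
if [ "$#" -eq 3 ]; then
    kinit -k "host/$2@IPA.EXAMPLE" || exit 1
    if cross_realm_tgt_ok AD.EXAMPLE IPA.EXAMPLE; then
        # GSS-TSIG update with the ticket just obtained
        ptr_update_script "$1" "$2" "$3" | nsupdate -g
    else
        echo "no cross-realm TGT for AD.EXAMPLE; update the PTR manually" >&2
        ptr_update_script "$1" "$2" "$3"
    fi
fi
```

Even when the cross-realm TGT is obtained, the AD DNS server may still reject the update because the ticket carries no MS-PAC, as Simo notes; in that case the printed script is the input for a manual update.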

Manage your subscription for the Freeipa-users mailing list:
Go to http://freeipa.org for more info on the project