All, I have two-way trust established between IPA.DOMAIN.COM and AD.DOMAIN.COM. The users are sync'ed via a replication agreement and password sync so u...@ipa.domain.com is the same person as u...@ad.domain.com.
With "KrbLocalUserMapping On" in the Apache config, everything works great for users in the IPA domain. The realm is properly stripped off and the end applications work very well with IPA. However, if a user from the AD domain authenticates, mod_auth_krb does not strip off the realm and returns "krb5_aname_to_localname() failed: Supplied data not handled by this plugin", passing the untouched string to the end application which promptly chokes on it. I tried adding AD.DOMAIN.COM to "KrbAuthRealms" in the Apache configuration. That didn't do it. Then I tried adding "auth_to_local = RULE:[1:$1@$0](^.*@AD\.DOMAIN\.COM)s/@.*//" to /etc/krb5.conf under the IPA realm. That STILL didn't do it and that is about the end of my knowledge on kerberos realm mapping and stripping. Any help would be appreciated. John -- Manage your subscription for the Freeipa-users mailing list: https://www.redhat.com/mailman/listinfo/freeipa-users Go to http://freeipa.org for more info on the project