I have two-way trust established between IPA.DOMAIN.COM and
AD.DOMAIN.COM.  The users are sync'ed via a replication agreement and
password sync so is the same person as

With "KrbLocalUserMapping On" in the Apache config, everything works
great for users in the IPA domain.  The realm is properly stripped off
and the end applications work very well with IPA.

However, if a user from the AD domain authenticates, mod_auth_kerb does
not strip off the realm and returns "krb5_aname_to_localname() failed:
Supplied data not handled by this plugin", passing the untouched string
to the end application, which promptly chokes on it.  I tried adding
AD.DOMAIN.COM to "KrbAuthRealms" in the Apache configuration.  That
didn't do it.  Then I tried adding "auth_to_local =
RULE:[1:$1@$0](^.*@AD\.DOMAIN\.COM)s/@.*//" to /etc/krb5.conf under the
IPA realm.  That STILL didn't do it, and that is about the end of my
knowledge of Kerberos realm mapping and stripping.

Any help would be appreciated.

