On Thu, 26 May 2016, John Meyers wrote:
All,

I have two-way trust established between IPA.DOMAIN.COM and
AD.DOMAIN.COM.  The users are sync'ed via a replication agreement and
password sync so u...@ipa.domain.com is the same person as
u...@ad.domain.com.
Trust doesn't use synchronization. Your AD users are not IPA users and
will never be with trust.

With "KrbLocalUserMapping On" in the Apache config, everything works
great for users in the IPA domain.  The realm is properly stripped off
and the end applications work very well with IPA.

However, if a user from the AD domain authenticates, mod_auth_krb does
not strip off the realm and returns "krb5_aname_to_localname() failed:
Supplied data not handled by this plugin", passing the untouched string
to the end application which promptly chokes on it.  I tried adding
AD.DOMAIN.COM to "KrbAuthRealms" in the Apache configuration.  That
didn't do it.  Then I tried adding "auth_to_local =
RULE:[1:$1@$0](^.*@AD\.DOMAIN\.COM)s/@.*//"  to /etc/krb5.conf under the
IPA realm.  That STILL didn't do it and that is about the end of my
knowledge on kerberos realm mapping and stripping.

Any help would be appreciated.
SSSD on RHEL 7.x and Fedora 22+ provides a localauth plugin to Kerberos
that allows mapping a Kerberos principal to a user known by SSSD.
Effectively, u...@ad.domain.com principal would be mapped to
u...@ad.domain.com by SSSD localauth plugin automatically and
aname_to_localname() should succeed.

mod_auth_krb5 should work just fine with this setup if you remove
"KrbLocalUserMapping On" and add all allowed realms to
KrbAuthRealms.
--
/ Alexander Bokovoy
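As an added illustration that is not part of the thread, the following Python is a small, simplified re-implementation of the MIT krb5 auth_to_local RULE evaluation, applied to the rule quoted above; the principals it runs against (jdoe@AD.DOMAIN.COM and friends) are constructed samples, and the whole-string selector match is a simplification of krb5's behaviour. It shows what the rule yields when krb5 actually consults it for a given principal: an AD principal has its realm stripped, while an IPA principal or a multi-component principal is not matched and falls through.

```python
import re

# Matches RULE:[n:format](selector)s/pattern/replacement/[g]...
_RULE_RE = re.compile(r"^RULE:\[(\d+):([^\]]*)\]\((.*)\)(s/.*)$")
# One sed-style substitution; '/' inside pattern/replacement may be escaped
_SED_RE = re.compile(r"s/((?:\\.|[^/])*)/((?:\\.|[^/])*)/(g?)")


def parse_principal(principal):
    """Split 'comp1/comp2@REALM' into (components, realm).
    Minimal parser: no handling of backslash-escaped '/' or '@'."""
    name, realm = principal.rsplit("@", 1)
    return name.split("/"), realm


def apply_auth_to_local_rule(rule, principal):
    """Evaluate one auth_to_local RULE against a principal string.
    Returns the local user name, or None when the rule does not apply."""
    m = _RULE_RE.match(rule)
    if not m:
        raise ValueError("unsupported rule syntax: %r" % rule)
    ncomp, fmt, selector, sed_cmds = (int(m.group(1)), m.group(2),
                                      m.group(3), m.group(4))
    comps, realm = parse_principal(principal)
    # [n:...] only applies to principals with exactly n name components
    if len(comps) != ncomp:
        return None
    # $0 is the realm, $1..$n the components: "$1@$0" -> "jdoe@AD.DOMAIN.COM"
    vars_ = {"0": realm, **{str(i + 1): c for i, c in enumerate(comps)}}
    formatted = re.sub(r"\$(\d)", lambda mm: vars_.get(mm.group(1), ""), fmt)
    # The selector must match the whole formatted string (simplification;
    # see krb5.conf(5) for the exact semantics)
    if re.fullmatch(selector, formatted) is None:
        return None
    # Apply the sed-style substitutions left to right
    result = formatted
    for sm in _SED_RE.finditer(sed_cmds):
        pat, rep, glob = sm.groups()
        result = re.sub(pat, rep, result, count=0 if glob else 1)
    return result


if __name__ == "__main__":
    # The rule from the thread, run over constructed sample principals
    RULE = r"RULE:[1:$1@$0](^.*@AD\.DOMAIN\.COM)s/@.*//"
    for p in ("jdoe@AD.DOMAIN.COM", "jdoe@IPA.DOMAIN.COM",
              "host/web@AD.DOMAIN.COM"):
        print(p, "->", apply_auth_to_local_rule(RULE, p))
```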
