Re: [Freeipa-users] freeipa-freeipa trust relationship

2014-12-01 Thread Alexander Bokovoy

On Mon, 01 Dec 2014, Nicolas Zin wrote:
> > - Original message -
> > From: "Alexander Bokovoy"
> > To: "Nicolas Zin"
> > Cc: freeipa-users@redhat.com
> > Sent: Monday 1 December 2014 19:28:20
> > Subject: Re: [Freeipa-users] freeipa-freeipa trust relationship
> >
> > On Mon, 01 Dec 2014, Nicolas Zin wrote:
> > >Hi,
> > >
> > >I know that it is possible to connect a FreeIPA/idm to an Active
> > >Directory forest.
> > >
> > >But is there a way to have a relationship between 2 freeipa domains,
> > >and if yes, is there any documentation.
> > Not implemented yet.
>
> So even "manually" it is not possible? like following
> https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/6/html/Managing_Smart_Cards/Setting_Up_Cross_Realm_Authentication.html
> ?

That one is only covering a 'generic' Kerberos realm trust, not
specifically applied to FreeIPA.


> So far, I tried to:
> kadmin.local -x ipa-setup-override-restrictions -r A.EXAMPLE.COM
>  add_principal krbtgt/b.example@a.example.com
>
> kadmin.local -x ipa-setup-override-restrictions -r B.EXAMPLE.COM
>  add_principal krbtgt/a.example@b.example.com
>
> edit /etc/krb5.conf to add element in sections [realms], [domain_realm]
> and [capaths]
>
> and add a file into /var/lib/sss/pubconf/kdcinfo.B.EXAMPLE.COM (and
> /var/lib/sss/pubconf/kdcinfo.A.EXAMPLE.COM). Yes this is ugly.
>
> I manage to kinit us...@b.example.com from A.EXAMPLE.COM and with this
> credential to ssh to the other host.
>
> But I don't manage to do it transparently (i.e. ssh B.EXAMPLE.COM -l
> us...@a.example.com with the good password, or better: without password)
>
> I guess this is not implemented in sssd and this is the problem I face?

Yes, SSSD doesn't know that A.EXAMPLE.COM is a 'subdomain of
B.EXAMPLE.COM (this is how we manage all trusts), thus doesn't know how
to resolve users/groups from that realm and how to assign them POSIX
attributes locally.

Our approach is to get FreeIPA/AD trust case finished first and then
reuse as much as possible for FreeIPA/FreeIPA trust case. We anyway
would have to implement most of the same functionality -- ID range
handling, POSIX attributes management, caching of group membership
(MS-PAC or UNIX-PAD extensions in Kerberos tickets), discovery of forest
topology and so on.

--
/ Alexander Bokovoy

--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go To http://freeipa.org for more info on the project


Re: [Freeipa-users] freeipa-freeipa trust relationship

2014-12-01 Thread Nicolas Zin


> - Original message -
> From: "Alexander Bokovoy"
> To: "Nicolas Zin"
> Cc: freeipa-users@redhat.com
> Sent: Monday 1 December 2014 19:28:20
> Subject: Re: [Freeipa-users] freeipa-freeipa trust relationship
> 
> On Mon, 01 Dec 2014, Nicolas Zin wrote:
> >Hi,
> >
> >I know that it is possible to connect a FreeIPA/idm to an Active
> >Directory forest.
> >
> >But is there a way to have a relationship between 2 freeipa domains,
> >and if yes, is there any documentation.
> Not implemented yet.


So even "manually" it is not possible? like following
https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/6/html/Managing_Smart_Cards/Setting_Up_Cross_Realm_Authentication.html
?

So far, I tried to:
kadmin.local -x ipa-setup-override-restrictions -r A.EXAMPLE.COM
 add_principal krbtgt/b.example@a.example.com

kadmin.local -x ipa-setup-override-restrictions -r B.EXAMPLE.COM
 add_principal krbtgt/a.example@b.example.com

edit /etc/krb5.conf to add element in sections [realms], [domain_realm] and 
[capaths]

and add a file into /var/lib/sss/pubconf/kdcinfo.B.EXAMPLE.COM (and 
/var/lib/sss/pubconf/kdcinfo.A.EXAMPLE.COM). Yes this is ugly.

I manage to kinit us...@b.example.com from A.EXAMPLE.COM and with this 
credential to ssh to the other host.

But I don't manage to do it transparently (i.e. ssh B.EXAMPLE.COM -l
us...@a.example.com with the good password, or better: without password)

I guess this is not implemented in sssd and this is the problem I face?



Regards,


Nicolas

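As an added illustration, not taken from this thread, of the /etc/krb5.conf pieces the post above refers to, here is a fragment for a direct trust between the two realms; the KDC hostnames ipa.a.example.com and ipa.b.example.com are assumptions, and the cross-realm TGT principal is written in the conventional uppercase form krbtgt/B.EXAMPLE.COM@A.EXAMPLE.COM.

```ini
# Added example: /etc/krb5.conf fragment for a direct cross-realm trust
# between A.EXAMPLE.COM and B.EXAMPLE.COM. KDC hostnames are assumed.
[realms]
  A.EXAMPLE.COM = {
    kdc = ipa.a.example.com:88
    admin_server = ipa.a.example.com:749
  }
  B.EXAMPLE.COM = {
    kdc = ipa.b.example.com:88
    admin_server = ipa.b.example.com:749
  }

[domain_realm]
  # Map host DNS names to realms so a client in A can work out which realm
  # a service host in B belongs to (and vice versa).
  .a.example.com = A.EXAMPLE.COM
  a.example.com  = A.EXAMPLE.COM
  .b.example.com = B.EXAMPLE.COM
  b.example.com  = B.EXAMPLE.COM

[capaths]
  # "." means the trust path is direct: a client of A.EXAMPLE.COM asks A's
  # KDC for krbtgt/B.EXAMPLE.COM@A.EXAMPLE.COM and presents it to B's KDC.
  A.EXAMPLE.COM = {
    B.EXAMPLE.COM = .
  }
  B.EXAMPLE.COM = {
    A.EXAMPLE.COM = .
  }
```

For the path to be usable, krbtgt/B.EXAMPLE.COM@A.EXAMPLE.COM has to exist in both KDC databases with the same key (created with the same password), and likewise krbtgt/A.EXAMPLE.COM@B.EXAMPLE.COM for the other direction. As the reply in this thread notes, this only gets Kerberos ticket acquisition working; SSSD still has no way to resolve users and groups of the other realm or to assign them POSIX attributes.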

Re: [Freeipa-users] freeipa-freeipa trust relationship

2014-12-01 Thread Alexander Bokovoy

On Mon, 01 Dec 2014, Nicolas Zin wrote:
>Hi,
>
>I know that it is possible to connect a FreeIPA/idm to an Active
>Directory forest.
>
>But is there a way to have a relationship between 2 freeipa domains,
>and if yes, is there any documentation.
Not implemented yet.

--
/ Alexander Bokovoy
