On 07.07.20 10:13, Alexander Bokovoy wrote:
> On ti, 07 heinä 2020, Gerald Vogt via FreeIPA-users wrote:
>> Hi!
>>
>> I am trying to get a kerberos realm to trust the ipa realm. I'm running
>> ipa-server-4.6.6-11.el7 on a CentOS 7. It uses realm
IPA.EXAMPLE.COM.
>>
>> I have another KDC on another CentOS 7 which has another realm
>>
KRB.EXAMPLE.COM with a legacy service connected.
>>
>> Now I would like all users of my IPA realm to use that legacy service.
>> Thus I need the KRB realm to trust the IPA realm. I don't need the IPA
>> realm to trust the KRB realm.
>>
>> For the KRB KDC I have no problem adding the necessary
>> krbtgt/KRB.EXAMPLE.COM(a)IPA.EXAMPLE.COM principal with a password.
>>
>> However, everything I find about adding it to the IPA Kerberos involves
>> kadmin.local which seems not to be supported anymore:
>>
>> kadmin.local: Cannot open DB2 database
>> '/var/kerberos/krb5kdc/principal': No such file or directory while
>> initializing kadmin.local interface
>
> The message above says that DB2 database driver is used by kadmin.local
> instead of IPA one. Your /etc/krb5.conf should have:
>
> [dbmodules]
> IPA.TEST = {
> db_library = ipadb.so
> }
Thanks. I have missed that.
>> How do I add this principal correctly to my IPA kerberos? Is it
>> possible?
>
> Kind of. Beware of dragons, of course.
>
> WARNING: this is not supported for mindless enablement. If you'd break
> your system, it is all your fault.
>
> You need to use '-x ipa-setup-override-restrictions' to kadmin.local
> when it uses ipadb module.
>
> Please note that FreeIPA expectation from trusted realms are stricter
> than in a standard MIT KDC case. For example, if your trusted realm
> produces PAC records in the tickets, these tickets will be rejected if
> FreeIPA KDC cannot find corresponding trusted domain definition in IPA
> LDAP. This, for example, is not possible right now for IPA-IPA trust.
>
> A non-AD-compatible Kerberos realm can be made trusted but that's about
> it. If it has user principals that couldn't be mapped to IPA users, the
> only thing that those principals would be able to do is to obtain
> service tickets to IPA services. They would not exist on POSIX level, of
> course, so none of POSIX-specific operations would work, including HBAC
> rules.
O.K. Now you have got me confused. I thought, all I needed was for my
KRB realm to trust the IPA realm and not vice versa. Thus, all I needed
was the principal in the IPA kerberos. I don't want the IPA realm to
trust the KRB realm. Only the IPA users are supposed to access the KRB
realm service using kerberos.
It's my understanding that your remarks in your two last paragraphs
don't apply here. Or am I missing something?
No, you are good -- I tried to structure my answer to also make sure
people don't try it the other way around as a supported solution. ;)
--
/ Alexander Bokovoy
Sr. Principal Software Engineer
Security / Identity Management Engineering
Red Hat Limited, Finland