Hi All.
We have an IPA installation in a ‘winsync’ agreement with our AD. We do not (at this stage) want to move this to a full trust, but it would be useful for our users if there were a trust between the two systems at the *Kerberos* level. That way, user desktop TGTs from AD could be used to access Linux servers enrolled in the IPA domain seamlessly, without needing to maintain two separate identities. (We have previously used such a configuration successfully between IPA and a legacy MIT Kerberos service.)
I followed some (non-IPA related) steps for setting up Kerberos trusts between AD and MIT Kerberos - essentially creating a common TGT principal in both systems with a common password. This works to a point (i.e. I can get the TGT for IPA using the AD TGT), but when I try to fetch a service ticket in the IPA domain I get a ‘HANDLE_AUTHDATA’ error.
Here is what I’m seeing:
(AD domain = ‘STAFF.LOCALREALM’; IPA domain = ‘PALLAS.LOCALREALM’)

# Get AD TGT:
Password for rns@STAFF.LOCALREALM: XXXXXXXXX

$ klist
Ticket cache: KEYRING:persistent:10846:10846
Default principal: rns@STAFF.LOCALREALM

Valid starting       Expires              Service principal
11/06/20 13:34:19  11/06/20 23:34:19  krbtgt/STAFF.LOCALREALM@STAFF.LOCALREALM
	renew until 12/06/20 13:34:18

# Use AD TGT to get an IPA TGT:
$ kvno krbtgt/PALLAS.LOCALREALM@STAFF.LOCALREALM
krbtgt/PALLAS.LOCALREALM@STAFF.LOCALREALM: kvno = 0

$ klist
Ticket cache: KEYRING:persistent:10846:10846
Default principal: rns@STAFF.LOCALREALM

Valid starting       Expires              Service principal
11/06/20 13:34:24  11/06/20 23:34:19  krbtgt/PALLAS.LOCALREALM@STAFF.LOCALREALM
	renew until 12/06/20 13:34:18
11/06/20 13:34:19  11/06/20 23:34:19  krbtgt/STAFF.LOCALREALM@STAFF.LOCALREALM
	renew until 12/06/20 13:34:18

# Try to fetch an IPA service ticket:
$ kvno host/palladium1.localdomain@PALLAS.LOCALREALM
kvno: KDC returned error string: HANDLE_AUTHDATA while getting credentials for host/palladium1.localdomain@PALLAS.LOCALREALM
Can anyone provide some idea as to what’s going on here and how I resolve this? I don’t really know what ‘HANDLE_AUTHDATA’ indicates and I’m not able to find a lot of documentation explaining this.
Thanks!
Robert.
freeipa-users@lists.fedorahosted.org
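The cross-realm path the post walks through (home TGT, then the cross-realm krbtgt/PALLAS@STAFF ticket, then the service ticket from the PALLAS KDC) can be checked from the ticket cache itself. The following is an added example, not code from the poster or from FreeIPA: it parses a constructed copy of the klist output above and reports which KDC the client would contact next and with which TGT, which pins the HANDLE_AUTHDATA failure to the TGS-REQ sent to the PALLAS.LOCALREALM KDC with the cross-realm TGT.

```python
import re

# Constructed sample: the cache contents from the post, laid out as klist
# prints them (one ticket per row, "renew until" on the following line).
KLIST_OUTPUT = """\
Ticket cache: KEYRING:persistent:10846:10846
Default principal: rns@STAFF.LOCALREALM

Valid starting       Expires              Service principal
11/06/20 13:34:24  11/06/20 23:34:19  krbtgt/PALLAS.LOCALREALM@STAFF.LOCALREALM
\trenew until 12/06/20 13:34:18
11/06/20 13:34:19  11/06/20 23:34:19  krbtgt/STAFF.LOCALREALM@STAFF.LOCALREALM
\trenew until 12/06/20 13:34:18
"""

# A ticket row: two "date time" stamps, then service@ISSUING_REALM.
TICKET_ROW = re.compile(r"\S+ \S+\s+\S+ \S+\s+([^@\s]+)@(\S+)$")

def parse_klist(text):
    """Return (client principal, [(service, issuing realm), ...])."""
    client, tickets = None, []
    for line in text.splitlines():
        m = re.match(r"Default principal:\s*(\S+)", line)
        if m:
            client = m.group(1)
            continue
        m = TICKET_ROW.match(line)
        if m:
            tickets.append((m.group(1), m.group(2)))
    return client, tickets

def next_request(client, tickets, target):
    """Return (request type, realm of the KDC asked, TGT presented,
    principal requested) for the next step towards `target`."""
    service, target_realm = target.rsplit("@", 1)
    client_realm = client.rsplit("@", 1)[1]
    have = set(tickets)
    if (service, target_realm) in have:
        return ("cached", None, None, target)
    tgt = "krbtgt/" + target_realm
    for issuer in (target_realm, client_realm):
        if (tgt, issuer) in have:
            # Local or cross-realm TGT for the target realm: ask its KDC.
            return ("TGS-REQ", target_realm, f"{tgt}@{issuer}", target)
    home_tgt = f"krbtgt/{client_realm}@{client_realm}"
    if ("krbtgt/" + client_realm, client_realm) in have:
        # Only the home TGT: the home KDC must issue the cross-realm TGT first.
        return ("TGS-REQ", client_realm, home_tgt, f"{tgt}@{client_realm}")
    return ("AS-REQ", client_realm, None, home_tgt)
```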