On 07.07.20 10:13, Alexander Bokovoy wrote:
On ti, 07 heinä 2020, Gerald Vogt via FreeIPA-users wrote:
> Hi!
>
> I am trying to get a kerberos realm to trust the ipa realm. I'm running
> ipa-server-4.6.6-11.el7 on a CentOS 7. It uses realm
IPA.EXAMPLE.COM.
>
> I have another KDC on another CentOS 7 which has another realm
>
KRB.EXAMPLE.COM with a legacy service connected.
>
> Now I would like all users of my IPA realm to use that legacy service.
> Thus I need the KRB realm to trust the IPA realm. I don't need the IPA
> realm to trust the KRB realm.
>
> For the KRB KDC I have no problem adding the necessary
> krbtgt/KRB.EXAMPLE.COM(a)IPA.EXAMPLE.COM principal with a password.
>
> However, everything I find about adding it to the IPA Kerberos involves
> kadmin.local which seems not to be supported anymore:
>
> kadmin.local: Cannot open DB2 database
> '/var/kerberos/krb5kdc/principal': No such file or directory while
> initializing kadmin.local interface
The message above says that DB2 database driver is used by kadmin.local
instead of IPA one. Your /etc/krb5.conf should have:
[dbmodules]
IPA.TEST = {
db_library = ipadb.so
}
Thanks. I have missed that.
> How do I add this principal correctly to my IPA kerberos? Is it
> possible?
Kind of. Beware of dragons, of course.
WARNING: this is not supported for mindless enablement. If you'd break
your system, it is all your fault.
You need to use '-x ipa-setup-override-restrictions' to kadmin.local
when it uses ipadb module.
Please note that FreeIPA expectation from trusted realms are stricter
than in a standard MIT KDC case. For example, if your trusted realm
produces PAC records in the tickets, these tickets will be rejected if
FreeIPA KDC cannot find corresponding trusted domain definition in IPA
LDAP. This, for example, is not possible right now for IPA-IPA trust.
A non-AD-compatible Kerberos realm can be made trusted but that's about
it. If it has user principals that couldn't be mapped to IPA users, the
only thing that those principals would be able to do is to obtain
service tickets to IPA services. They would not exist on POSIX level, of
course, so none of POSIX-specific operations would work, including HBAC
rules.
O.K. Now you have got me confused. I thought, all I needed was for my KRB realm to trust
the IPA realm and not vice versa. Thus, all I needed was the principal in the IPA
kerberos. I don't want the IPA realm to trust the KRB realm. Only the IPA users are
supposed to access the KRB realm service using kerberos.
It's my understanding that your remarks in your two last paragraphs don't apply
here. Or am I missing something?
Thx,
Gerald