On 13/10/2025 15:49, Brian J. Murrell via FreeIPA-users wrote:
> What I have left is a low UID (112) system account that I do need to be
> in IPA as it needs to have a Kerberos credential. I figured the
> simplest thing to do was to give 112 its own ID range since it's the
> only low UID I have a need for.

FYI, you might be able to avoid needing to create an 'asterisk' user in
your directory entirely.
You can map arbitrary Kerberos principal names to local usernames in
krb5.conf:

    [realms]
        EXAMPLE.COM = {
            auth_to_local_names = {
                ipa-asterisk = asterisk
                asterisk/myhost.example.com = asterisk
            }
        }

Now the principals for the IPA user 'ipa-asterisk' will be mapped to the
local username 'asterisk'. Same for the IPA service
'asterisk/myhost.example.com'.

(One caveat: if you trust other realms, then this will map principals in
those realms as well. The fix is to use auth_to_local instead, which can
accomplish the same job but with more verbose/annoying syntax.)

This was covered in this thread:
https://lists.fedorahosted.org/archives/list/[email protected]/thread/Z5YOARJJUW62XRGRXZ6KSWWDFUKT5GJV/?sort=thread
--
Sam Morris <https://robots.org.uk/>
PGP: rsa4096/CAAA AA1A CA69 A83A 892B 1855 D20B 4202 5CDA 27B9
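
Added example (not part of the message above or of the linked thread): the same two mappings written with auth_to_local, so that they match only principals whose realm is EXAMPLE.COM. It assumes EXAMPLE.COM is the client's default realm and that the auth_to_local_names block is removed, since that block would otherwise still apply.

```ini
[realms]
    EXAMPLE.COM = {
        # RULE:[n:string](regexp)s/pattern/replacement/
        #   n      = number of components the principal must have
        #   string = $1, $2 are the components, $0 is the principal's realm
        #   regexp = must match the string built above, realm included

        # User principal ipa-asterisk@EXAMPLE.COM -> local user asterisk
        auth_to_local = RULE:[1:$1@$0](ipa-asterisk@EXAMPLE\.COM)s/^.*$/asterisk/

        # Service principal asterisk/myhost.example.com@EXAMPLE.COM -> asterisk
        auth_to_local = RULE:[2:$1/$2@$0](asterisk/myhost\.example\.com@EXAMPLE\.COM)s/^.*$/asterisk/

        # Keep the standard mapping for every other single-component
        # principal in the default realm (alice@EXAMPLE.COM -> alice)
        auth_to_local = DEFAULT
    }
```

Because the realm ($0) is part of the string each rule matches, a principal named ipa-asterisk in a trusted realm does not match and is not mapped to asterisk.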