On Sat, Sep 13, 2014 at 7:03 PM, Alexander Bokovoy <aboko...@redhat.com> wrote:
> On Sat, 13 Sep 2014, Traiano Welcome wrote:
>
>> Hi
>>
>> I've managed to get trusts working with CentOS 7 as an IdM server, Win2K8R2
>> AD DC and CentOS6.5 as a client, using the exact same series of steps as in
>> the documentation. Attached is the process I used.
>>
> You got one step wrong:
> ============================================================================
> 8. Modify /etc/krb5.conf
>
> [realms]
> ENGENEON.LOCAL = {
> kdc = idm003.engeneon.local:88
> master_kdc = idm003.engeneon.local:88
> admin_server = idm003.engeneon.local:749
> default_domain = engeneon.local
> pkinit_anchors = FILE:/etc/ipa/ca.crt
> auth_to_local = RULE:[1:$1@$0](^.*@AD_DOMAIN$)s/@AD_DOMAIN/@ad_domain/
> auth_to_local = DEFAULT
> }
> ============================================================================
>
> Here you have to substitute AD_DOMAIN and ad_domain by your actual
> AD domain name. This change has to be done currently on every IPA
> machine where you are expecting AD users to log in.
>

Doh! ok, fixed. Although, I didn't notice any login failures testing with a bunch of users. Is it possible this behavior is already being adapted around in either one of PAM, OpenSSH or KRB5?

> For each domain in the trusted AD forest, AD_DOMAIN should be its realm
> and ad_domain should be the same in lower case, as SSSD normalizes user
> names to lower case. The rule tells the Kerberos library how to transform a
> Kerberos principal (thus REALM has to be upper case, as is required in
> MIT Kerberos) to a POSIX user name (thus put the domain name in lower case,
> as SSSD will normalize the user name). OpenSSH and some other software
> actually check that the POSIX user name corresponds to the value the Kerberos
> library will return to the OpenSSH daemon after running through the
> auth_to_local rules.
>
> I.e., in your case it would be
>
> auth_to_local = RULE:[1:$1@$0](^.*@MHATEST.LOCAL$)s/@MHATEST.LOCAL/@mhatest.local/
>
> and if you have multiple subdomains, there should be multiple rules like
> this, each for the domain whose users you want to be able to log in.
> We are improving this in MIT Kerberos 1.12 and SSSD 1.12.1, where all
> these rules will be replaced with a plugin that fetches the list of domains
> from IPA servers and automatically manages it. However, it is currently
> not available in any released distribution.
>
> --
> / Alexander Bokovoy
-- Manage your subscription for the Freeipa-users mailing list: https://www.redhat.com/mailman/listinfo/freeipa-users Go To http://freeipa.org for more info on the project
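To make the mapping Alexander describes concrete, here is an added example (not code from this thread, from FreeIPA, or from MIT krb5) that emulates how a krb5 library evaluates `auth_to_local` RULE and DEFAULT entries and how sshd's name check then behaves. It reproduces the rule from the thread for MHATEST.LOCAL and, as an assumption for illustration, adds a second trusted domain CHILD.MHATEST.LOCAL to show why each domain needs its own rule; the principals used are constructed sample input. Only the single-component, non-backreference rule forms seen on this page are emulated.

```python
"""Emulation of MIT krb5 auth_to_local RULE/DEFAULT evaluation (added example,
not MIT krb5's implementation). Demonstrates the upper-case realm in the
selector, the lower-case domain in the replacement, one rule per AD domain,
and the OpenSSH check that the mapped name equals the login name."""
import re

IPA_REALM = "ENGENEON.LOCAL"                           # from the thread
AD_DOMAINS = ["MHATEST.LOCAL", "CHILD.MHATEST.LOCAL"]  # child domain is an assumption

# The unsubstituted placeholder rule from the quoted documentation step.
TEMPLATE_RULE = "RULE:[1:$1@$0](^.*@AD_DOMAIN$)s/@AD_DOMAIN/@ad_domain/"


def ad_rule(realm):
    """Build the per-domain rule from the thread as a krb5.conf value:
    selector matches the upper-case realm, replacement yields the
    lower-case domain that SSSD uses in the POSIX user name."""
    return f"RULE:[1:$1@$0](^.*@{realm}$)s/@{realm}/@{realm.lower()}/"


# One rule per trusted domain, then DEFAULT for native IPA principals.
FOREST_RULES = [ad_rule(d) for d in AD_DOMAINS] + ["DEFAULT"]

# RULE:[n:string](regexp)s/pattern/replacement/[g]
RULE_RE = re.compile(r"^RULE:\[(\d+):([^\]]*)\]\((.*)\)s/(.*?)/(.*?)/(g?)$")


def apply_rules(principal, rules, default_realm=IPA_REALM):
    """Return the POSIX name the rules derive for `principal`, or None when
    no rule applies (the krb5 library would then fail the name lookup)."""
    name, _, realm = principal.rpartition("@")
    comps = name.split("/")
    for rule in rules:
        if rule == "DEFAULT":
            # DEFAULT maps only single-component principals of the default realm.
            if realm == default_realm and len(comps) == 1:
                return comps[0]
            continue
        m = RULE_RE.match(rule)
        if not m:
            raise ValueError(f"unparseable rule: {rule}")
        n, fmt, selector, pattern, repl, glob = m.groups()
        if len(comps) != int(n):          # rule applies only to n-component principals
            continue
        # Expand $0 (realm) and $1..$n (principal components).
        formed = fmt.replace("$0", realm)
        for i, comp in enumerate(comps, start=1):
            formed = formed.replace(f"${i}", comp)
        if not re.search(selector, formed):   # selector rules on this page are ^...$ anchored
            continue
        return re.sub(pattern, repl, formed, count=0 if glob else 1)
    return None


def sshd_would_accept(login_user, principal, rules):
    """The check Alexander refers to: the POSIX name derived from the
    authenticated principal must equal the name the client logged in as."""
    return apply_rules(principal, rules) == login_user


if __name__ == "__main__":
    for p in ["jdoe@MHATEST.LOCAL", "alice@CHILD.MHATEST.LOCAL",
              "admin@ENGENEON.LOCAL", "host/idm003.engeneon.local@ENGENEON.LOCAL"]:
        print(f"{p:50} -> {apply_rules(p, FOREST_RULES)}")
    # The unedited template never matches a real AD principal, and DEFAULT
    # refuses foreign realms, so AD logins would fail the sshd name check.
    print("template rule:", apply_rules("jdoe@MHATEST.LOCAL", [TEMPLATE_RULE, "DEFAULT"]))
```

With only the MHATEST.LOCAL rule in place, `alice@CHILD.MHATEST.LOCAL` maps to nothing, which is the "multiple rules, one per subdomain" point; with the placeholder AD_DOMAIN left unedited, every AD principal maps to nothing, which is the mistake flagged in the thread.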