On 4.12.2014 17:27, Alexander Bokovoy wrote:
> On Thu, 04 Dec 2014, Petr Spacek wrote:
>> On 4.12.2014 16:58, Simo Sorce wrote:
>>> On Thu, 4 Dec 2014 13:22:01 +0200
>>> Alexander Bokovoy <aboko...@redhat.com> wrote:
>>>
>>>> On Thu, 04 Dec 2014, Petr Spacek wrote:
>>>>>> And /var/log/krb5kdc.log on master.f21.test (KDC for F21.TEST) I can see:
>>>>>> Dec 04 12:41:52 master.f21.test krb5kdc[1131](info): bad realm transit path from 'ad...@ipa5.test' to 'host/master.f21.t...@f21.test' via ''
>>>>>> Dec 04 12:41:52 master.f21.test krb5kdc[1131](info): TGS_REQ (6 etypes {18 17 16 23 25 26}) 192.168.5.109: BAD_TRANSIT: authtime 1417689777, ad...@ipa5.test for host/master.f21.t...@f21.test, KDC policy rejects request
>>>>>> Dec 04 12:41:52 master.f21.test krb5kdc[1131](info): bad realm transit path from 'ad...@ipa5.test' to 'host/master.f21.t...@f21.test' via ''
>>>>>> Dec 04 12:41:52 master.f21.test krb5kdc[1131](info): TGS_REQ (6 etypes {18 17 16 23 25 26}) 192.168.5.109: BAD_TRANSIT: authtime 1417689777, ad...@ipa5.test for host/master.f21.t...@f21.test, KDC policy rejects request
>>>>>>
>>>>>> And this is correct for FreeIPA 3.3 or later because we limit trust to those domains we defined in cn=ad,cn=trusts,$SUFFIX with filter (objectclass=ipaNTTrustedDomain). For the rest we return KRB5KRB_AP_ERR_ILL_CR_TKT error code which is visible as 'KDC policy rejects request'.
>>>>>>
>>>>>> We may reconsider this check and instead of KRB5KRB_AP_ERR_ILL_CR_TKT return KRB5_PLUGIN_NO_HANDLE to allow fallback to krb5.conf-defined capaths but I remember we had some issues with krb5 versions prior to 1.12 where capaths from krb5.conf were blocking work of the DAL driver.
>>>>>
>>>>> Alexander, could you open a ticket to prevent us from forgetting about it?
>>>> I'm not sure yet this is valid. For FreeIPA-FreeIPA trust we'll have a separate solution and it will be along the lines of existing 'ipa trust-add' workflow where existing DAL driver code will work as it is.
>>>
>>> I think we should have a way to relax this requirement, so that people like Andreas can play with kerberos level trusts.
>>
>> I agree.
> Ok, then please file a ticket for this.
> The change in the DAL driver will be a single line.

It would be better if you described the details in the ticket, but here it is:
https://fedorahosted.org/freeipa/ticket/4791

Please add missing information.

Have a nice weekend!

-- 
Petr^2 Spacek

-- 
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go To http://freeipa.org for more info on the project
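The thread above diagnoses the problem from the two krb5kdc.log message shapes the KDC emits when the FreeIPA DAL driver rejects a cross-realm ticket whose client realm is not in cn=ad,cn=trusts,$SUFFIX: a "bad realm transit path" line followed by a TGS_REQ line flagged BAD_TRANSIT with "KDC policy rejects request". The following script is an added example, not code from the thread or from the FreeIPA project: it parses such lines, pairs each transit-path line with its TGS_REQ rejection, and reports which (client realm, service realm) pairs are being refused so an administrator can compare them against the realms actually configured as trusted. The sample log is constructed here and modelled on the quoted excerpt; the realm names come from the thread, the principal names (user@IPA5.TEST, host/master.f21.test@F21.TEST) and the ISSUE line are placeholders.

```python
import re
from collections import Counter
from dataclasses import dataclass
from typing import Optional

# Constructed sample, modelled on the krb5kdc.log excerpt quoted in the thread.
# The third line is a successful (ISSUE) request and must be ignored by the parser.
SAMPLE_LOG = "\n".join([
    "Dec 04 12:41:52 master.f21.test krb5kdc[1131](info): bad realm transit path "
    "from 'user@IPA5.TEST' to 'host/master.f21.test@F21.TEST' via ''",
    "Dec 04 12:41:52 master.f21.test krb5kdc[1131](info): TGS_REQ (6 etypes {18 17 16 23 25 26}) "
    "192.168.5.109: BAD_TRANSIT: authtime 1417689777, user@IPA5.TEST for "
    "host/master.f21.test@F21.TEST, KDC policy rejects request",
    "Dec 04 12:42:10 master.f21.test krb5kdc[1131](info): TGS_REQ (6 etypes {18 17 16 23 25 26}) "
    "192.168.5.110: ISSUE: authtime 1417689810, etypes {rep=18 tkt=18 ses=18}, "
    "user@F21.TEST for host/master.f21.test@F21.TEST",
    "Dec 04 12:41:52 master.f21.test krb5kdc[1131](info): bad realm transit path "
    "from 'user@IPA5.TEST' to 'host/master.f21.test@F21.TEST' via ''",
    "Dec 04 12:41:52 master.f21.test krb5kdc[1131](info): TGS_REQ (6 etypes {18 17 16 23 25 26}) "
    "192.168.5.109: BAD_TRANSIT: authtime 1417689777, user@IPA5.TEST for "
    "host/master.f21.test@F21.TEST, KDC policy rejects request",
])

# Common syslog-style prefix written by krb5kdc.
_PREFIX = r"^(?P<ts>\w{3} \d{2} \d{2}:\d{2}:\d{2}) (?P<kdc>\S+) krb5kdc\[\d+\]\(info\): "

# "bad realm transit path from 'CLIENT' to 'SERVICE' via 'REALMS'"
TRANSIT_PATH_RE = re.compile(
    _PREFIX + r"bad realm transit path from '(?P<client>[^']*)' to '(?P<service>[^']*)' via '(?P<via>[^']*)'$"
)

# "TGS_REQ (ETYPES) SRC: BAD_TRANSIT: authtime N, CLIENT for SERVICE, REASON"
BAD_TRANSIT_RE = re.compile(
    _PREFIX + r"TGS_REQ \((?P<etypes>[^)]*)\) (?P<src>[\d.]+): BAD_TRANSIT: "
    r"authtime (?P<authtime>\d+), (?P<client>\S+) for (?P<service>\S+), (?P<reason>.*)$"
)


@dataclass(frozen=True)
class TransitRejection:
    timestamp: str
    kdc: str
    source_ip: str
    client: str
    service: str
    transit_path: Optional[str]  # realms listed in the ticket's transited field ('' = direct)
    reason: str


def realm_of(principal: str) -> str:
    """Return the realm part of a Kerberos principal name."""
    return principal.rsplit("@", 1)[-1]


def parse_kdc_log(text: str) -> list:
    """Extract BAD_TRANSIT rejections, attaching the preceding transit-path line."""
    rejections = []
    pending_paths = {}  # (client, service) -> transited realms from the path line
    for line in text.splitlines():
        m = TRANSIT_PATH_RE.match(line)
        if m:
            pending_paths[(m["client"], m["service"])] = m["via"]
            continue
        m = BAD_TRANSIT_RE.match(line)
        if m:
            key = (m["client"], m["service"])
            rejections.append(TransitRejection(
                timestamp=m["ts"], kdc=m["kdc"], source_ip=m["src"],
                client=m["client"], service=m["service"],
                transit_path=pending_paths.pop(key, None),
                reason=m["reason"],
            ))
    return rejections


def realm_pairs(rejections) -> Counter:
    """Count rejections per (client realm, service realm) pair."""
    return Counter((realm_of(r.client), realm_of(r.service)) for r in rejections)


def untrusted_client_realms(rejections, trusted_realms) -> list:
    """Client realms rejected by the KDC that are absent from the trusted-realm list
    (for FreeIPA, the realms present under cn=ad,cn=trusts,$SUFFIX)."""
    trusted = {r.upper() for r in trusted_realms}
    return sorted({realm_of(r.client) for r in rejections
                   if realm_of(r.client).upper() not in trusted})


if __name__ == "__main__":
    found = parse_kdc_log(SAMPLE_LOG)
    for pair, count in realm_pairs(found).items():
        print(f"{pair[0]} -> {pair[1]}: {count} BAD_TRANSIT rejection(s)")
    print("client realms not in trust list:",
          untrusted_client_realms(found, ["AD.EXAMPLE.TEST"]))
```

Run it against a real /var/log/krb5kdc.log by reading the file into parse_kdc_log; a non-empty result from untrusted_client_realms points at exactly the situation the thread describes (a Kerberos-level trust the KDC knows nothing about), which is the case the proposed KRB5_PLUGIN_NO_HANDLE fallback to krb5.conf capaths would be meant to relax.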