On 5.12.2014 15:21, Andreas Ladanyi wrote:
> On 05.12.2014 at 14:04, Alexander Bokovoy wrote:
>>>> Ok, I see one difference: I didn't use the "-requires_preauth" flag. Why
>>>> did you use it?
>>> Because this is recommended by MIT documentation. The link between
>>> realms has to be protected well, including preauth and good passwords
>>> for the cross-realm principals.
>>>
>>>> Is it possible or a good idea to add my trust domain, which isn't an AD
>>>> domain, manually to IPA 3.3?
>>> Well, you can hack of course, that's up to you. I haven't checked that
>>> myself and cannot give you a definitive answer on this path, though.
> At this time I haven't an idea of the steps in detail how to do that.
>>>
>>>>> We may reconsider this check and instead of KRB5KRB_AP_ERR_ILL_CR_TKT
>>>>> return KRB5_PLUGIN_NO_HANDLE to allow fallback to krb5.conf-defined
>>>>> capaths, but I remember we had some issues with krb5 versions prior to
>>>>> 1.12 where capaths from krb5.conf were blocking work of the DAL
>>>>> driver.
>>>> I use MIT Kerberos 1.6 from OpenCSW on Solaris and FreeIPA 3.3.5. So
>>>> this shouldn't be a problem?!
> Sorry, I made a little typing mistake. The foreign realm is MIT Kerberos
> 1.9.2 and not 1.6.
>>> 1.6 does not support cross-realm communication as support for RFC6806
>>> was added only in 1.7. So I don't think your setup would have any chance
>>> to work at all.
>> Hm.. on the other hand, 1.6 documentation talks about it:
>> http://web.mit.edu/kerberos/krb5-1.6/krb5-1.6.3/doc/krb5-admin.html#Cross_002drealm-Authentication
>>
>> So maybe their changelogs aren't as complete as they should be. :)
>>
>> With the link above you can also see that disabling preauth on the
>> cross-realm krbtgt records is recommended.
>>
>> But I think most of your issues were because of the 88 port not being
>> available and no other means to traverse the firewall were configured.
> I will look in particular for that.
>
> There is no firewall between the two KDCs.
>
>> That
>> is, aside from the fact that IPA will reject cross-realm tickets because
>> of how we programmed the DAL driver, as I explained above.
>
> I don't know in detail what DAL is doing.
>
> OK, it sounds like with IPA my setup won't be very easy :-)
I guess that Alexander or Simo could point you to the line in the source code you have to change (or send you a one-line patch?) but you will have to recompile the driver from source. Do you want to try this way?

-- 
Petr^2 Spacek

-- 
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go To http://freeipa.org for more info on the project