On Sat, 2015-04-04 at 01:07 -0400, Coy Hile wrote:
> Hi all,
>
> What purpose does this package serve? The way I’ve done Kerberos
> between Active Directory and AD, the trust was always one way
> (outgoing): the MIT realm is authoritative and AD “shadow accounts”
> were mapped to ‘real’ principals via the alternateSecurityID
> attribute. Looking at what freeipa-server-trust-ad installs, it
> appears the dependencies installed are around letting someone a
> bidirectional trust (or at least let the AD users be authoritative).
> If one wants to set up his trust in the way I described, all he really
> needs to do in MIT land is create
>
> krbtgt/AD.REALM@MIT.REALM
>
> in the MIT Realm.
>
> Is there a ‘supported’ way to do something similar with FreeIPA?
Not yet.
https://fedorahosted.org/freeipa/ticket/4917

> Time to break out kadmin.local -x ipa-setup-override-restrictions?

You can do that, if you know what you are doing :)

> Or would that not drop the principal in the right place in the LDAP
> tree?

Yeah, kadmin will create that entry under the cn=kerberos subtree, but
that is ok; the krbtgt principals are not users nor really services, so
keeping it in cn=kerberos for now is fine.

However, do not use kadmin.local to create actual user principals, please.

Simo.

-- 
Simo Sorce * Red Hat, Inc * New York

-- 
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project