On 13/10/2025 15:49, Brian J. Murrell via FreeIPA-users wrote:
What I have left is a low UID (112) system account that I do need to be in IPA as it needs to have a Kerberos credential. I figured the simplest thing to do was to give 112 its own ID range since it's the only low UID I have a need for.
FYI, you might be able to avoid needing to create an 'asterisk' user in your directory entirely.
You can map arbitrary Kerberos principal names to local usernames in krb5.conf:
[realms]
    EXAMPLE.COM = {
        auth_to_local_names = {
            ipa-asterisk = asterisk
            asterisk/myhost.example.com = asterisk
        }
    }
Now the principals for the IPA user 'ipa-asterisk' will be mapped to the local username 'asterisk'. Same for the IPA service 'asterisk/myhost.example.com'.
(One caveat, if you trust other realms then this will map principals in those realms as well. The fix is to use auth_to_local instead, which can accomplish the same job but with more verbose/annoying syntax.)
This was covered in this thread: https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahoste...
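As an added illustration of the caveat above (not part of the thread), here is the same mapping written with auth_to_local rules so that only principals in EXAMPLE.COM are matched; the realm and host names are taken from the reply, and the rule order and DEFAULT fallback are assumptions for a typical krb5.conf:

```ini
[realms]
    EXAMPLE.COM = {
        ; RULE:[n:fmt](regex)s/pat/repl/ : n is the number of principal
        ; components, fmt builds a string from them ($0 = realm, $1.. = components),
        ; the regex must match that string, then the s/// substitution yields the
        ; local name. Anchoring on @EXAMPLE\.COM keeps trusted-realm principals
        ; (e.g. ipa-asterisk@OTHER.REALM) from being mapped to 'asterisk'.
        auth_to_local = RULE:[1:$1@$0](^ipa-asterisk@EXAMPLE\.COM$)s/.*/asterisk/
        auth_to_local = RULE:[2:$1/$2@$0](^asterisk/myhost\.example\.com@EXAMPLE\.COM$)s/.*/asterisk/
        ; Keep the normal behaviour for every other principal: map user@EXAMPLE.COM
        ; to user, and refuse principals from foreign realms.
        auth_to_local = DEFAULT
    }
```

Rules are tried in order, so DEFAULT should stay last; a principal from another trusted realm never matches the anchored regexes and falls through to DEFAULT, which does not map foreign-realm principals.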