I know this is not officially supported. But I would still like to make it work.
We have a main IPA realm, EXAMPLE.COM, and we have the subdomain LAB.EXAMPLE.COM as another IPA realm. We want a one-way trust relationship from the LAB realm to our main realm.
I have tested this with two barebone MIT Kerberos KDCs, and I have been able to establish both one-way and two-way trust between LAB.EXAMPLE.COM and a barebone MIT realm. But for some reason I am not able to do this between our main realm and the lab realm.
The krbtgt/ principal that establishes the trust is created in both realms with the following command:

kadmin.local -e 'aes256-cts-hmac-sha1-96 aes128-cts-hmac-sha1-96' -q 'addprinc -requires_preauth krbtgt/LAB.EXAMPLE.COM@EXAMPLE.COM' -x ipa-setup-override-restrictions
When I try to log into a service in the lab realm via SSH with a valid ticket from the trusted realm (which works nicely with IPA and the barebone MIT setup), I just keep getting a "HANDLE_AUTHDATA" error, which I have only found briefly mentioned in a few posts online:
debug1: Unspecified GSS failure. Minor code may provide more information
KDC returned error string: HANDLE_AUTHDATA
On the lab KDC, /var/log/krb5kdc.log:

Feb 20 21:47:42 test-ipa.lab.example.com krb5kdc[1540](info): closing down fd 11
Feb 20 21:47:46 test-ipa.lab.example.com krb5kdc[1540](info): TGS_REQ : handle_authdata (22)
Feb 20 21:47:46 test-ipa.lab.example.com krb5kdc[1540](info): TGS_REQ (2 etypes {aes256-cts-hmac-sha1-96(18), aes128-cts-hmac-sha1-96(17)}) fdd0:192:168:250:ad3:e32b:ef6b:486f: HANDLE_AUTHDATA: authtime 1676921750, etypes {rep=UNSUPPORTED:(0)} username@EXAMPLE.COM for host/test-ipa.lab.example.com@LAB.EXAMPLE.COM, Invalid argument
Any thoughts or tips would be greatly appreciated.
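As an added example (not part of the original post), here is a small Python parser for MIT krb5kdc.log TGS_REQ entries. It pairs the step/errno line the KDC logs first ("TGS_REQ : handle_authdata (22)") with the request summary that follows it, splits out the requested and returned enctypes, and flags failed requests whose client and service principals live in different realms, which is exactly the case being debugged above. The sample log is constructed from the excerpt in the post, reassembled one entry per line, plus one made-up successful same-realm request for contrast; the record and field names are my own.

```python
"""Parse MIT krb5kdc.log TGS_REQ entries and surface failed cross-realm requests.

Added example for diagnosing the HANDLE_AUTHDATA error discussed above. The
sample log below is constructed from the post's excerpt plus one invented
successful request; dataclass and field names are assumptions, not MIT's.
"""
import re
from dataclasses import dataclass
from typing import Optional

# syslog-style prefix written by krb5kdc: "Mon DD HH:MM:SS host krb5kdc[pid](level): msg"
LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d{1,2} \d\d:\d\d:\d\d) (?P<host>\S+) "
    r"krb5kdc\[(?P<pid>\d+)\]\((?P<level>\w+)\): (?P<msg>.*)$")
# "TGS_REQ : handle_authdata (22)" -- failing KDC step and errno, logged just before the summary
STEP_RE = re.compile(r"^TGS_REQ : (?P<func>\w+) \((?P<errno>\d+)\)$")
# request summary: "TGS_REQ (N etypes {...}) addr: STATUS: authtime T, etypes {...}, client for server[, detail]"
TGS_RE = re.compile(
    r"^TGS_REQ \((?P<nreq>\d+) etypes \{(?P<req_etypes>[^}]*)\}\) (?P<addr>\S+): "
    r"(?P<status>[A-Z_]+): authtime (?P<authtime>\d+), etypes \{(?P<rep_etypes>[^}]*)\},? "
    r"(?P<client>\S+) for (?P<server>\S+?)(?:, (?P<detail>.*))?$")


@dataclass
class TgsRequest:
    ts: str
    addr: str
    client: str
    server: str
    status: str
    req_etypes: list          # enctype ids the client offered, e.g. [18, 17]
    rep_etypes: dict          # e.g. {"rep": "18", "tkt": "18", "ses": "18"}
    detail: Optional[str] = None   # trailing error text, e.g. "Invalid argument"
    func: Optional[str] = None     # failing KDC step from the preceding STEP line
    errno: Optional[int] = None

    @property
    def ok(self) -> bool:
        return self.status == "ISSUE"

    @property
    def cross_realm(self) -> bool:
        return realm_of(self.client) != realm_of(self.server)


def realm_of(principal: str) -> str:
    return principal.rsplit("@", 1)[-1]


def parse_etype_ids(text: str) -> list:
    # "aes256-cts-hmac-sha1-96(18), aes128-cts-hmac-sha1-96(17)" -> [18, 17]
    return [int(n) for n in re.findall(r"\((\d+)\)", text)]


def parse_rep_etypes(text: str) -> dict:
    # "rep=18 tkt=18 ses=18" -> {...}; "rep=UNSUPPORTED:(0)" -> {"rep": "UNSUPPORTED:(0)"}
    return dict(kv.split("=", 1) for kv in text.split())


def parse_kdc_log(lines) -> list:
    requests, pending = [], None  # pending = (func, errno) awaiting its request summary
    for raw in lines:
        m = LINE_RE.match(raw.strip())
        if not m:
            continue
        msg = m.group("msg")
        step = STEP_RE.match(msg)
        if step:
            pending = (step.group("func"), int(step.group("errno")))
            continue
        t = TGS_RE.match(msg)
        if not t:
            continue
        req = TgsRequest(ts=m.group("ts"), addr=t.group("addr"), client=t.group("client"),
                         server=t.group("server"), status=t.group("status"),
                         req_etypes=parse_etype_ids(t.group("req_etypes")),
                         rep_etypes=parse_rep_etypes(t.group("rep_etypes")),
                         detail=t.group("detail"))
        if not req.ok and pending:       # attach the errno line only to a failed request
            req.func, req.errno = pending
        pending = None
        requests.append(req)
    return requests


def cross_realm_failures(lines) -> list:
    return [r for r in parse_kdc_log(lines) if r.cross_realm and not r.ok]


# Constructed sample: the post's three lines, then one invented successful same-realm request.
SAMPLE_LOG = """\
Feb 20 21:47:42 test-ipa.lab.example.com krb5kdc[1540](info): closing down fd 11
Feb 20 21:47:46 test-ipa.lab.example.com krb5kdc[1540](info): TGS_REQ : handle_authdata (22)
Feb 20 21:47:46 test-ipa.lab.example.com krb5kdc[1540](info): TGS_REQ (2 etypes {aes256-cts-hmac-sha1-96(18), aes128-cts-hmac-sha1-96(17)}) fdd0:192:168:250:ad3:e32b:ef6b:486f: HANDLE_AUTHDATA: authtime 1676921750, etypes {rep=UNSUPPORTED:(0)} username@EXAMPLE.COM for host/test-ipa.lab.example.com@LAB.EXAMPLE.COM, Invalid argument
Feb 20 21:48:01 test-ipa.lab.example.com krb5kdc[1540](info): TGS_REQ (2 etypes {aes256-cts-hmac-sha1-96(18), aes128-cts-hmac-sha1-96(17)}) 192.0.2.10: ISSUE: authtime 1676921750, etypes {rep=18 tkt=18 ses=18}, labuser@LAB.EXAMPLE.COM for host/test-ipa.lab.example.com@LAB.EXAMPLE.COM
"""

if __name__ == "__main__":
    for r in parse_kdc_log(SAMPLE_LOG.splitlines()):
        tag = "CROSS-REALM " if r.cross_realm else ""
        print(f"{r.ts} {tag}{r.status} {r.client} -> {r.server} "
              f"step={r.func} errno={r.errno} detail={r.detail}")
```

Run it against a real /var/log/krb5kdc.log (`parse_kdc_log(open(path))`) to list every failed cross-realm TGS_REQ together with the KDC step that rejected it; the errno line is only attached to a failed summary, so a successful request never inherits a stale errno from an earlier entry.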