Hi!
I am trying to get a kerberos realm to trust the ipa realm. I'm running ipa-server-4.6.6-11.el7 on a CentOS 7. It uses realm IPA.EXAMPLE.COM.
I have another KDC on another CentOS 7 which has another realm KRB.EXAMPLE.COM with a legacy service connected.
Now I would like all users of my IPA realm to use that legacy service. Thus I need the KRB realm to trust the IPA realm. I don't need the IPA realm to trust the KRB realm.
For the KRB KDC I have no problem adding the necessary krbtgt/KRB.EXAMPLE.COM@IPA.EXAMPLE.COM principal with a password.
However, everything I find about adding it to the IPA Kerberos involves kadmin.local which seems not to be supported anymore:
kadmin.local: Cannot open DB2 database '/var/kerberos/krb5kdc/principal': No such file or directory while initializing kadmin.local interface
How do I add this principal correctly to my IPA kerberos? Is it possible?
Thx.
On ti, 07 heinä 2020, Gerald Vogt via FreeIPA-users wrote:
Hi!
I am trying to get a kerberos realm to trust the ipa realm. I'm running ipa-server-4.6.6-11.el7 on a CentOS 7. It uses realm IPA.EXAMPLE.COM.
I have another KDC on another CentOS 7 which has another realm KRB.EXAMPLE.COM with a legacy service connected.
Now I would like all users of my IPA realm to use that legacy service. Thus I need the KRB realm to trust the IPA realm. I don't need the IPA realm to trust the KRB realm.
For the KRB KDC I have no problem adding the necessary krbtgt/KRB.EXAMPLE.COM@IPA.EXAMPLE.COM principal with a password.
However, everything I find about adding it to the IPA Kerberos involves kadmin.local which seems not to be supported anymore:
kadmin.local: Cannot open DB2 database '/var/kerberos/krb5kdc/principal': No such file or directory while initializing kadmin.local interface
The message above says that DB2 database driver is used by kadmin.local instead of IPA one. Your /etc/krb5.conf should have:
[dbmodules] IPA.TEST = { db_library = ipadb.so }
How do I add this principal correctly to my IPA kerberos? Is it possible?
Kind of. Beware of dragons, of course.
WARNING: this is not supported for mindless enablement. If you'd break your system, it is all your fault.
You need to use '-x ipa-setup-override-restrictions' to kadmin.local when it uses ipadb module.
Please note that FreeIPA expectation from trusted realms are stricter than in a standard MIT KDC case. For example, if your trusted realm produces PAC records in the tickets, these tickets will be rejected if FreeIPA KDC cannot find corresponding trusted domain definition in IPA LDAP. This, for example, is not possible right now for IPA-IPA trust.
A non-AD-compatible Kerberos realm can be made trusted but that's about it. If it has user principals that couldn't be mapped to IPA users, the only thing that those principals would be able to do is to obtain service tickets to IPA services. They would not exist on POSIX level, of course, so none of POSIX-specific operations would work, including HBAC rules.
On 07.07.20 10:13, Alexander Bokovoy wrote:
On ti, 07 heinä 2020, Gerald Vogt via FreeIPA-users wrote:
Hi!
I am trying to get a kerberos realm to trust the ipa realm. I'm running ipa-server-4.6.6-11.el7 on a CentOS 7. It uses realm IPA.EXAMPLE.COM.
I have another KDC on another CentOS 7 which has another realm KRB.EXAMPLE.COM with a legacy service connected.
Now I would like all users of my IPA realm to use that legacy service. Thus I need the KRB realm to trust the IPA realm. I don't need the IPA realm to trust the KRB realm.
For the KRB KDC I have no problem adding the necessary krbtgt/KRB.EXAMPLE.COM@IPA.EXAMPLE.COM principal with a password.
However, everything I find about adding it to the IPA Kerberos involves kadmin.local which seems not to be supported anymore:
kadmin.local: Cannot open DB2 database '/var/kerberos/krb5kdc/principal': No such file or directory while initializing kadmin.local interface
The message above says that DB2 database driver is used by kadmin.local instead of IPA one. Your /etc/krb5.conf should have:
[dbmodules] IPA.TEST = { db_library = ipadb.so }
Thanks. I have missed that.
How do I add this principal correctly to my IPA kerberos? Is it possible?
Kind of. Beware of dragons, of course.
WARNING: this is not supported for mindless enablement. If you'd break your system, it is all your fault.
You need to use '-x ipa-setup-override-restrictions' to kadmin.local when it uses ipadb module.
Please note that FreeIPA expectation from trusted realms are stricter than in a standard MIT KDC case. For example, if your trusted realm produces PAC records in the tickets, these tickets will be rejected if FreeIPA KDC cannot find corresponding trusted domain definition in IPA LDAP. This, for example, is not possible right now for IPA-IPA trust.
A non-AD-compatible Kerberos realm can be made trusted but that's about it. If it has user principals that couldn't be mapped to IPA users, the only thing that those principals would be able to do is to obtain service tickets to IPA services. They would not exist on POSIX level, of course, so none of POSIX-specific operations would work, including HBAC rules.
O.K. Now you have got me confused. I thought, all I needed was for my KRB realm to trust the IPA realm and not vice versa. Thus, all I needed was the principal in the IPA kerberos. I don't want the IPA realm to trust the KRB realm. Only the IPA users are supposed to access the KRB realm service using kerberos.
It's my understanding that your remarks in your two last paragraphs don't apply here. Or am I missing something?
Thx,
Gerald
On ti, 07 heinä 2020, Gerald Vogt via FreeIPA-users wrote:
On 07.07.20 10:13, Alexander Bokovoy wrote:
On ti, 07 heinä 2020, Gerald Vogt via FreeIPA-users wrote:
Hi!
I am trying to get a kerberos realm to trust the ipa realm. I'm running ipa-server-4.6.6-11.el7 on a CentOS 7. It uses realm IPA.EXAMPLE.COM.
I have another KDC on another CentOS 7 which has another realm KRB.EXAMPLE.COM with a legacy service connected.
Now I would like all users of my IPA realm to use that legacy service. Thus I need the KRB realm to trust the IPA realm. I don't need the IPA realm to trust the KRB realm.
For the KRB KDC I have no problem adding the necessary krbtgt/KRB.EXAMPLE.COM@IPA.EXAMPLE.COM principal with a password.
However, everything I find about adding it to the IPA Kerberos involves kadmin.local which seems not to be supported anymore:
kadmin.local: Cannot open DB2 database '/var/kerberos/krb5kdc/principal': No such file or directory while initializing kadmin.local interface
The message above says that DB2 database driver is used by kadmin.local instead of IPA one. Your /etc/krb5.conf should have:
[dbmodules] IPA.TEST = { db_library = ipadb.so }
Thanks. I have missed that.
How do I add this principal correctly to my IPA kerberos? Is it possible?
Kind of. Beware of dragons, of course.
WARNING: this is not supported for mindless enablement. If you'd break your system, it is all your fault.
You need to use '-x ipa-setup-override-restrictions' to kadmin.local when it uses ipadb module.
Please note that FreeIPA expectation from trusted realms are stricter than in a standard MIT KDC case. For example, if your trusted realm produces PAC records in the tickets, these tickets will be rejected if FreeIPA KDC cannot find corresponding trusted domain definition in IPA LDAP. This, for example, is not possible right now for IPA-IPA trust.
A non-AD-compatible Kerberos realm can be made trusted but that's about it. If it has user principals that couldn't be mapped to IPA users, the only thing that those principals would be able to do is to obtain service tickets to IPA services. They would not exist on POSIX level, of course, so none of POSIX-specific operations would work, including HBAC rules.
O.K. Now you have got me confused. I thought, all I needed was for my KRB realm to trust the IPA realm and not vice versa. Thus, all I needed was the principal in the IPA kerberos. I don't want the IPA realm to trust the KRB realm. Only the IPA users are supposed to access the KRB realm service using kerberos.
It's my understanding that your remarks in your two last paragraphs don't apply here. Or am I missing something?
No, you are good -- I tried to structure my answer to also make sure people don't try it the other way around as a supported solution. ;)
freeipa-users@lists.fedorahosted.org