Discussion:
[Freeipa-users] Trust between IPA and another MIT Kerberos Realm
Matt Bryant
2013-11-27 01:24:36 UTC
All,

Is there any documentation anywhere that describes whether this can be
done and how to do it? Would like to set up a one-way trust between a
new IPA realm and a legacy Kerberos realm. The doco explicitly says don't
use kadmin/kadmin.local, so not sure how to get the
krbtgt/***@IPA-REALM principal into IPA that would facilitate such
a trust.

rgds

Matt B.
Rob Crittenden
2013-11-27 03:57:06 UTC
Post by Matt Bryant
All,
Is there any documentation anywhere that describes whether this can be
done and how to do it? Would like to set up a one-way trust between a
new IPA realm and a legacy Kerberos realm. The doco explicitly says don't
use kadmin/kadmin.local, so not sure how to get the
krbtgt/***@IPA-REALM principal into IPA that would facilitate such
a trust.
We haven't implemented (or tested) this yet. It is just MIT Kerberos
under the hood, so in theory creating the right principals should do the
trick.

If you have IPA 3.0+ then you can use kadmin to create the principals
you need. IIRC the RHEL Kerberos documentation is fairly good in this
regard.

rob
Matt Bryant
2013-11-27 05:24:49 UTC
Hmm, just upgraded to 3 so thought I would give it a go ... but (ain't
there always one of those :( ) can't seem to add the principal ..

kadmin.local: add_principal krbtgt/OLD-***@IPA-REALM
WARNING: no policy specified for krbtgt/OLD-***@IPA-REALM; defaulting
to no policy
Enter password for principal "krbtgt/OLD-***@IPA-REALM":
Re-enter password for principal "krbtgt/OLD-***@IPA-REALM":
add_principal: Invalid argument while creating "krbtgt/OLD-***@IPA-REALM".

and nothing was placed in the kadmin log .. :(


rgds

Matt B.
Post by Rob Crittenden
Post by Matt Bryant
All,
Is there any documentation anywhere that describes whether this can be
done and how to do it? Would like to set up a one-way trust between a
new IPA realm and a legacy Kerberos realm. The doco explicitly says don't
use kadmin/kadmin.local, so not sure how to get the
krbtgt/***@IPA-REALM principal into IPA that would facilitate such
a trust.
We haven't implemented (or tested) this yet. It is just MIT Kerberos
under the hood, so in theory creating the right principals should do
the trick.
If you have IPA 3.0+ then you can use kadmin to create the principals
you need. IIRC the RHEL Kerberos documentation is fairly good in this
regard.
rob
Simo Sorce
2013-11-27 13:05:16 UTC
Post by Matt Bryant
Hmm, just upgraded to 3 so thought I would give it a go ... but (ain't
there always one of those :( ) can't seem to add the principal ..
kadmin.local: add_principal krbtgt/OLD-***@IPA-REALM
WARNING: no policy specified for krbtgt/OLD-***@IPA-REALM; defaulting
to no policy
Enter password for principal "krbtgt/OLD-***@IPA-REALM":
Re-enter password for principal "krbtgt/OLD-***@IPA-REALM":
add_principal: Invalid argument while creating "krbtgt/OLD-***@IPA-REALM".
and nothing was placed in the kadmin log .. :(
This is almost certainly a bug. Can you open a ticket so we can
investigate?

Simo.
--
Simo Sorce * Red Hat, Inc * New York
Matt Bryant
2013-11-27 22:29:33 UTC
Simo,

Have added the following into bugzilla ..

Bug 1035494 <https://bugzilla.redhat.com/show_bug.cgi?id=1035494> has
been added to the database

seems strange but whilst listprincs/getprinc works, getpols and the
addprinc (at least in this use case) don't...

i.e.
kadmin.local: add_principal -pw XXXXXXX krbtgt/OLD-***@IPA-REALM
WARNING: no policy specified for krbtgt/OLD-***@IPA-REALM; defaulting
to no policy
add_principal: Invalid argument while creating "krbtgt/OLD-***@IPA-REALM".

kadmin.local: listpols
get_policies: Plugin does not support the operation while retrieving list.

rgds

Matt B.
Post by Simo Sorce
Post by Matt Bryant
Hmm, just upgraded to 3 so thought I would give it a go ... but (ain't
there always one of those :( ) can't seem to add the principal ..
kadmin.local: add_principal krbtgt/OLD-***@IPA-REALM
WARNING: no policy specified for krbtgt/OLD-***@IPA-REALM; defaulting
to no policy
Enter password for principal "krbtgt/OLD-***@IPA-REALM":
Re-enter password for principal "krbtgt/OLD-***@IPA-REALM":
add_principal: Invalid argument while creating "krbtgt/OLD-***@IPA-REALM".
and nothing was placed in the kadmin log .. :(
This is almost certainly a bug. Can you open a ticket so we can
investigate?
Simo.
Simo Sorce
2013-11-27 23:10:20 UTC
Post by Matt Bryant
Simo,
Have added the following into bugzilla ..
Bug 1035494 has been added to the database
seems strange but whilst listprincs/getprinc works, getpols and the
addprinc (at least in this use case) don't...
addprinc not working for normal user principals is expected; we block it
to prevent the creation of incomplete user accounts.

I think getpols is also expected to fail as we use IPA-specific
policies.

However, it should allow you to create krbtgt/OLD-***@IPA-REALM to set
up trusts until we provide an explicit command for it. This is why I
wanted you to open a bug on that.
Post by Matt Bryant
i.e.
kadmin.local: add_principal -pw XXXXXXX krbtgt/OLD-***@IPA-REALM
WARNING: no policy specified for krbtgt/OLD-***@IPA-REALM; defaulting
to no policy
add_principal: Invalid argument while creating "krbtgt/OLD-***@IPA-REALM".
Now that I think of it, there is an undocumented switch that will allow
you to create an arbitrary principal. This switch should NEVER be used
to create user principals or normal host principals, however it should
allow you to work around the issue until we can fix the kadmin interface.

Use kadmin.local -x ipa-setup-override-restrictions

But please use it exclusively to create the krbtgt/***@REALM2
principals and nothing else.

Simo.
--
Simo Sorce * Red Hat, Inc * New York
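One way to script the procedure Simo describes, as an added example that is not part of this thread or of the FreeIPA project: a small POSIX shell wrapper that refuses anything but a cross-realm krbtgt principal before it ever invokes kadmin.local, so the override switch cannot be misused for user or host principals, and that creates the same principal with the same key on both KDCs. The realm names are placeholders, the enctype/salt string and the KADMIN override used for dry runs are assumptions, and the shared key is fed to kadmin on stdin rather than with -pw so it does not show up in the process list.

```sh
#!/bin/sh
# Added example (not from the thread or the FreeIPA project): guard the
# kadmin.local override switch so it only ever creates cross-realm krbtgt
# principals, and create the same principal with the same key on both KDCs.
#
# Assumptions: IPA 3.x kadmin.local understands -x ipa-setup-override-restrictions
# (as described in the thread); the legacy KDC is plain MIT kadmin.local;
# realm names are placeholders. KADMIN may be overridden (e.g. KADMIN=echo)
# for a dry run; ENCTYPES must be identical on both KDCs so that the
# password-derived keys match on both sides.

KADMIN="${KADMIN:-kadmin.local}"
ENCTYPES="${ENCTYPES:-aes256-cts:normal}"

# Return 0 only for krbtgt/<SERVICE-REALM>@<OWN-REALM> with two different,
# non-empty realms. Users, hosts and a realm's own TGT are all refused.
is_cross_realm_krbtgt() {
    princ="$1"
    case "$princ" in
        krbtgt/*@*) ;;
        *) return 1 ;;
    esac
    svc_realm="${princ#krbtgt/}"
    svc_realm="${svc_realm%@*}"
    own_realm="${princ##*@}"
    [ -n "$svc_realm" ] && [ -n "$own_realm" ] && [ "$svc_realm" != "$own_realm" ]
}

# Run one add_principal query. The shared key is written to kadmin's stdin
# (add_principal prompts for it twice) instead of being passed with -pw, so
# it never appears in the process list. Extra kadmin.local options come first.
_add_princ() {
    princ="$1"; secret="$2"; shift 2
    if ! is_cross_realm_krbtgt "$princ"; then
        echo "refusing to create non-cross-realm principal: $princ" >&2
        return 1
    fi
    printf '%s\n%s\n' "$secret" "$secret" |
        "$KADMIN" "$@" -q "add_principal -e $ENCTYPES $princ"
}

# On the IPA KDC: IPA blocks add_principal by default (it would leave an
# incomplete account); the override switch lifts that for this one query.
add_trust_princ_ipa() {
    _add_princ "$1" "$2" -x ipa-setup-override-restrictions
}

# On the legacy MIT KDC: same principal name, same key, no override needed.
add_trust_princ_mit() {
    _add_princ "$1" "$2"
}

# Usage: sh cross-realm-krbtgt.sh ipa|mit krbtgt/OLD-REALM@IPA-REALM < keyfile
# (the shared key is read from stdin; nothing runs when no mode is given).
case "${1:-}" in
    ipa) IFS= read -r secret; add_trust_princ_ipa "$2" "$secret" ;;
    mit) IFS= read -r secret; add_trust_princ_mit "$2" "$secret" ;;
esac
```

Run it once on each KDC with the same key file; if the two databases end up with different enctypes or salts, the cross-realm TGT issued by one side will not decrypt on the other, which is the first thing to check when the trust does not work.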
Matt Bryant
2013-11-27 23:48:19 UTC
Simo,

Thanks for that .. using that switch the principal is now created .. on to
see if it works as expected ..

rgds

Matt B.
Post by Simo Sorce
Post by Matt Bryant
Simo,
Have added the following into bugzilla ..
Bug 1035494 has been added to the database
seems strange but whilst listprincs/getprinc works, getpols and the
addprinc (at least in this use case) don't...
addprinc not working for normal user principals is expected; we block it
to prevent the creation of incomplete user accounts.
I think getpols is also expected to fail as we use IPA-specific
policies.
However, it should allow you to create krbtgt/OLD-***@IPA-REALM to set
up trusts until we provide an explicit command for it. This is why I
wanted you to open a bug on that.
Post by Matt Bryant
i.e.
kadmin.local: add_principal -pw XXXXXXX krbtgt/OLD-***@IPA-REALM
WARNING: no policy specified for krbtgt/OLD-***@IPA-REALM; defaulting
to no policy
add_principal: Invalid argument while creating "krbtgt/OLD-***@IPA-REALM".
Now that I think of it, there is an undocumented switch that will allow
you to create an arbitrary principal. This switch should NEVER be used
to create user principals or normal host principals, however it should
allow you to work around the issue until we can fix the kadmin interface.
Use kadmin.local -x ipa-setup-override-restrictions
But please use it exclusively to create the krbtgt/***@REALM2
principals and nothing else.
Simo.