[Freeipa-users] FreeIPA ActiveDirectory Integration, Fedora and Windows 2008 R2 AD: "ipa: ERROR: an internal error has occurred"

Traiano Welcome traiano at gmail.com
Sat Sep 13 18:46:33 UTC 2014


On Sat, Sep 13, 2014 at 7:03 PM, Alexander Bokovoy <abokovoy at redhat.com>
wrote:

> On Sat, 13 Sep 2014, Traiano Welcome wrote:
>
>> Hi
>>
>> I've managed to get trusts working with CentOS 7 as an IdM server,
>> Win2K8R2 AD DC and CentOS6.5 as a client, using the exact same series
>> of steps as in the documentation. Attached is the process I used.
>>
> You got one step wrong:
> ============================================================================
> 8. Modify /etc/krb5.conf
>
> [realms]
> ENGENEON.LOCAL = {
>  kdc = idm003.engeneon.local:88
>  master_kdc = idm003.engeneon.local:88
>  admin_server = idm003.engeneon.local:749
>  default_domain = engeneon.local
>  pkinit_anchors = FILE:/etc/ipa/ca.crt
>  auth_to_local = RULE:[1:$1@$0](^.*@AD_DOMAIN$)s/@AD_DOMAIN/@ad_domain/
>  auth_to_local = DEFAULT
> }
> ============================================================================
>
> Here you have to substitute AD_DOMAIN and ad_domain by your actual
> AD domain name. This change has to be done currently on every IPA
> machine where you are expecting AD users to log in.
>
>


Doh! OK, fixed. Although I didn't notice any login failures testing with a
bunch of users. Is it possible this behavior is already being adapted
around in either one of PAM, OpenSSH or KRB5?

> For each domain in the trusted AD forest, AD_DOMAIN should be its realm
> and ad_domain should be the same in lower case, as SSSD normalizes user
> names to lower case. The rule tells the Kerberos library how to transform
> a Kerberos principal (thus the REALM has to be upper case, as required by
> MIT Kerberos) to a POSIX user name (thus put the domain name in lower
> case, as SSSD will normalize the user name). OpenSSH and some other
> software actually check that the POSIX user name corresponds to the value
> the Kerberos library will return to the OpenSSH daemon after running
> through the auth_to_local rules.
>
> I.e., in your case it would be
>
>   auth_to_local = RULE:[1:$1@$0](^.*@MHATEST.LOCAL$)s/@MHATEST.LOCAL/@mhatest.local/
>
> and if you have multiple subdomains, there should be multiple rules like
> this, one for each domain whose users you want to be able to log in.
> We are improving this in MIT Kerberos 1.12 and SSSD 1.12.1, where all
> these rules will be replaced with a plugin that fetches the list of
> domains from IPA servers and manages it automatically. However, it is
> currently not available in any released distribution.
>
> --
> / Alexander Bokovoy
>
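As an added illustration of how the auth_to_local entries discussed above are evaluated (example code written for this page, not part of the thread, of FreeIPA or of MIT Kerberos): a small Python model of RULE and DEFAULT processing, using the thread's MHATEST.LOCAL rule and the ENGENEON.LOCAL realm from the quoted krb5.conf; user names such as jdoe are constructed samples.

```python
import re

# Constructed rule set in the shape the thread describes: one RULE per trusted
# AD domain (MHATEST.LOCAL, from the thread), then DEFAULT for the IPA realm
# itself (ENGENEON.LOCAL, from the quoted krb5.conf).
IPA_REALM = "ENGENEON.LOCAL"
RULES = [
    "RULE:[1:$1@$0](^.*@MHATEST.LOCAL$)s/@MHATEST.LOCAL/@mhatest.local/",
    "DEFAULT",
]

# RULE:[n:template](regex)s/pattern/replacement/[g]
_RULE_RE = re.compile(r"^RULE:\[(\d+):([^\]]*)\]\((.*)\)s/(.*?)/(.*?)/(g?)$")


def _split_principal(principal):
    """Split 'c1/c2@REALM' into (['c1', 'c2'], 'REALM'); the realm follows the last '@'."""
    name, _, realm = principal.rpartition("@")
    if not realm:
        raise ValueError("principal has no realm: %r" % principal)
    return name.split("/"), realm


def _apply_rule(rule, principal, default_realm):
    """Apply one auth_to_local entry; return the POSIX name, or None if it does not apply."""
    components, realm = _split_principal(principal)
    if rule == "DEFAULT":
        # DEFAULT: a single-component principal in the local realm maps to its name.
        return components[0] if len(components) == 1 and realm == default_realm else None
    m = _RULE_RE.match(rule)
    if not m:
        raise ValueError("unparseable rule: %r" % rule)
    ncomp, template, regex, pattern, repl, flag = m.groups()
    if len(components) != int(ncomp):
        return None  # rule only applies to principals with exactly n components
    # Build the candidate string: $0 is the realm, $1..$n are the components.
    values = [realm] + components
    formed = re.sub(r"\$(\d+)", lambda mo: values[int(mo.group(1))], template)
    # The parenthesised regex must match (the thread's rule anchors it with ^...$).
    if not re.search(regex, formed):
        return None
    # sed-style substitution: 'g' replaces every occurrence, otherwise only the first.
    return re.sub(pattern, repl, formed, count=0 if flag == "g" else 1)


def auth_to_local(principal, rules=RULES, default_realm=IPA_REALM):
    """Return the POSIX user name for a principal, or None if no rule maps it (login fails)."""
    for rule in rules:
        local = _apply_rule(rule, principal, default_realm)
        if local is not None:
            return local
    return None
```

Because '.' is a regex metacharacter, the pattern as written in the thread also matches realms such as MHATESTxLOCAL; escaping the dots (MHATEST\.LOCAL) makes the match exact.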