On Thu, 4 Dec 2014 13:22:01 +0200
Alexander Bokovoy <[email protected]> wrote:

> On Thu, 04 Dec 2014, Petr Spacek wrote:
> >> And /var/log/krb5kdc.log on master.f21.test (KDC for F21.TEST) I
> >> can see:
> >> Dec 04 12:41:52 master.f21.test krb5kdc[1131](info): bad realm transit path from '[email protected]' to 'host/[email protected]' via ''
> >> Dec 04 12:41:52 master.f21.test krb5kdc[1131](info): TGS_REQ (6 etypes {18 17 16 23 25 26}) 192.168.5.109: BAD_TRANSIT: authtime 1417689777, [email protected] for host/[email protected], KDC policy rejects request
> >> Dec 04 12:41:52 master.f21.test krb5kdc[1131](info): bad realm transit path from '[email protected]' to 'host/[email protected]' via ''
> >> Dec 04 12:41:52 master.f21.test krb5kdc[1131](info): TGS_REQ (6 etypes {18 17 16 23 25 26}) 192.168.5.109: BAD_TRANSIT: authtime 1417689777, [email protected] for host/[email protected], KDC policy rejects request
> >>
> >> And this is correct for FreeIPA 3.3 or later because we limit
> >> trust to those domains we defined in cn=ad,cn=trusts,$SUFFIX with
> >> filter (objectclass=ipaNTTrustedDomain). For the rest we return
> >> KRB5KRB_AP_ERR_ILL_CR_TKT error code which is visible as 'KDC
> >> policy rejects request'.
> >>
> >>
> >> We may reconsider this check and instead of
> >> KRB5KRB_AP_ERR_ILL_CR_TKT return KRB5_PLUGIN_NO_HANDLE to allow
> >> fallback to krb5.conf-defined capaths but I remember we had some
> >> issues with krb5 versions prior to 1.12 where capaths from
> >> krb5.conf were blocking work of the DAL driver.
> >
> >Alexander, could you open a ticket to prevent us from forgetting
> >about it?
> I'm not sure yet this is valid. For FreeIPA-FreeIPA trust we'll have a
> separate solution and it will be along the lines of existing 'ipa
> trust-add' workflow where existing DAL driver code will work as it is.

I think we should have a way to relax this requirement, so that people
like Andreas can play with Kerberos level trusts.

Simo.

-- 
Simo Sorce * Red Hat, Inc * New York
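As an added illustration (not part of this thread and not FreeIPA project code): a small Python parser that pulls the BAD_TRANSIT rejections out of krb5kdc.log lines of the kind quoted above, pairs each one with the "bad realm transit path ... via" line the KDC logs just before it, and tallies which client-realm to service-realm pairs are being refused by the transit check. The sample log lines, the KDC hostname and the principal names are constructed for this example.

```python
import re
from collections import Counter
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample of krb5kdc.log entries: two lines for a rejected
# cross-realm TGS request (as in the thread) and one line for a normal
# same-realm issue, so the parser has something to leave alone.
SAMPLE_LOG = """\
Dec 04 12:41:52 kdc.example.test krb5kdc[1131](info): bad realm transit path from 'alice@OTHER.TEST' to 'host/srv.example.test@EXAMPLE.TEST' via ''
Dec 04 12:41:52 kdc.example.test krb5kdc[1131](info): TGS_REQ (6 etypes {18 17 16 23 25 26}) 192.168.5.109: BAD_TRANSIT: authtime 1417689777, alice@OTHER.TEST for host/srv.example.test@EXAMPLE.TEST, KDC policy rejects request
Dec 04 12:42:10 kdc.example.test krb5kdc[1131](info): TGS_REQ (6 etypes {18 17 16 23 25 26}) 192.168.5.20: ISSUE: authtime 1417689800, etypes {rep=18 tkt=18 ses=18}, bob@EXAMPLE.TEST for host/srv.example.test@EXAMPLE.TEST
"""

# The "bad realm transit path" line carries the transit path ("via") the KDC saw.
TRANSIT_RE = re.compile(
    r"bad realm transit path from '(?P<client>[^']*)' to '(?P<service>[^']*)' via '(?P<via>[^']*)'"
)
# The TGS_REQ line carries the requester address, the outcome and an optional reason.
TGS_RE = re.compile(
    r"TGS_REQ \(\d+ etypes \{[^}]*\}\) (?P<ip>\S+): (?P<status>[A-Z_]+): "
    r"authtime (?P<authtime>\d+), (?:etypes \{[^}]*\}, )?"
    r"(?P<client>\S+) for (?P<service>[^,]+)(?:, (?P<reason>.*))?$"
)


@dataclass
class TgsEvent:
    ip: str
    status: str
    client: str
    service: str
    reason: Optional[str] = None
    via: Optional[str] = None  # transit path from the preceding "bad realm transit path" line


def realm_of(principal: str) -> str:
    """Realm part of a Kerberos principal (text after the last '@')."""
    return principal.rsplit("@", 1)[-1]


def parse_kdc_log(text: str) -> List[TgsEvent]:
    """Turn TGS_REQ log lines into events, attaching the 'via' path to BAD_TRANSIT ones."""
    events: List[TgsEvent] = []
    pending_via = {}  # (client, service) -> via, from the most recent transit-path line
    for line in text.splitlines():
        m = TRANSIT_RE.search(line)
        if m:
            pending_via[(m["client"], m["service"])] = m["via"]
            continue
        m = TGS_RE.search(line)
        if not m:
            continue
        ev = TgsEvent(ip=m["ip"], status=m["status"], client=m["client"],
                      service=m["service"], reason=m["reason"])
        if ev.status == "BAD_TRANSIT":
            ev.via = pending_via.pop((ev.client, ev.service), None)
        events.append(ev)
    return events


def rejected_realm_pairs(events: List[TgsEvent]) -> Counter:
    """Count BAD_TRANSIT rejections per (client realm, service realm) pair."""
    return Counter((realm_of(e.client), realm_of(e.service))
                   for e in events if e.status == "BAD_TRANSIT")


if __name__ == "__main__":
    evs = parse_kdc_log(SAMPLE_LOG)
    for e in evs:
        if e.status == "BAD_TRANSIT":
            print(f"{e.ip}: {e.client} -> {e.service} via {e.via!r}: {e.reason}")
    for (src, dst), n in rejected_realm_pairs(evs).items():
        print(f"{src} -> {dst}: {n} rejection(s)")
```

A realm pair that shows up in this tally but is not among the trusted domains configured under cn=ad,cn=trusts,$SUFFIX is exactly the situation the thread describes: the DAL driver answers KRB5KRB_AP_ERR_ILL_CR_TKT, which the KDC logs as "KDC policy rejects request", and any capaths in krb5.conf are not consulted.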

-- 
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go To http://freeipa.org for more info on the project
