Hi All, I’m trying to create a (one-way) Kerberos trust between AD and a FreeIPA installation, such that user TGTs from AD can be used to access resources in the IPA realm.
I followed some (non-IPA related) steps for setting up Kerberos trusts between AD and MIT Kerberos - essentially creating a common TGT principal in both systems with a common password. This works to a point (i.e. I can get the TGT for IPA using the AD TGT), but when I try to fetch a service ticket in the IPA domain I get a 'HANDLE_AUTHDATA' error.

Here is what I'm seeing (AD domain = 'STAFF.LOCALREALM'; IPA domain = 'PALLAS.LOCALREALM'):

    # Get AD TGT:
    Password for [email protected]: XXXXXXXXX
    $ klist
    Ticket cache: KEYRING:persistent:10846:10846
    Default principal: [email protected]

    Valid starting     Expires            Service principal
    11/06/20 13:34:19  11/06/20 23:34:19  krbtgt/[email protected]
        renew until 12/06/20 13:34:18

    # Use AD TGT to get an IPA TGT:
    $ kvno krbtgt/[email protected]
    krbtgt/[email protected]: kvno = 0
    $ klist
    Ticket cache: KEYRING:persistent:10846:10846
    Default principal: [email protected]

    Valid starting     Expires            Service principal
    11/06/20 13:34:24  11/06/20 23:34:19  krbtgt/[email protected]
        renew until 12/06/20 13:34:18
    11/06/20 13:34:19  11/06/20 23:34:19  krbtgt/[email protected]
        renew until 12/06/20 13:34:18

    # Try to fetch an IPA service ticket:
    $ kvno host/[email protected]
    kvno: KDC returned error string: HANDLE_AUTHDATA while getting credentials for host/[email protected]

Can anyone provide some idea as to what's going on here and how I resolve this? I don't really know what 'HANDLE_AUTHDATA' indicates and I'm not able to find a lot of documentation explaining this.

Thanks!
Robert.

________________________________________________
Kerberos mailing list
[email protected]
https://mailman.mit.edu/mailman/listinfo/kerberos
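The sequence in the post (local TGT, then a cross-realm TGT obtained with kvno, then a service-ticket request in the other realm) depends on the client holding the right krbtgt tickets before the remote KDC is ever asked for a service ticket. The script below is an added example, not code from the post, FreeIPA or MIT Kerberos: it works out the cross-realm krbtgt chain a client needs for a given service principal (direct trust, or via the intermediate realms listed in a krb5.conf [capaths] stanza) and checks a klist dump for the hops that are absent. The klist text it runs on is constructed to match the shape of the cache shown in the post; the user name "user", the host name in the service principal and the exact cross-realm principal names are assumptions, since the archived post masks them.

```python
"""Check a klist dump for the cross-realm krbtgt tickets a client must hold
before the KDC of another realm will issue it a service ticket.

Kerberos rule this relies on: to get svc@SERVER_REALM, a client whose TGT is
for CLIENT_REALM first needs a cross-realm TGT named
krbtgt/SERVER_REALM@CLIENT_REALM (direct trust), or a chain of such TGTs
through the intermediate realms configured in [capaths] in krb5.conf.
"""
import re


def cross_realm_chain(client_realm, server_realm, capaths=None):
    """Return, in order, the krbtgt principals needed to walk from
    client_realm to server_realm.  capaths maps (client, server) to the list
    of intermediate realms, with "." meaning a direct path, mirroring the
    krb5.conf [capaths] syntax."""
    if client_realm == server_realm:
        return []                      # same realm: the ordinary TGT suffices
    hops = []
    if capaths and (client_realm, server_realm) in capaths:
        hops = [r for r in capaths[(client_realm, server_realm)] if r != "."]
    chain, current = [], client_realm
    for nxt in hops + [server_realm]:
        chain.append(f"krbtgt/{nxt}@{current}")
        current = nxt
    return chain


# One credential line of klist output: "<start> <expiry> <service principal>".
_TICKET = re.compile(r"^\s*(\d\S*\s+\S+)\s+(\d\S*\s+\S+)\s+(\S+@\S+)\s*$")


def parse_klist(text):
    """Return (default principal, set of service principals) from klist
    output.  The column header and 'renew until' continuation lines do not
    match _TICKET and are skipped."""
    default, held = None, set()
    for line in text.splitlines():
        m = re.match(r"^Default principal:\s*(\S+)", line)
        if m:
            default = m.group(1)
            continue
        m = _TICKET.match(line)
        if m:
            held.add(m.group(3))
    if default is None:
        raise ValueError("no 'Default principal:' line in klist output")
    return default, held


def missing_cross_realm_tgts(klist_text, service_principal, capaths=None):
    """krbtgt principals the cache must contain to reach service_principal
    but does not hold.  An empty list means the cross-realm path is complete
    and any failure is coming from the target realm's KDC itself."""
    default, held = parse_klist(klist_text)
    client_realm = default.rsplit("@", 1)[1]
    server_realm = service_principal.rsplit("@", 1)[1]
    return [p for p in cross_realm_chain(client_realm, server_realm, capaths)
            if p not in held]


# Constructed sample modelled on the cache in the post after the kvno call.
# "user" and the unmasked principal names are assumptions.
KLIST_AFTER_KVNO = """\
Ticket cache: KEYRING:persistent:10846:10846
Default principal: user@STAFF.LOCALREALM

Valid starting       Expires              Service principal
11/06/20 13:34:24  11/06/20 23:34:19  krbtgt/PALLAS.LOCALREALM@STAFF.LOCALREALM
\trenew until 12/06/20 13:34:18
11/06/20 13:34:19  11/06/20 23:34:19  krbtgt/STAFF.LOCALREALM@STAFF.LOCALREALM
\trenew until 12/06/20 13:34:18
"""

# The same cache before the kvno call: only the AD TGT is present (constructed).
KLIST_BEFORE_KVNO = """\
Ticket cache: KEYRING:persistent:10846:10846
Default principal: user@STAFF.LOCALREALM

Valid starting       Expires              Service principal
11/06/20 13:34:19  11/06/20 23:34:19  krbtgt/STAFF.LOCALREALM@STAFF.LOCALREALM
\trenew until 12/06/20 13:34:18
"""

if __name__ == "__main__":
    svc = "host/ipa.pallas.localrealm@PALLAS.LOCALREALM"   # assumed host name
    print(missing_cross_realm_tgts(KLIST_BEFORE_KVNO, svc))
    print(missing_cross_realm_tgts(KLIST_AFTER_KVNO, svc))
    via_parent = {("STAFF.LOCALREALM", "PALLAS.LOCALREALM"): ["LOCALREALM"]}
    print(cross_realm_chain("STAFF.LOCALREALM", "PALLAS.LOCALREALM", via_parent))
```

Run against the cache as it looks before the kvno call, the check reports krbtgt/PALLAS.LOCALREALM@STAFF.LOCALREALM as missing; against the cache as shown after it, the list is empty. That matches the post: the client already holds the one hop a direct trust needs, so the HANDLE_AUTHDATA string is an error the PALLAS KDC itself returns on the TGS request, not a gap in the ticket chain. The capaths variant shows how the chain changes when the trust is routed through a parent realm instead of being direct.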
