On Mon, Jun 15, 2020 at 2:39 AM Robert Sturrock <r...@unimelb.edu.au> wrote:
> Hi All,
>
> I’m trying to create a (one-way) Kerberos trust between AD and a FreeIPA
> installation, such that user TGTs from AD can be used to access resources
> in the IPA realm.
>
> I followed some (non-IPA related) steps for setting up Kerberos trusts
> between AD and MIT Kerberos - essentially creating a common TGT principal
> in both systems with a common password. This works to a point (i.e. I can
> get the TGT for IPA using the AD TGT), but when I try to fetch a service
> ticket in the IPA domain I get a ‘HANDLE_AUTHDATA’ error.

Was there any reason not to follow the IPA steps for setting up trusts? They are very straightforward.

https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/8/html/installing_identity_management/installing-trust-between-idm-and-ad_installing-identity-management

> Here is what I’m seeing:
>
> (AD domain = ‘STAFF.LOCALREALM'; IPA domain = ‘PALLAS.LOCALREALM')
>
> # Get AD TGT:
> Password for rns@STAFF.LOCALREALM: XXXXXXXXX
>
> $ klist
> Ticket cache: KEYRING:persistent:10846:10846
> Default principal: rns@STAFF.LOCALREALM
>
> Valid starting       Expires              Service principal
> 11/06/20 13:34:19    11/06/20 23:34:19    krbtgt/STAFF.LOCALREALM@STAFF.LOCALREALM
>         renew until 12/06/20 13:34:18
>
> # Use AD TGT to get an IPA TGT:
> $ kvno krbtgt/PALLAS.LOCALREALM@STAFF.LOCALREALM
> krbtgt/PALLAS.LOCALREALM@STAFF.LOCALREALM: kvno = 0
>
> $ klist
> Ticket cache: KEYRING:persistent:10846:10846
> Default principal: rns@STAFF.LOCALREALM
>
> Valid starting       Expires              Service principal
> 11/06/20 13:34:24    11/06/20 23:34:19    krbtgt/PALLAS.LOCALREALM@STAFF.LOCALREALM
>         renew until 12/06/20 13:34:18
> 11/06/20 13:34:19    11/06/20 23:34:19    krbtgt/STAFF.LOCALREALM@STAFF.LOCALREALM
>         renew until 12/06/20 13:34:18
>
> # Try to fetch an IPA service ticket:
> $ kvno host/palladium1.localdomain@PALLAS.LOCALREALM
> kvno: KDC returned error string: HANDLE_AUTHDATA while getting
> credentials for host/palladium1.localdomain@PALLAS.LOCALREALM
>
> Can anyone provide some idea as to what’s going on here and how I resolve
> this? I don’t really know what ‘HANDLE_AUTHDATA’ indicates and I’m not
> able to find a lot of documentation explaining this.
>
> Thanks!
>
> Robert.
>
> ________________________________________________
> Kerberos mailing list           Kerberos@mit.edu
> https://mailman.mit.edu/mailman/listinfo/kerberos

-- 
Thank you,
Dmitri Pal

Director, Software Engineering
Red Hat Enterprise Linux Platform Security and Identity Management
d...@redhat.com
<https://red.ht/sig>