On Mon, Jun 15, 2020 at 9:49 PM Robert Sturrock <r...@unimelb.edu.au> wrote:
> Hi Dmitri,
>
> Sorry - I did not give all the background in the interests of brevity. We
> do not want to establish a full trust between AD and IPA (at this stage).
> This is for a number of reasons, but is primarily a reluctance to bring a
> very large and entirely irrelevant set of AD groups across to IPA-enrolled
> hosts.
>
> The IPA installation is running in a ‘winsync’ arrangement with AD, but as
> a convenience for the users it would be useful if a TGT from AD were
> sufficient to access services in the IPA realm, to save them having to
> ‘kinit’ to another Kerberos realm.
>
> So I’m interested in establishing a trust at the Kerberos level only. We
> have done this successfully between a legacy MIT Kerberos service and IPA,
> so I hoped we could also set one up between AD and IPA, before running into
> the error I described.
>
> Any clues as to what the reason for the ‘HANDLE_AUTHDATA’ error might be?
>

Thanks for the explanation.
I suspect that IdM does not know anything about the principal you are using
and thus fails to fetch/process authorization data that it needs to put into
the ticket. But this is my pure speculation based on a general understanding
of the IPA architecture. You might get better help on the freeipa-users list,
but frankly I am not sure anyone tried or would recommend such a setup there.
You are crossing uncharted territory for sure.

Thanks
Dmitri

> Regards,
>
> Robert.
>
> > On 15 Jun 2020, at 11:00 pm, Dmitri Pal <d...@redhat.com> wrote:
> >
> > On Mon, Jun 15, 2020 at 2:39 AM Robert Sturrock <r...@unimelb.edu.au> wrote:
> >
> > Hi All,
> >
> > I’m trying to create a (one-way) Kerberos trust between AD and a FreeIPA
> > installation, such that user TGTs from AD can be used to access resources
> > in the IPA realm.
> >
> > I followed some (non-IPA related) steps for setting up Kerberos trusts
> > between AD and MIT Kerberos - essentially creating a common TGT principal
> > in both systems with a common password. This works to a point (i.e. I can
> > get the TGT for IPA using the AD TGT), but when I try to fetch a service
> > ticket in the IPA domain I get a ‘HANDLE_AUTHDATA’ error.
> >
> > Was there any reason not to follow IPA steps for setting trusts?
> > They are very straightforward.
> > https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/8/html/installing_identity_management/installing-trust-between-idm-and-ad_installing-identity-management
> >
> > Here is what I’m seeing:
> >
> > (AD domain = ‘STAFF.LOCALREALM’; IPA domain = ‘PALLAS.LOCALREALM’)
> >
> > # Get AD TGT:
> > Password for rns@STAFF.LOCALREALM: XXXXXXXXX
> >
> > $ klist
> > Ticket cache: KEYRING:persistent:10846:10846
> > Default principal: rns@STAFF.LOCALREALM
> >
> > Valid starting       Expires              Service principal
> > 11/06/20 13:34:19    11/06/20 23:34:19    krbtgt/STAFF.LOCALREALM@STAFF.LOCALREALM
> >         renew until 12/06/20 13:34:18
> >
> > # Use AD TGT to get an IPA TGT:
> > $ kvno krbtgt/PALLAS.LOCALREALM@STAFF.LOCALREALM
> > krbtgt/PALLAS.LOCALREALM@STAFF.LOCALREALM: kvno = 0
> >
> > $ klist
> > Ticket cache: KEYRING:persistent:10846:10846
> > Default principal: rns@STAFF.LOCALREALM
> >
> > Valid starting       Expires              Service principal
> > 11/06/20 13:34:24    11/06/20 23:34:19    krbtgt/PALLAS.LOCALREALM@STAFF.LOCALREALM
> >         renew until 12/06/20 13:34:18
> > 11/06/20 13:34:19    11/06/20 23:34:19    krbtgt/STAFF.LOCALREALM@STAFF.LOCALREALM
> >         renew until 12/06/20 13:34:18
> >
> > # Try to fetch an IPA service ticket:
> > $ kvno host/palladium1.localdomain@PALLAS.LOCALREALM
> > kvno: KDC returned error string: HANDLE_AUTHDATA while getting
> > credentials for host/palladium1.localdomain@PALLAS.LOCALREALM
> >
> > Can anyone provide some idea as to what’s going on here and how I
> > resolve this? I don’t really know what ‘HANDLE_AUTHDATA’ indicates and I’m
> > not able to find a lot of documentation explaining this.
> >
> > Thanks!
> >
> > Robert.
> >
> > ________________________________________________
> > Kerberos mailing list Kerberos@mit.edu
> > https://mailman.mit.edu/mailman/listinfo/kerberos
> >
> > --
> > Thank you,
> > Dmitri Pal
> > Director, Software Engineering
> > Red Hat Enterprise Linux Platform Security and Identity Management
> > d...@redhat.com

--
Thank you,
Dmitri Pal
Director, Software Engineering
Red Hat Enterprise Linux Platform Security and Identity Management
d...@redhat.com
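As an added illustration (not code from the thread or from FreeIPA), the Python below parses klist output shaped like Robert's session and classifies what the client cache proves about a service request: once krbtgt/PALLAS.LOCALREALM@STAFF.LOCALREALM is cached, the client-side hop of the trust worked, and a subsequent error such as HANDLE_AUTHDATA comes from the target KDC's handling of the foreign principal, which is the part Dmitri's reply speculates about. The klist text is a constructed sample; the function and label names are my own.

```python
import re

# Constructed sample modelled on the second klist in the thread (cross-realm
# TGT already obtained, IPA service ticket not yet requested).
SAMPLE_KLIST = """\
Ticket cache: KEYRING:persistent:10846:10846
Default principal: rns@STAFF.LOCALREALM

Valid starting       Expires              Service principal
11/06/20 13:34:24    11/06/20 23:34:19    krbtgt/PALLAS.LOCALREALM@STAFF.LOCALREALM
\trenew until 12/06/20 13:34:18
11/06/20 13:34:19    11/06/20 23:34:19    krbtgt/STAFF.LOCALREALM@STAFF.LOCALREALM
\trenew until 12/06/20 13:34:18
"""

# One ticket line: start, expiry, service principal (dd/mm/yy as in the thread).
TICKET_RE = re.compile(
    r"^(\d\d/\d\d/\d\d \d\d:\d\d:\d\d)\s+(\d\d/\d\d/\d\d \d\d:\d\d:\d\d)\s+(\S+)$"
)


def parse_klist(text):
    """Return (default_principal, [(service, valid_from, expires), ...])."""
    default, tickets = None, []
    for line in text.splitlines():
        if line.startswith("Default principal:"):
            default = line.split(":", 1)[1].strip()
            continue
        m = TICKET_RE.match(line)  # "renew until" lines do not match; skipped
        if m:
            tickets.append((m.group(3), m.group(1), m.group(2)))
    return default, tickets


def realm_of(principal):
    return principal.rsplit("@", 1)[1]


def cross_realm_status(klist_text, service_principal):
    """'local'       : service lives in the client realm, local TGT suffices
       'have-xrealm' : krbtgt/<target>@<client> cached; failures now belong to
                       the target KDC (e.g. authorization-data handling)
       'no-xrealm'   : cross-realm TGT not yet obtained from the client KDC"""
    default, tickets = parse_klist(klist_text)
    client_realm, target_realm = realm_of(default), realm_of(service_principal)
    if target_realm == client_realm:
        return "local"
    wanted = f"krbtgt/{target_realm}@{client_realm}"
    return "have-xrealm" if any(s == wanted for s, _, _ in tickets) else "no-xrealm"
```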