From: bugzilla-noreply@freebsd.org
To: bugs@FreeBSD.org
Subject: [Bug 268186] Kerberos authentication fails with a Linux/FreeIPA KDC
Date: Wed, 21 Dec 2022 22:37:35 +0000
X-Bugzilla-Product: Base System
X-Bugzilla-Component: bin
X-Bugzilla-Version: Unspecified
X-Bugzilla-Severity: Affects Some People
X-Bugzilla-Who: cy@FreeBSD.org
X-Bugzilla-Status: Open
X-Bugzilla-Assigned-To: bugs@FreeBSD.org
List-Archive: https://lists.freebsd.org/archives/freebsd-bugs

https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=268186

--- Comment #46 from Cy Schubert ---
Looking further at FreeIPA, there is no way to use the MIT KRB5 kadmin command to
manage or even look at the database because there is no kadmin ACL file.
FreeIPA must be managed through ipa-* commands.

I think someone will need to port FreeIPA to FreeBSD ports because there is no
way to run ipa-join on FreeBSD.

In MIT KRB5 and Heimdal KRB5 one needs to add a host principal using the kadmin
command, store the key into a keytab and copy that keytab to /etc. This must be
done before anyone can log into the server.

In Active Directory one must use winbind (or sssd) and join the server to
Active Directory using net ads join. This must be done before anyone can log
into the server.

In FreeIPA one must run ipa-join to add the server principal to the realm. This
is similar in concept to joining a server object to an Active Directory domain.
I don't know how you can do this without porting FreeIPA's client software to
FreeBSD.

I think the ask here is to find someone willing to port FreeIPA to FreeBSD or
create a port yourself and submit it for inclusion into the ports collection.
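
Added example, not part of the original comment or of any FreeBSD, MIT or FreeIPA code: a check that a keytab copied to /etc really holds a key for the host principal the comment says must exist before anyone can log in. It parses the version 0x0502 keytab file layout; the host name, realm and all-zero keys are constructed sample values.

```python
import struct

def build_entry(principal, realm, kvno, enctype, key):
    """Encode one entry of a version 0x0502 keytab (used for the constructed sample)."""
    body = struct.pack(">H", principal.count("/") + 1)
    for s in [realm] + principal.split("/"):
        body += struct.pack(">H", len(s)) + s.encode()
    # name type 1, timestamp 0, 8-bit kvno, enctype, key length, key, 32-bit kvno
    body += struct.pack(">IIBHH", 1, 0, kvno & 0xFF, enctype, len(key)) + key
    body += struct.pack(">I", kvno)
    return struct.pack(">i", len(body)) + body

def parse_keytab(data):
    """Return [(principal, kvno, enctype)] for every live entry in a keytab."""
    if data[:2] != b"\x05\x02":
        raise ValueError("not a version 0x0502 keytab")
    pos, entries = 2, []
    while pos + 4 <= len(data):
        (size,) = struct.unpack_from(">i", data, pos)
        pos += 4
        if size <= 0:                 # negative length = deleted entry (hole): skip it
            pos += -size
            continue
        end = pos + size
        if end > len(data):
            raise ValueError("truncated keytab entry")
        (ncomp,) = struct.unpack_from(">H", data, pos)
        p, parts = pos + 2, []
        for _ in range(ncomp + 1):    # realm first, then the name components
            (n,) = struct.unpack_from(">H", data, p)
            parts.append(data[p + 2:p + 2 + n].decode())
            p += 2 + n
        _ntype, _ts, vno8, enctype, klen = struct.unpack_from(">IIBHH", data, p)
        p += 13 + klen
        vno32 = struct.unpack_from(">I", data, p)[0] if end - p >= 4 else 0
        entries.append(("/".join(parts[1:]) + "@" + parts[0], vno32 or vno8, enctype))
        pos = end
    return entries

def host_keys(data, fqdn, realm):
    """(kvno, enctype) pairs stored for host/<fqdn>@<realm>; empty means no host key."""
    want = f"host/{fqdn}@{realm}"
    return [(k, e) for name, k, e in parse_keytab(data) if name == want]

# Constructed sample (all-zero keys, hypothetical host and realm), not a real keytab.
SAMPLE = (b"\x05\x02"
          + build_entry("nfs/fbsd.example.test", "EXAMPLE.TEST", 1, 18, bytes(32))
          + struct.pack(">i", -8) + bytes(8)
          + build_entry("host/fbsd.example.test", "EXAMPLE.TEST", 2, 18, bytes(32)))

if __name__ == "__main__":
    print(host_keys(SAMPLE, "fbsd.example.test", "EXAMPLE.TEST") or "no host principal")
```

On a real server, pass the bytes of the installed keytab instead of SAMPLE; an empty result means the host was never given a key in that file.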