Univention Bugzilla – Bug 46380
univention-domain-join should adjust settings to enable saml-kerberos
Last modified: 2019-01-09 18:51:01 CET
Single Sign-on via Kerberos is a new feature in UCS 4.3 (Bug #33214). It would be great if the domain-join assistant would configure the system to enable the feature while joining the UCS domain.
- Add 'rdns = false' to the libdefaults section in /etc/krb5.conf
- Install the UCS root ca systemwide (Bug #46379)
- (Optional) configure known browsers to enable negotiate against ucs domain
Since Bug #46379 is fixed, the UCS root ca is now available system-wide. All of the supported Ubuntu versions (Ubuntu 14.04, 16.04 and 17.10) use the Heimdal implementation of Kerberos, which doesn't need the 'rdns = false' setting in /etc/krb5.conf, so I didn't add this to the configuration. Since configuring browsers to enable negotiate against UCS domain is non-trivial and also documented, I left this feature out. Under these circumstances no changes needed to be made to the code.
*** This bug has been marked as a duplicate of bug 48379 ***