On 05/28/2013 03:48 PM, Alexander Bokovoy wrote: > On Tue, 28 May 2013, Dmitri Pal wrote: >> On 05/28/2013 07:50 AM, Alexander Bokovoy wrote: >>> Hi, >>> >>> >>> http://www.freeipa.org/page/V3/Serving_legacy_clients_for_trusts >>> >>> = Overview = >>> >>> Since version 3.0 FreeIPA supports cross-realm trusts with Active >>> Directory. In order to allow AD users to utilize services on IPA >>> clients, up to date version of SSSD should be configured at the IPA >>> client. In case it is not possible to install and configure SSSD > >>> 1.09, >>> Active Directory users cannot access services on IPA clients. >>> >>> This feature is designed to bridge the gap and provide minimal >>> compatibility level that allows to log-in to IPA clients for AD users. >>> IPA clients will be able to use any reasonable nss_ldap/pam_ldap/sssd >>> version. >>> = Use Cases = >>> >>> Access to IPA client machine resources for AD users in case IPA client >>> cannot utilize up to date version of SSSD with native support for IPA >>> cross-realm trusts. >>> >>> = Design= >>> Since IPA client is configured with the use of older SSSD or >>> nss_ldap/pam_ldap, all work should be performed at the IPA master. >>> Primary design decision is to provide a separate LDAP tree, similar to >>> compat tree, that has following features: >>> >>> * information about both IPA and AD users can be queried; >>> * it ispossible to enumerate members of IPA and AD groups; >>> * authentication bind to IPA LDAP as AD users should automatically >>> * trigger obtaining ticket from AD DC; in case TGT is obtained, >>> * authentication bind should be treated as successful. >>> >>> From a client perspective, use of the separate LDAP tree is viewed as >>> traditional nss_ldap/pam_ldap configuration. >>> >>> Proposed base for the LDAP tree: >>> '''cn=users,cn=trust-accounts,dc=example,dc=com''' >>> >>> = Implementation = >>> >>> # IPA server sets SSSD configuration to 'ipa_server_mode = true' on >>> install or upgrade >>> # ipa-adtrust-install configures additional directory server plugin to >>> serve trusted domains tree >>> # Directory server plugin uses getpwnam_r(), getgrnam_r() and related >>> calls to obtain information about AD user. For IPA users the >>> information is fetched directly from the LDAP. >>> # IPA KDC database driver adds MS-PAC information into ticket granting >>> ticket for host/fqdn@REALM principal of IPA master. This is required >>> to allow SSSD on IPA master to authenticate against AD using >>> host/fqdn@REALM principal. >>> >>> For SSSD design see >>> https://fedorahosted.org/sssd/wiki/DesignDocs/IPAServerMode >>> >>> = Feature Management = >>> >>> === UI === >>> >>> The feature is transparent and not exposed in UI >>> >>> === CLI === >>> >>> The feature is not directly exposed in CLI. >>> IPA idrange management is expanded to specify idrange type (IPA local, >>> AD trust, AD with winsync, IPA trust, ..) to affect the way how AD >>> users >>> SIDs are mapped to POSIX IDs. >>> >>> = Major configuration options and enablement = >>> >>> sssd.conf will have 'ipa_server_mode = true' set for IPA master. >>> >>> = Replication = >>> >>> No effect on replication. Since directory server plugin is only >>> configured when ipa-adtrust-install is run, IPA masters may opt out >>> from >>> serving AD clients. >>> >>> = Updates and Upgrades = >>> >>> During upgrade of IPA master, sssd.conf should be updated to set >>> 'ipa_server_mode = true'. >>> >>> = Dependencies = >>> >>> Depends on SSSD implementing IPA server mode (sssd 1.10.x) >>> >>> = External Impact = >>> >>> https://fedorahosted.org/sssd/wiki/DesignDocs/IPAServerMode >>> >>> = Backup and Restore = >>> >>> No external configuration files are affected >>> >>> = Test Plan = >>> >>> Testing the feature will require following: >>> >>> # Configure IPA to serve AD trusts >>> # Establish trust with AD domain >>> # Configure a client to use nss_ldap/pam_ldap against AD-compatible >>> tree >>> # Attempt to log-in to the client as AD user >>> >>> = RFE Author = >>> >>> [[User:Ab|ab]] ([[User talk:Ab|talk]]) >>> >> >> >> Can you please explain how the older SSSD or other UNIX versions would >> use Kerberos for authentication? > pam_krb5 should work as it is, as well as older SSSD, since any AD user > attempting to connect using GSSAPI to IPA services will have cross-realm > TGT issued for us by the trusting AD DC prior to that attempt. > > The whole idea was to make sure for old clients these users will look > like normal users, via nss_ldap/SSSD. > > We still will need to configure principal mapping in /etc/krb5.conf like > we do for AD users with trusts. > >> I thought we would have to issue some patch for client to switch the >> clients from using Kerberos for authentication to using LDAP. > No need to. pam_ldap would go through LDAP bind automatically, that's > why the proposal talks about attempting to obtain TGT in place of a user > instead of proxying such LDAP bind back to AD DC. This would require us > enforcing clear password bind over TLS/SSL but it is simpler to achieve. > I am missing something. How a simple kinit would work? Can you please describe the sequence and workflow?
-- Thank you, Dmitri Pal Sr. Engineering Manager for IdM portfolio Red Hat Inc. ------------------------------- Looking to carve out IT costs? www.redhat.com/carveoutcosts/ _______________________________________________ Freeipa-devel mailing list Freeipafirstname.lastname@example.org https://www.redhat.com/mailman/listinfo/freeipa-devel