On Wed, Jul 03, 2013 at 02:53:55PM +0200, Sumit Bose wrote:
> On Wed, Jul 03, 2013 at 01:00:43PM +0300, Alexander Bokovoy wrote:
> > On Mon, 01 Jul 2013, Sumit Bose wrote:
> > >Hi,
> > >
> > >this patch fixes https://fedorahosted.org/freeipa/ticket/3651 but only
> > >to allow SSSD running on a FreeIPA server to access the AD LDAP server.
> > >In the ticket a more generic solution is described but since there is no
> > >other use case so far I think this patch is sufficient for the time
> > >being.
> > >
> > >bye,
> > >Sumit
> > >From a707d8f9d771dfe4fb8487e051519dba0ef72449 Mon Sep 17 00:00:00 2001
> > >From: Sumit Bose <sb...@redhat.com>
> > >Date: Mon, 1 Jul 2013 13:47:22 +0200
> > >Subject: [PATCH] Add PAC to master host TGTs
> > >
> > >For a proper SALS bind with GSSAPI against an AD LDAP server a PAC is
> > >needed. To allow SSSD in ipa_server_mode to access the LDAP or GC server
> > >of a trusted domain with the credentials of a FreeIPA server host a
> > >PAC must be added to the TGT for the host.
> > s/SALS/SASL/
> Thank you for the review, I've fixed the typo and added the numerical
> values for the well-known RIDs to the commit message.
> > >To determine if a host is a FreeIPA server or not it is checked if there
> > >is an entry for the host in cn=master,cn=ipa,cn=etc,$base. Unfortunately
> > >this requires an additional LDAP lookup. But since TGS-REQs for hosts
> > >should be rare I think it is acceptable for the time being.
> > I think it is better to change this lookup to
> > "cn=ADTRUST,cn=$FQDN,cn=masters,cn=ipa,cn=etc,$SUFFIX", it would
> > explicitly limit us to the IPA masters running AD trusts.
> I'm not sure if this restriction is needed. With SSSD's ipa_server_mode
> any IPA master (which networkwise can access an AD server of the trusted
> domain) can read AD user and group data, no running smbd or winbind is
> required. So it would be possible to run the extdom plugin or the compat
> plugin for the legacy clients on any IPA server which would allow a much
> better load balancing.
> If there are other concerns I'm happy to add the restriction.
I don't think I know the code good enough to provide a full review, but
the patch enables the lookups from an IPA master without any additional
hacks. So ack on functionality at least.
Freeipa-devel mailing list