Hi list,

I have an issue with an AD one-way trust to IPA, where the AD is
configured with a very specific set of ACL's on the various OUs where
the user accounts live. Authenticated Users cannot search for all users
in the AD LDAP directory. This is done as the AD is hosting a
multi-tenant environment, and there exists a requirement for different
customers accounts not to be visible by everyone.

The issue for IPA is when SSSD is attempting to look up the users
details in AD via LDAP, using it's trust account
(cn=IPADOM$,cn=Users,dc=ad,dc=local). This trust account does not have
the required permissions to search for all the users in the AD LDAP
tree, the AD user is not found by SSSD, and is denied logon access.

As the IPADOM$ account is a special trust account, it is not possible to
add this account to the AD group which is normally used to grant access
to service accounts to read the entire AD LDAP directory.

I have verified the issue by kinit a TGT using the
/var/lib/sss/keytabs/AD-TRUST.keytab, and using ldapsearch -Y GSSAPI to
query for the exact ldap query I noticed failing in the sssd log
/var/log/sssd/sssd_ipa.dns.domain.log. The result is user is *not* found.

If I kinit administrator@AD.DOMAIN and run the exact same LDAP query
using ldapsearch -Y GSSAPI, the user *is* found.

If (for testing purposes) the "Authenticated Users" group is granted
access on the OU's containing the AD users, IPA+trust+SSSD works, is
able to find the user, and the AD user is able to log on to Linux.

Any attempt to add the IPADOM$ account to the OU's ACL has failed, as
the user is an hidden account in AD.

So I wonder if it is possible to specify a different AD LDAP account for
SSSD to use for it's LDAP trust lookups towards AD? Or perhaps there is
a better way to solve this issue?

Any pointers and advice is greatly appreciated.

FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org

Reply via email to