Hi list,

I have an issue with an AD one-way trust to IPA, where the AD is configured with a very specific set of ACLs on the various OUs where the user accounts live. Authenticated Users cannot search for all users in the AD LDAP directory. This is done because the AD is hosting a multi-tenant environment, and there is a requirement that different customers' accounts not be visible to everyone.

The issue for IPA is that when SSSD attempts to look up the user's details in AD via LDAP, it uses its trust account (cn=IPADOM$,cn=Users,dc=ad,dc=local). This trust account does not have the required permissions to search for all the users in the AD LDAP tree, so the AD user is not found by SSSD and is denied logon access. As the IPADOM$ account is a special trust account, it is not possible to add this account to the AD group which is normally used to grant service accounts read access to the entire AD LDAP directory.

I have verified the issue by using kinit to get a TGT from /var/lib/sss/keytabs/AD-TRUST.keytab, and using ldapsearch -Y GSSAPI to run the exact LDAP query I noticed failing in the sssd log /var/log/sssd/sssd_ipa.dns.domain.log. The result is that the user is *not* found. If I kinit administrator@AD.DOMAIN and run the exact same LDAP query using ldapsearch -Y GSSAPI, the user *is* found.

If (for testing purposes) the "Authenticated Users" group is granted access on the OUs containing the AD users, IPA+trust+SSSD works, is able to find the user, and the AD user is able to log on to Linux. Any attempt to add the IPADOM$ account to the OUs' ACLs has failed, as the user is a hidden account in AD.

So I wonder if it is possible to specify a different AD LDAP account for SSSD to use for its LDAP trust lookups towards AD? Or perhaps there is a better way to solve this issue?

Any pointers and advice are greatly appreciated.

Regards,
Siggi

_______________________________________________
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org
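The comparison the post describes (the same LDAP query run once with the trust account's TGT and once with a privileged AD principal) can be scripted so the ACL gap is reported in one line rather than read out of two LDIF dumps. The script below is an added example, not code from the original post or from the FreeIPA/SSSD projects. The keytab path and base DN are taken from the post; the trust principal name `IPADOM$@AD.LOCAL`, the DC hostname `ad.local` and the `sAMAccountName` filter are assumptions (the post does not quote the exact filter SSSD issued), so override them with the `TRUST_PRINC`, `AD_HOST`, `AD_BASE` and `TRUST_KEYTAB` environment variables as needed.

```shell
#!/bin/sh
# Added diagnostic (not from the original post): compare what the AD LDAP
# directory returns for one user when bound as the IPA trust account versus
# an AD principal that is known to have read access to the user OUs.
# Assumptions: a sAMAccountName filter (SSSD's real filter is not quoted in
# the post), trust keytab path and base DN from the post, and the trust
# principal name IPADOM$@AD.LOCAL and DC hostname ad.local, which are guesses.

TRUST_KEYTAB="${TRUST_KEYTAB:-/var/lib/sss/keytabs/AD-TRUST.keytab}"
TRUST_PRINC="${TRUST_PRINC:-IPADOM\$@AD.LOCAL}"   # assumed principal name
AD_BASE="${AD_BASE:-dc=ad,dc=local}"
AD_HOST="${AD_HOST:-ad.local}"                    # assumed DC hostname

# Build the search filter for a sAMAccountName, escaping the characters
# RFC 4515 reserves so a user-supplied name cannot alter the filter.
user_filter() {
    name=$(printf '%s' "$1" | sed -e 's/\\/\\5c/g' -e 's/\*/\\2a/g' -e 's/(/\\28/g' -e 's/)/\\29/g')
    printf '(&(objectClass=user)(sAMAccountName=%s))' "$name"
}

# Count entries in LDIF read from stdin (every returned entry starts with "dn:").
ldif_entry_count() {
    n=$(grep -c '^dn:' || true)
    printf '%s' "$n"
}

# Classify the comparison: "ok" when both principals see the user, "acl" when
# only the privileged principal sees it (the post's situation), "missing" when
# neither does (the account does not exist or the base DN is wrong).
classify() {
    trust_n=$1; admin_n=$2
    if [ "$trust_n" -gt 0 ]; then printf 'ok'
    elif [ "$admin_n" -gt 0 ]; then printf 'acl'
    else printf 'missing'; fi
}

# Search for user $2 with a TGT for principal $1 (keytab in $3, or a password
# prompt when $3 is empty), using a private credential cache so the host's
# SSSD cache is never touched. Prints the number of entries returned.
lookup_as() {
    princ=$1; user=$2; keytab=$3
    export KRB5CCNAME="FILE:/tmp/adtrust-diag.$$"
    if [ -n "$keytab" ]; then kinit -kt "$keytab" "$princ" >/dev/null || return 1
    else kinit "$princ" >/dev/null || return 1; fi
    ldapsearch -LLL -Y GSSAPI -H "ldap://$AD_HOST" -b "$AD_BASE" \
        "$(user_filter "$user")" dn 2>/dev/null | ldif_entry_count
    kdestroy >/dev/null 2>&1
}

main() {
    user=$1; admin=${2:-administrator@AD.LOCAL}   # assumed privileged principal
    t=$(lookup_as "$TRUST_PRINC" "$user" "$TRUST_KEYTAB") || t=0
    a=$(lookup_as "$admin" "$user" "") || a=0
    echo "user=$user trust_entries=$t admin_entries=$a verdict=$(classify "$t" "$a")"
}

# Run only when invoked with a user name, so the functions can also be sourced.
if [ $# -ge 1 ]; then main "$@"; fi
```

Run it on the IPA server (where the trust keytab already lives) as `sh adtrust-diag.sh someuser`; a verdict of `acl` reproduces the post's finding that the directory ACLs, not the trust itself, hide the account from SSSD, while `missing` points at the base DN or the account name instead.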