On Tue, 06 March 2018, lejeczek via FreeIPA-users wrote:


On 06/03/18 07:28, Florence Blanc-Renaud wrote:
On 05/03/2018 19:01, lejeczek via FreeIPA-users wrote:
hi guys

I wonder if it is (or would be) possible to have IPA join AD, but
so that the IPA admin only asks the AD admin(s) to do whatever is
required and then s/he does the IPA end?
And a reason you would do that is: the domains are formally (and
in other ways) separate, so the AD admin would have to keep
secret and not share any of those AD credentials you would
normally use in IPA to add such a trust.

many thanks, L.
_______________________________________________
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org
Hi,

it is possible to use a shared secret instead of the AD admin credentials when establishing the trust:
https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/html/windows_integration_guide/trust-during#create-trust-shared-secret


Does this address your concern?
Flo

That might be exactly it!
I'm trying "one way" and while the command succeeded I saw this:
...
Domain Security Identifier: S-1-5-21-3110176660-1847390102-3050341588
  SID blacklist incoming: S-1-0, S-1-1, S-1-2, S-1-3, S-1-5-1, S-1-5-2, S-1-5-3, S-1-5-4, S-1-5-5,
                          S-1-5-6, S-1-5-7, S-1-5-8, S-1-5-9, S-1-5-10, S-1-5-11, S-1-5-12, S-1-5-13,
                          S-1-5-14, S-1-5-15, S-1-5-16, S-1-5-17, S-1-5-18, S-1-5-19, S-1-5-20
  SID blacklist outgoing: S-1-0, S-1-1, S-1-2, S-1-3, S-1-5-1, S-1-5-2, S-1-5-3, S-1-5-4, S-1-5-5,
                          S-1-5-6, S-1-5-7, S-1-5-8, S-1-5-9, S-1-5-10, S-1-5-11, S-1-5-12, S-1-5-13,
                          S-1-5-14, S-1-5-15, S-1-5-16, S-1-5-17, S-1-5-18, S-1-5-19, S-1-5-20
  Trust direction: Trusting forest
  Trust type: Active Directory domain
  Trust status: Waiting for confirmation by remote side
  gidnumber: 1416100000
  ipantsecurityidentifier: S-1-5-21-690266907-396463273-2110627865-1004
  ipantsupportedencryptiontypes: 28
  ipanttrustdirection: 1
...

Now I'm trying to ssh to IPA as:

$ ssh a...@ad.priv.dom.local@10.1.1.1

but this fails as if the password was incorrect, which naturally is not true.
Is the problem "one way" trust?
One-way trust with a shared secret is not working currently. Either use
two-way trust with a shared secret or use admin credentials.

If you are interested in the details, just search mailing archives.

--
/ Alexander Bokovoy
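A small diagnostic for the situation in this thread, added here as an example and not part of the original exchange or of FreeIPA itself: it parses `ipa trust-add` / `ipa trust-show` style output (the sample is constructed from the fragment posted above), decodes `ipanttrustdirection` using the MS-ADTS trustDirection bit values, and reports whether the trust is one-way or still waiting for confirmation by the AD side. Whether the trust was established with a shared secret is not visible in that output, so the caller passes it in as a flag (an assumption of this example).

```python
"""Inspect FreeIPA trust output and flag the one-way/shared-secret case.

Added example, not FreeIPA code. SAMPLE_OUTPUT is constructed from the
fragment posted in the thread; the real command prints more fields.
"""
import re

# MS-ADTS trustDirection bit values (TRUST_DIRECTION_INBOUND / _OUTBOUND).
TRUST_INBOUND = 0x1
TRUST_OUTBOUND = 0x2

SAMPLE_OUTPUT = """\
Domain Security Identifier: S-1-5-21-3110176660-1847390102-3050341588
  SID blacklist incoming: S-1-0, S-1-1, S-1-2
  Trust direction: Trusting forest
  Trust type: Active Directory domain
  Trust status: Waiting for confirmation by remote side
  gidnumber: 1416100000
  ipantsecurityidentifier: S-1-5-21-690266907-396463273-2110627865-1004
  ipantsupportedencryptiontypes: 28
  ipanttrustdirection: 1
"""


def parse_trust_output(text):
    """Turn 'Key: value' lines into a dict; keys are kept as printed."""
    fields = {}
    for line in text.splitlines():
        m = re.match(r"\s*([^:]+):\s*(.*)$", line)
        if m:
            fields[m.group(1).strip()] = m.group(2).strip()
    return fields


def assess_trust(text, established_with_shared_secret):
    """Return direction, pending state and a list of findings for the trust.

    established_with_shared_secret: True if the trust was created with a
    shared secret rather than AD admin credentials (not visible in output).
    """
    fields = parse_trust_output(text)
    direction = int(fields.get("ipanttrustdirection", "0"))
    inbound = bool(direction & TRUST_INBOUND)
    outbound = bool(direction & TRUST_OUTBOUND)
    two_way = inbound and outbound
    status = fields.get("Trust status", "")
    pending = "waiting for confirmation" in status.lower()

    findings = []
    if not two_way:
        findings.append("one-way trust (ipanttrustdirection=%d)" % direction)
    if pending:
        findings.append("trust not yet confirmed by the AD side")
    if established_with_shared_secret and not two_way:
        findings.append(
            "one-way trust with a shared secret is the combination reported "
            "as not working; use a two-way trust with a shared secret or "
            "AD admin credentials"
        )
    return {
        "sid": fields.get("Domain Security Identifier"),
        "direction_code": direction,
        "two_way": two_way,
        "pending": pending,
        "findings": findings,
    }


if __name__ == "__main__":
    result = assess_trust(SAMPLE_OUTPUT, established_with_shared_secret=True)
    for finding in result["findings"]:
        print("-", finding)
```

Run it against the saved output of `ipa trust-show <domain>`; a login failure like the `ssh` attempt above is expected while the findings list is non-empty, so the script tells you whether the trust direction, the pending confirmation, or the shared-secret/one-way combination is the thing to fix first.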