On Mon, 13 Aug 2018, Alexander Bokovoy via FreeIPA-users wrote:
On Fri, 10 Aug 2018, D Anderson via FreeIPA-users wrote:
Hello all,

I am confused by some of the conflicting documentation about whether
this is possible or not.  Almost all of the documentation/working
examples seem to use an actual Windows Domain Controller.  Specifically
the part on DNS, as the Samba4 internal DNS server has several known
limitations.
The documentation is only conflicting if you are using it in a
conflicting way.

What is your use case, in the first place?

You want to run Samba AD DC and establish a trust from it to FreeIPA?

For a long time Samba AD DC lacked support for forest trust, thus it was
not possible to use it against FreeIPA. In 2015-17 Red Hat together with
SerNet worked on improvements in this area in Samba. The changes were
pushed out with various Samba releases but I'd recommend looking at
Samba 4.7+ -- at least that has all bugs we knew about fixed in Samba AD
DC based on Heimdal -- if you run the process from IPA side.

The choice of Kerberos library is important. Samba AD DC with MIT
Kerberos still is broken regarding trust to FreeIPA. The fixes went out
recently to SSSD 1.16.3 (released today) and Samba 4.9RC2. The FreeIPA part
of the changes is still not released as we were waiting on the other
upstream changes first and were busy finishing the FreeIPA 4.7.0 release
too.
Ah, I spoke too early: the MIT version of Samba AD DC is still lacking the
fixes needed to support trust to FreeIPA upstream. The patchset is on
review and needs a few more fixes to tests as we are correcting the way
trusted domain object's account credentials are salted in Kerberos.
These changes are yet to be committed upstream.

--
/ Alexander Bokovoy
Sr. Principal Software Engineer
Security / Identity Management Engineering
Red Hat Limited, Finland