On Thu, 23 Apr 2020 at 12:45, Alexander Bokovoy <aboko...@redhat.com> wrote:
> On Thu, 23 Apr 2020, Natxo Asenjo via FreeIPA-users wrote:
> >On Thu, Apr 23, 2020 at 8:47 AM Alexander Bokovoy <aboko...@redhat.com>
> >wrote:
> >
> >>
> >> Domain local groups are not visible through the forest trust, so they
> >> cannot be used in FreeIPA for access control purposes.
> >>
> >> Global groups can be used if they are security groups and not just
> >> distribution groups.
> >>
> >>
> >aha, thanks for this piece of information, I could not find it in the
> >documentation (which is probably my entire fault ;-) ).
> >
> >Is this the reason why?
> >https://docs.microsoft.com/en-us/windows/win32/ad/group-objects
> >
> >In that document, in the scope part:
> >
> >group scope       group can be assigned permission in
> >----------------  -------------------------------------------------
> >universal         any domain or forest
> >global            Member permissions can be assigned in any domain
> >domain local      Member permissions can be assigned only within the
> >                  same domain as the parent domain local group
> >
> >
> >Is this the technical reason the IdM trusting forest cannot see the domain
> >local groups? So we require global or universal groups?
> >
> >I need to justify some stuff to our AD people, that's why I ask ;-)
>
> It is covered in Microsoft documentation for Active Directory protocols.
>
> MS-AUTHSOD 1.1.1.4.1:
> https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-authsod/597504d8-5408-4629-9d81-aab661e6c953
> MS-KILE 3.3.5.7.3:
> https://docs.microsoft.com/en-us/openspecs/windows_protocols/MS-KILE/e55ad922-4940-432d-a253-41919d6efd24
> MS-PAC 4.1.2.1:
> https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-pac/6dd1b247-2a81-4450-8844-35fd5f3e7ac4
>
> So *any* service ticket towards a service outside of the user's domain
> will not have domain local groups in the PAC record when issued by an AD
> DC. As a result, when SSSD on an IPA client analyzes the PAC record from
> the user's Kerberos ticket, it will not have any domain local groups
> mentioned there, and they cannot be used to define access rights outside
> of the domain.

Awesome. Thanks for this explanation, it really helps.

--
Groeten,
natxo
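A practical check that follows from the thread above: before pointing an IPA HBAC or sudo rule at an AD group, look at the group's groupType attribute on the AD side and confirm it is a security-enabled global or universal group, since those are the only ones whose membership the AD DC puts into the PAC of a cross-domain service ticket. The script below is an added example written for this page; it is not code from the thread, from FreeIPA or from SSSD. The groupType flag values are the documented AD ones; the ldapsearch command in the comment, the host and base DN, and the sample group names and values are constructed assumptions.

```python
"""Classify AD group objects by groupType and report whether IPA/SSSD can
use them through a forest trust (security-enabled global or universal
groups only; domain local groups never appear in a cross-domain PAC).

Added example for this page, not FreeIPA or SSSD code. Sample data below
is constructed; host names and base DN are assumptions.
"""

# Bit flags of the AD groupType attribute (ADS_GROUP_TYPE_ENUM).
GROUP_TYPE_BUILTIN_LOCAL = 0x00000001
GROUP_TYPE_GLOBAL = 0x00000002
GROUP_TYPE_DOMAIN_LOCAL = 0x00000004
GROUP_TYPE_UNIVERSAL = 0x00000008
GROUP_TYPE_SECURITY_ENABLED = 0x80000000


def decode_group_type(raw):
    """Return (scope, is_security) for a groupType value.

    AD stores groupType as a signed 32-bit integer, so LDAP returns
    security groups as negative numbers (e.g. -2147483646 for a global
    security group). Mask to 32 bits to recover the flag bits.
    """
    value = int(raw) & 0xFFFFFFFF
    if value & GROUP_TYPE_BUILTIN_LOCAL:
        scope = "builtin"
    elif value & GROUP_TYPE_GLOBAL:
        scope = "global"
    elif value & GROUP_TYPE_DOMAIN_LOCAL:
        scope = "domain local"
    elif value & GROUP_TYPE_UNIVERSAL:
        scope = "universal"
    else:
        scope = "unknown"
    return scope, bool(value & GROUP_TYPE_SECURITY_ENABLED)


def usable_across_forest_trust(raw):
    """True if membership in this group is carried in the PAC of a service
    ticket for a service outside the user's domain, i.e. the group can back
    an IPA HBAC/sudo rule: security-enabled and global or universal."""
    scope, is_security = decode_group_type(raw)
    return is_security and scope in ("global", "universal")


def classify_entries(entries):
    """entries: iterable of (sAMAccountName, groupType) pairs, as returned
    by an LDAP search against the AD domain. Returns one dict per group."""
    rows = []
    for name, raw in entries:
        scope, is_security = decode_group_type(raw)
        rows.append({
            "name": name,
            "scope": scope,
            "security": is_security,
            "visible_via_trust": usable_across_forest_trust(raw),
        })
    return rows


# Constructed sample of what a search such as
#   ldapsearch -Y GSSAPI -H ldap://dc1.ad.example.test \
#     -b dc=ad,dc=example,dc=test "(objectClass=group)" sAMAccountName groupType
# might return (host and base DN are assumptions; values are the signed
# 32-bit form AD hands back).
SAMPLE_ENTRIES = [
    ("linux-admins", -2147483646),    # global, security       -> usable
    ("all-staff", -2147483640),       # universal, security    -> usable
    ("srv-sudoers", -2147483644),     # domain local, security -> not in PAC
    ("newsletter", 2),                # global, distribution   -> no SID in PAC
    ("Administrators", -2147483643),  # builtin local          -> domain only
]

if __name__ == "__main__":
    for row in classify_entries(SAMPLE_ENTRIES):
        flag = "OK " if row["visible_via_trust"] else "NO "
        print(f"{flag} {row['name']:<16} {row['scope']:<13} "
              f"security={row['security']}")
```

On the IPA side the same fact shows up when you resolve a trusted user: `id user@ad.example.test` on an enrolled client lists the AD groups SSSD took from the PAC, and a domain local group will be missing from that list no matter how the user is nested in it. Only groups reported as usable by this check are worth adding as external members of an IPA group.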
_______________________________________________
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahosted.org