On Fri, 05 Feb 2021, Rik Theys via FreeIPA-users wrote:
> Hi,
> We are currently evaluating FreeIPA (again) for our environment. Our
> IPA has one-way trusts with two AD domains from two different forests.
> Most things seem to be working ok so far.
> I'm now looking into setting up a samba server on an IPA-joined machine
> following the instructions in the documentation. This works okay for
> kerberos authentication (as documented), but not (yet) for
> username/password authentication.
> Is this something that is being worked on? Is it on the roadmap for a
> specific version? Is it technically impossible?
Please look at previous discussions on this list.
For example,
https://lists.fedorahosted.org/archives/list/[email protected]/message/HNAKU7JNMXVIOIUWCSJZJZDY3WJJFA5U/
> It seems that we are in a situation where none of the direct/indirect
> options seem to work for us :-(.
> - direct integration with sssd does not support one-way AD trusts from
> different forests
> - direct integration with winbind also does not seem to support one-way
> AD trusts from different forests as it seems to try to use the machine
> credentials to connect to the domain controllers of the trusted domain
> but this fails as there is no trust in the other direction. I hoped
> this would work with idmap_rid but that does not seem to be the case?
You are mixing up identity mapping methods, which are independent of
trusted domains' handling in winbindd. These are at different layers and
aren't directly related. winbindd has a bug where internal operations
across multiple trusted domains (whether directly or via others) aren't
fully asynchronous. As a result, in some scenarios an attempt to resolve
a DC name and contact it for some trusted domain might block other
operations related to the same forest. That leads to a timeout that is
then interpreted as the whole domain being offline, and thus some
upper-layer requests get rejected.
While it is visible in the case where you have more than one domain in a
trusted forest with a lot of DCs across multiple locations that aren't
easily reachable, it can also affect non-IPA use cases, and we saw such
reports for a basic file server too, like in this thread on
samba-technical@ upstream:
https://lists.samba.org/archive/samba-technical/2021-January/136246.html
A comprehensive fix was worked on in
https://gitlab.com/samba-team/samba/-/merge_requests/1573 but it got
stalled late last year for various reasons.
On top of that, IPA was not correctly supplying topology information to
winbindd where required, which led it to attempt to contact trusted
domains it couldn't talk to, as it lacked trusted object credentials
towards those domains. This is partially fixed in FreeIPA 4.9.1, as we
now store the binary blob expected by winbind and return it properly, but
there is still something preventing winbindd from reusing it. This is due
to the IPA Samba integration being a Frankenstein-like mixture of a
traditional NT domain controller and an Active Directory domain
controller, but not fully the latter. I am working at the moment on
fixing this, though it will most likely take more time to get it fully
addressed than I expected.
--
/ Alexander Bokovoy
Sr. Principal Software Engineer
Security / Identity Management Engineering
Red Hat Limited, Finland
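As an added example, not part of this thread and not code from the FreeIPA or Samba projects, here is a small POSIX shell diagnostic for the symptom Alexander describes above: winbindd timing out on one trusted domain and then treating that whole domain as offline. It parses the output of `wbinfo --online-status`, lists the domains winbindd currently considers offline, and, where wbinfo is installed, asks winbindd to reach a DC of each such domain with `wbinfo --ping-dc`. The assumed output format (`DOMAIN : online` / `DOMAIN : offline`, one line per domain) and the sample status block used when wbinfo is absent are constructed for this example.

```shell
#!/bin/sh
# Added diagnostic for the "trusted domain marked offline" symptom.
# Assumption: `wbinfo --online-status` prints one line per domain in the
# form "DOMAIN : online" or "DOMAIN : offline" (constructed sample below).

# Read online-status lines on stdin, print the name of every domain that
# winbindd reports as offline (one per line).
# Returns 0 when every domain is online, 1 when at least one is offline.
offline_domains() {
    rc=0
    while IFS= read -r line; do
        case "$line" in
            *" : offline")
                printf '%s\n' "${line% : offline}"
                rc=1
                ;;
        esac
    done
    return $rc
}

# For one offline domain, show what winbindd knows about its trust and try
# to reach a DC through winbindd itself. A ping failure on a one-way trust
# is the situation discussed in the thread: winbindd has no credentials
# towards that domain and gives up after a timeout.
check_domain() {
    dom=$1
    echo "== $dom =="
    # Trust list with type/direction; the offline domain should appear here.
    wbinfo -m --verbose 2>/dev/null | grep -i -- "$dom" || echo "$dom: not in trust list"
    if wbinfo --ping-dc --domain="$dom" >/dev/null 2>&1; then
        echo "$dom: DC reachable via winbindd"
    else
        echo "$dom: no DC reachable via winbindd (timeout or missing trust credentials)"
    fi
}

# Constructed sample used only when wbinfo is not available on this host.
SAMPLE_STATUS='BUILTIN : online
IPA.EXAMPLE : online
AD1.EXAMPLE : offline
AD2.EXAMPLE : online'

if command -v wbinfo >/dev/null 2>&1; then
    wbinfo --online-status | offline_domains | while IFS= read -r dom; do
        check_domain "$dom"
    done
else
    echo "wbinfo not found; parsing constructed sample instead:"
    printf '%s\n' "$SAMPLE_STATUS" | offline_domains ||
        echo "(at least one domain offline in sample)"
fi
```

Run it as root on the IPA-joined Samba server while a failing username/password logon is being attempted; a trusted domain that flips to offline right after a `--ping-dc` timeout is the pattern the thread attributes to the non-asynchronous winbindd lookups.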
_______________________________________________
FreeIPA-users mailing list -- [email protected]
To unsubscribe send an email to [email protected]
Fedora Code of Conduct:
https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives:
https://lists.fedorahosted.org/archives/list/[email protected]