Thank you for your comment/answer. I will do a search for earlier comments; I have noticed your name in discussions regarding this topic.

I am not entirely sure what security benefits MS-PAC has over no PAC/PAD at all, besides offloading the directory servers. If you really trust (or control) the other REALM, impersonation attacks should not be a problem. If they choose to trust you, well, it is their security problem, not yours.

If you have time between the moments while you travel, might you lend us your opinion on the following setup? We have four realms in play in our setup:

EXAMPLE.COM (IPA/IdM)
LAB.EXAMPLE.COM (IPA/IdM)
SAD.EXAMPLE.COM (Samba-based Active Directory)
MAD.EXAMPLE.COM (Microsoft-based Active Directory)

My hope is to achieve the following: LAB.EXAMPLE.COM will have a one-way trust relationship to EXAMPLE.COM (users in EXAMPLE.COM will be trusted in the LAB realm). The three other realms, LAB.EXAMPLE.COM, SAD.EXAMPLE.COM and MAD.EXAMPLE.COM, will be a playground for trust between IPA and AD.

Since our MAIN realm will not trust any other realm, I assume we don't risk any threats by turning off MS-PAC there? Though I am not sure if there are other consequences that I haven't foreseen by doing that. (We don't have any Windows servers/services in production there.)

And it does work to turn off MS-PAC (switch to PAD) in one of the realms for trust to behave as we expect (in any direction). At least in the test I made today between two IPA-based realms.

Best Regards,
Jostein Fossheim

_______________________________________________
FreeIPA-users mailing list -- [email protected]
To unsubscribe send an email to [email protected]
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedorahosted.org/archives/list/[email protected]
Do not reply to spam, report it: https://pagure.io/fedora-infrastructure/new_issue
