Hi,

Just to make clear: the scenario you are trying to set up is not
supported. Any issues found in it, would not be fixed until we start
working on IPA-IPA trust again. I am trying to point out that you are
on your own with this approach at this point.

FreeIPA and RHEL IdM by extension are often used in critical
infrastructure deployments. From my (developer) perspective, I cannot
recommend a hacked up solution that knowingly degrades security of a
deployed environment configuration.

For why PAC enforcement is important, I would recommend you to read
through Andrew Bartlett's talk at SambaXP'22:
https://sambaxp.org/fileadmin/user_upload/sambaxp2022-Slides/Bartlett-Kerberos.pdf
(there should be videos available too).

On Tue, Feb 21, 2023 at 4:54 PM Jostein Fossheim via FreeIPA-users
<[email protected]> wrote:
>
> Thank you for your comment/answer. I will do a search for earlier comments, 
> I have noticed your name in discussions regarding this topic.
>
> I am not entirely sure what security benefits MS-PAC has, over no PAC/PAD at 
> all, besides offloading the directory-servers. If you really trust (or 
> control) the other REALM, impersonation-attacks should not be a problem. If 
> they choose to trust you, well, it is their security-problem, not yours.
>
> If you have time between the moments while you travel, might you lend us your 
> opinion on the following setup:
>
>
> We have four realms in play in our setup:
>
> EXAMPLE.COM (IPA/IdM)
>
> LAB.EXAMPLE.COM (IPA/IdM)
> SAD.EXAMPLE.COM (Samba-based Active Directory)
> MAD.EXAMPLE.COM (Microsoft-based Active Directory)
>
> My hope is to achieve the following:
>
> LAB.EXAMPLE.COM will have a one-way trust-relationship to EXAMPLE.COM (Users 
> in EXAMPLE.COM will be trusted in the LAB-realm). The three other realms 
> LAB.EXAMPLE.COM, SAD.EXAMPLE.COM, MAD.EXAMPLE.COM will be a playground for 
> trust between IPA and AD.
>
> Since our MAIN realm will not trust any other realm, I assume we don't risk 
> any threats by turning off MS-PAC there? Though, I am not sure if there are 
> other consequences that I haven't foreseen by doing that. (We don't have any 
> windows-servers/services in production there) And it does work to turn off 
> MS-PAC (switch to PAD) in one of the realms, for trust to behave as we expect 
> (in any direction). At least in the test I made today between two IPA-based 
> realms.
>
> Best Regards,
>
> Jostein Fossheim
> _______________________________________________
> FreeIPA-users mailing list -- [email protected]
> To unsubscribe send an email to [email protected]
> Fedora Code of Conduct: 
> https://docs.fedoraproject.org/en-US/project/code-of-conduct/
> List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
> List Archives: 
> https://lists.fedorahosted.org/archives/list/[email protected]
> Do not reply to spam, report it: 
> https://pagure.io/fedora-infrastructure/new_issue



-- 
/ Alexander Bokovoy
Sr. Principal Software Engineer
Security / Identity Management Engineering
Red Hat Limited, Finland