On Wed, 04 Dec 2024, Aleksandr Sabirov via FreeIPA-users wrote:
> Rob Crittenden wrote:
> > Aleksandr Sabirov via FreeIPA-users wrote:
> > > Alexander Bokovoy wrote:
> > > On Tue, 03 Dec 2024, Aleksandr Sabirov via FreeIPA-users wrote:
> > > Alexander Bokovoy wrote:
> > > On Tue, 03 Dec 2024, Aleksandr Sabirov via FreeIPA-users wrote:
> > > Alexander Bokovoy wrote:
> > > On Fri, 29 Nov 2024, Aleksandr Sabirov via FreeIPA-users wrote:
> I need a Linux client (using SSSD), joined to an AD domain, to be able to
> authenticate to IPA users through trust relationships. This is not possible, am I
> correct?
> So the scheme is:
> Linux AD client -> AD <-> IPA
> If that Linux client is enrolled into AD domain, it will be talking to
> AD DC, as I said, and then will be talking to IPA DC. This is only for
> authentication; identities will have to be fetched from AD DCs and they
> will not have that information because they couldn't retrieve it from
> IPA DCs.
> Sorry for spamming, but I would like to know. This is important information
> for me.
> I answered your questions already. Sorry, I don't have time right now to
> respond more on this beyond what is already said.
> How then does a Windows 10 client located in MS AD successfully obtain
> FreeIPA trusted domain information and successfully launch a user's IPA session?
> https://www.freeipa.org/page/Windows_authentication_against_FreeIPA#id1:
> ....
>   Note also that the described configuration is not supported by FreeIPA
>   development team and also is not supported by Red Hat Enterprise Linux
>   Identity Management product. A work on making possible to login to
>   Windows machines already enrolled into a trusted Active Directory
>   forest is ongoing and is not available yet in any released FreeIPA
>   version.
> ....
> This is not a supported setup and we have no time to look into it at the
> moment.
> So Windows AD client also can't log in under IdM accounts via trust
> relationships?
> Sorry for my redundancy.
> I mean
> IdM <-> AD <- Windows 10
> Have you read the documentation?
https://docs.redhat.com/en/documentation/red_hat_enterprise_linux/9/html-sin...
rob
> Yes, I have read it. But everything there is described in "abstract terms." I
> want to know the specific names of the mechanisms that make it work that way.
>
> What do Windows AD clients have that Linux clients don't, since Windows
> can obtain users through trust relationships, but Linux cannot.
> --

Windows clients talk to AD DCs using DCE RPC calls and delegate to AD
DCs to talk to trusted domains' domain controllers. SSSD does not use
DCE RPC calls like Windows does. It only talks over LDAP to AD DCs and
uses Kerberos for authentication. In addition, the SSSD AD provider does not
support an IPA domain being a subdomain of an AD domain. This means
it cannot switch the LDAP schema to the IPA one when talking to an IPA DC, even
when it could reach the IPA DC and could authenticate to it (over a two-way
trust).

If you need to know about Active Directory stuff, you can start with the
MS-ADOD[1] and MS-AUTHSOD[2] overview documents.

[1] https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-adod
[2] https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-authsod



--
/ Alexander Bokovoy
Sr. Principal Software Engineer
Security / Identity Management Engineering
Red Hat Limited, Finland

--
_______________________________________________
FreeIPA-users mailing list -- [email protected]
To unsubscribe send an email to [email protected]
Fedora Code of Conduct: 
https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: 
https://lists.fedorahosted.org/archives/list/[email protected]
Do not reply to spam, report it: 
https://pagure.io/fedora-infrastructure/new_issue