nice (and nice its in 6.4)


I need to read up on trusts.

However from limited experience in an AD forests with trusts they get very 
complex and the security can go bye bye.  Ive seen pen tests that come in from 
a trusted domain, using an account with too many privaledges a bad password in 
a poorly implimented AD get across to the root and rainbow the password table 
(and hence domain admin) via a trust of a well set up one...own AD own IPA.

"poorly" also of course windows admins dont understand IPA or linux and linux 
admins dont understand AD or windows both are really specialists of complex 
environments in their own right.  (Which cracks me up when I see adverts for 
linux gurus and must have 3 to 5 years experience with AD....and paying 
peanuts....doh....clueless).   So if inter-domian trusts are a problem just 
consider AD to IPA!

The advantage of a win and pass sync is its a very limited and controlable 
choke point. Indeed having winsync only capable of looking at one ou in AD 
means with your admins in a different ou its impossible for them to be mirrored 
into IPA....sort of high security by accident!


I guess its the age old battle between user usablity, their freedom and 
security....hackers really dont care....

So could I have a win/passsync to one AD and trusts to other  IPAs and ADs?

1.9 sssd will be back ported to rhel5?


Steven Jones

Technical Specialist - Linux RHCE

Victoria University, Wellington, NZ

0064 4 463 6272


In addition to other comments I want to step back and give a bit of a
bigger picture.
1) Regardless of what approach you choose we recommend using the latest
available version at the moment of deployment.
2) There are two different approached to dealing with AD - sync or
trust. You need to chose what approach you want to use. Down the road
there might be some hybrid solutions but so far they are not supported.

Sync: available starting the beginning of the IPA life. It has some
limitations and we indeed had some issues with the corner cases that
Steve's environment has. They are not common but you have been warned

a) Trusts are targeting RHEL 6.4
b) There is no upgrade from Sync to Trust solution. If you want trusts
you need to upgrade what you have to 6.4 (or start over) and implement
trusts there and not do Sync.
c) To take advantage of trusts your clients must be SSSD 1.9.x otherwise
the trusts would not work. This also means that if you have other UNIXes
the trusts would not work there.

If you have UNIX clients that need to be accessed by AD users you might
explore some hybrid solutions that might work but we can't say for sure.
For example the sync might actually work in parallel to trusts to some
extent. There is also PAM pass through capability that comes with 6.4 as
a tech preview. That would allow  pass through LDAP auth for the non
SSSD 1.9 clients. But this needs to be tried out and there might be dragons.

========== armour is well singed if not a bit runny.......


Freeipa-users mailing list

Reply via email to