On Sun, 22 Sep 2013, Fred van Zwieten wrote:
Well, as explained in this thread, the problem here is that we have an IPA
domain named "MYCOMP.EDU" _and_ an AD domain named "MYCOMP.EDU" as well.
Both have there own DNS servers. It's beyond the scope of this mail to
explain why we have named them exactly the same, and we do wish we didn't,
but this is the current situation. Migrating any of these to another domain
name would be the best solution but would involve quite a lot of work.

So now we have a bunch of SAMBA services running on RHEL6.4 boxes that are
IPA-clients and we would like to give the AD users access to them. How to
proceed? We cannot use an IPA - AD trust, because both domains have the
same name. We also cannot make the SAMBA services member of the AD domain,
because the server itself is an IPA-member and krb5.conf already points to
the IPA servers for domain MYCOMP.EDU.. Also /etc/resolv points to the DNS
services of IPA.

See my problem? If not, read the whole mail thread..
Now I see it. From the original thread it wasn't reall clear and as I
said in July, I'm not sure that configuration wed discussed at the time would 

It get's even more complicated. The AD "MYCOMP.EDU" domain has a trust with
an AD "OTHERCOMP.EDU" and users in "OTHERCOMP.EDU" must access resource in "
MYCOMP.EDU". There is a trust between the AD domain "MYCOMP.EDU" and the AD
domain "OTHERCOMP.EDU". This works. We have some shares on a NetApp filer
who is member of the AD domain "MYCOMP.EDU" and people from "OTHERCOMP.EDU"
can successfully access those shares (given correct group membership

Now, we would like to have peoply in the AD domains "OTHERCOMP.EDU" and "
MYCOMP.EDU" to access shares served by SAMBA services on RHEL64 machines
that are IPA clients in the IPA domain "MYCOMP.EDU".

As all out RHEL servers are IPA clients by default we also want the servers
running SAMBA to stay IPA-clients for system level central administration
of users, groups, sudo policies, hbac, etc.

Now, how to proceed:

I see 2 possible solutions (besides byting the bullet and name change one
of the MYCOMP domains):

Solution 1:
Create an intermediary domain. This gives the following trust relationships:

AD(OTHERCOMP.EDU) <--trusts-- AD(MYCOMP.EDU) <--trusts-- AD(
MYCOMP-INTERMEDIARY.EDU) <--trusts-- IPA(MYCOMP.EDU). I don't like this one
and I am not even sure it solves my problem. Another problem involves
adding to (virtual) Windows boxes to maintain this domain.
It wouldn't solve the problem since RHEL 6.4 version of FreeIPA does not
support more than forest root domain for trust purposes right now. So
only directly trusted domain in an AD forest would be seen and trusted.

Solution 2:
Make a SAMBA only domain. Make one of the SAMBA servers a PDC and one BDC.
Make a NT-4 style trust to the AD domain MYCOMP.EDU. NT-4 style to have no
Kerberos involvement as that is used for IPA. Also no DNS clashes as NT-4
style doesn't use DNS SRV records.

AD(OTHERCOMP.EDU) <--trusts-- AD(MYCOMP.EDU) <--nt-4-trusts--

Now, giving correct group memberships and all, users in
OTHERCOMP.EDUshould be able to access shares in MYCOMP-SAMBA.
If you get IPA's user/group database behind your Samba install (which is
currently not easy), and convince winbindd/smbd that a trusted domain is
actually NT4 style too, that might work. The latter is a bit handwavy
due to the way discovery is done in winbindd which might decide Kerberos
is preferred by the trusting party...

/ Alexander Bokovoy

Freeipa-users mailing list

Reply via email to