On Mon, Jun 2, 2014 at 4:55 AM, Sumit Bose <[email protected]> wrote:

> On Fri, May 30, 2014 at 09:23:58PM -0300, tizo wrote:
> > On Fri, May 30, 2014 at 6:40 PM, Dmitri Pal <[email protected]> wrote:
> > > On 05/30/2014 05:00 PM, tizo wrote:
> > > > From: Alexander Bokovoy <abokovoy redhat com>
> > > > To: Sumit Bose <sbose redhat com>
> > > > Cc: freeipa-users redhat com
> > > > Subject: Re: [Freeipa-users] Trust services
> > > > Date: Thu, 29 May 2014 02:47:38 -0400 (EDT)
> > > >
> > > > ----- Original Message -----
> > > > > On Wed, May 28, 2014 at 10:47:13AM -0300, tizo wrote:
> > > > > > I would like to know, if having configured trusts services between FreeIPA
> > > > > > and Active Directory, allow AD users to authenticate in services that are
> > > > > > only configured to authenticate against FreeIPA.
> > > > > >
> > > > > > For example, having configured the trusts, if I have a mail server that is
> > > > > > using FreeIPA as its authentication method, can a user A from Active
> > > > > > Directory, who does not exist in FreeIPA, authenticate in the mail server?
> > > > >
> > > > > It depends a bit on how the users authenticate exactly because IPA
> > > > > offers Kerberos and LDAP authentication.
> > > > >
> > > > > Kerberos should work out of the box because that's one of the trust
> > > > > components, trusting Kerberos tickets from the other domain/realm.
> > > > >
> > > > > For LDAP authentication you should be able to find the users from the
> > > > > trusted domain in the compat tree below
> > > > > cn=compat,dc=your,dc=ipa,dc=domain . To authenticate the user you can
> > > > > do a LDAP bind with the DN from the compat tree and the password used in
> > > > > AD.
> > > > Please note that the latter is valid only for FreeIPA 3.3 and later.
> > > > FreeIPA 3.0 does not support authentication over LDAP in the compat tree.
> > > > --
> > > > / Alexander Bokovoy
> > > >
> > > > Ok. I will definitively use Kerberos. But looking at the diagram of page 22 in
> > > > http://www.freeipa.org/images/1/1e/Devconf2013-linux-ad-integration-options.pdf
> > > > I see that SSSD in the GNU/Linux host is authenticating against both Active
> > > > Directory and FreeIPA. Does the email server that I mentioned before have
> > > > to be configured in a similar way that SSSD in the GNU/Linux host of the
> > > > example? Or is it just enough that it is configured against the FreeIPA
> > > > Kerberos and nothing else?
> > >
> > > You configure client (SSSD) to point to IPA but it will discover that IPA
> > > is in trust relations and would know how to deal with tickets coming from
> > > AD side.
> > > This is why there are two arrows. They show communication.
> >
> > Ok. And what about a mail server? We are planning to use Zimbra, and we
> > want users from both FreeIPA and AD to use it. Could we just configure it
> > to authenticate against FreeIPA Kerberos? Or do we have to make something
> > else?
>
> If your question is about which domain the mail server shall join then
> in general you can choose either AD or IPA because of the trust
> relationship. Nevertheless I would recommend to join the IPA domain
> because currently the support for IPA users accessing services in the
> Active Directory domain is quite limited.
>
> If your question is about authenticating users with their Kerberos
> password via SSSD you just have to configure the IPA domain in
> sssd.conf. As Dmitri said SSSD will figure out that there is a trust
> relationship and will direct authentication requests of AD users to an AD
> DC. In general no additional configuration is needed. If you are seeing
> issues please note the following. AD users are authenticated directly
> against an AD DC, the IPA server is not involved at all in the
> authentication process because AD is the only authoritative source to
> authenticate AD users. To be able to find an appropriate AD DC SSSD
> uses DNS SRV records, i.e. DNS on the client running SSSD must be
> configured to resolve records from the AD domains. By default SSSD on an
> IPA client uses the IPA server as DNS server and since the IPA server was
> able to create the trust it can be assumed that DNS on the IPA server is
> configured correctly.
>
> To just check DNS you can call
>
>     dig SRV _ldap._tcp.AD.DOMAIN
>
> (where you replace AD.DOMAIN with your AD DNS domain name) on the IPA
> client.
>
> HTH

Yes, it does help. Thank you Sumit, Alexander and Dmitri.

As for now, I just wanted to know if it was possible for users from both systems to use the mail server. AFAICS from your responses, it can be possible. I will shortly start to test FreeIPA and to make some proofs of concept to demonstrate that our goals can be reached. At that time, I will probably come back here to ask some technical details. Again, thanks very much.
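The DNS check Sumit describes, extended into a small pre-flight script for an IPA client (added example, not from the thread or the FreeIPA project). Besides _ldap._tcp it also queries the _kerberos and _msdcs SRV names that an AD domain publishes; AD_DOMAIN is a placeholder for your AD DNS domain, and dc1/dc2.ad.example.com in the comments are constructed sample values.

```shell
#!/bin/sh
# Pre-flight check: can this IPA client discover domain controllers of the
# trusted AD domain via DNS SRV records? SSSD relies on these records to
# route AD users' authentication to an AD DC.

# parse_srv: takes the stdout of `dig +short SRV <name>` as $1 and prints
# one "priority port target" line per record, lowest priority first.
# Returns 1 when no SRV record is present (the case that breaks SSSD),
# including when dig printed only ";;" error text instead of records.
# dig +short SRV lines look like: "0 100 389 dc1.ad.example.com."
parse_srv() {
    parsed=$(printf '%s\n' "$1" |
        awk 'NF == 4 && $1 ~ /^[0-9]+$/ { sub(/\.$/, "", $4); print $1, $3, $4 }' |
        sort -n)
    [ -n "$parsed" ] || return 1
    printf '%s\n' "$parsed"
}

# check_ad_srv: live query of the SRV names SSSD uses for an AD domain.
# Usage on the IPA client: check_ad_srv ad.example.com
# Exit status is non-zero if any record set is missing.
check_ad_srv() {
    ad_domain="$1"
    rc=0
    for name in "_ldap._tcp.$ad_domain" \
                "_kerberos._tcp.$ad_domain" \
                "_kerberos._udp.$ad_domain" \
                "_ldap._tcp.dc._msdcs.$ad_domain"; do
        out=$(dig +short SRV "$name" 2>&1)
        if records=$(parse_srv "$out"); then
            echo "OK   $name"
            printf '%s\n' "$records" | sed 's/^/       /'
        else
            echo "FAIL $name: no SRV records (check /etc/resolv.conf on the client and DNS forwarding on the IPA server)"
            rc=1
        fi
    done
    return $rc
}
```

Run it as `check_ad_srv ad.example.com` on the IPA client; a FAIL line for any of the four names means SSSD cannot locate an AD DC and AD user logins will fail before the IPA server is ever involved.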
_______________________________________________
Freeipa-users mailing list
[email protected]
https://www.redhat.com/mailman/listinfo/freeipa-users
