On Tue, 16 Sep 2014, Greg Scott wrote:
I went through this thread:
but I have some more questions.
I have another situation where I need a one way AD trust. We have an
IPA domain with a bunch of Linux servers and an AD domain for the
corporate network. Typical scenario. We want IPA to trust AD but do
not want AD to trust IPA. Access is available to administrator/root
accounts in both the AD and IPA domains.
The IPA server is RHEL 7 running the IPA bundled with RHEL - I think
that's IPA 3.3.5 right now?
Reading through the thread above, when we set up cross forest trusts
with this version, the IPA side does not yet have the equivalent of a
Windows Global Catalog. So even though it says it's a 2-way trust,
it's really not because IPA has no way to store the global catalog
copies of what it needs for Windows to trust IPA. So with the version
right now as it exists today, de-facto, IPA trusts AD, but AD has no
way to trust IPA yet because IPA doesn't have all the pieces in place.
So far so good. Here is the challenge.
The AD group at this site is concerned that with some future version of
IPA, since Windows already "thinks" it trusts IPA, that IPA will get
the correct components and that suddenly IPA users will be able to
authenticate in the AD domain. Ideally, they would like to set up an
official one way trust today so that future possibility never happens.
If that isn't possible, what other steps could they take to guard
against that future possibility?
Even when IPA implements GC support, nothing will change: by default any
user that has no explicit permission in ACLs, gets what is given to all
authenticated users, i.e. default read access. When GC is there all that
will change is that there will be ability to resolve IPA users on AD
side, thus allowing AD users to assign specific permissions to IPA
Quoting from the earlier thread:
global catalog support is being worked on. As soon as it is
implemented we will add more granularity to the way the trusts are
established and thus allow formal one way trusts
Is there a time frame for this? I know it's tough to give completion
dates and that's not what I'm asking for - just a feel for how active
the development is around global catalog support. Is this something
this site should expect in the next few months or is it 5+ years away
or somewhere in the middle? Is there a projected version number where
the support will land?
I have plans to move to one-way trusts in 4.3 or so, given the time to
implement necessary code changes. They are independent of GC support
which may or may not come at same time.
Given what we have in place today, what is the best way to handle the
situation where a site wants a one way trust but must set up a 2-way
trust now with only one side of the trust functional? I suppose it is
always possible in the future when all the pieces are in place to just
destroy the 2 way trust and re-create a one way trust, but by that
time, there will probably be lots of mapping between AD SIDs and Linux
UID/GID pairs and destroying and recreating the trust could make a
royal mess out of those. Would it be possible to modify an existing
2-way trust to only be a one-way trust when the time comes?
ID ranges are what matter here and we don't destroy ID ranges when you
remove the trust. You can re-initiate the trust at that point without
breaking ID mapping.
/ Alexander Bokovoy
Manage your subscription for the Freeipa-users mailing list:
Go To http://freeipa.org for more info on the project
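The point made at the end of the thread, that the trust can be dropped and re-initiated later without breaking SID to UID/GID mapping as long as the ID range survives, is the kind of claim a practitioner wants to verify before touching a production trust. The following is an added example, not code from the thread or from the FreeIPA project: it takes two `ipa idrange-find` snapshots (one captured before `ipa trust-del`, one after `ipa trust-add`), pulls out the trusted domain's range, and checks that a given AD user SID still resolves to the same POSIX ID. The RID arithmetic mirrors the algorithmic mapping used for Active Directory trust ranges (POSIX ID = first POSIX ID of the range + (RID - base RID), valid only inside the range). The domain names, the domain SID, the numbers and the sample `idrange-find` output are constructed for illustration and are assumptions, not values from the thread.

```shell
# Added example (not from the mailing-list thread or the FreeIPA code base):
# verify that the AD trust's ID range, and hence its SID -> UID/GID mapping,
# is unchanged after the trust is removed and re-added.
#
# On a real server the snapshots would come from:
#   BEFORE=$(ipa idrange-find)   # captured before: ipa trust-del ad.example.com
#   AFTER=$(ipa idrange-find)    # captured after:  ipa trust-add --type=ad ad.example.com ...
# Here both are constructed sample output in that command's format; the
# domain name, SID and numbers are illustrative assumptions.

RANGE=AD.EXAMPLE.COM_id_range
DOMSID=S-1-5-21-3623811015-3361044348-30300820

BEFORE="  Range name: $RANGE
  First Posix ID of the range: 1700000000
  Number of IDs in the range: 200000
  First RID of the corresponding RID range: 0
  Domain SID of the trusted domain: $DOMSID
  Range type: Active Directory domain range"

# What the range should look like after re-adding the trust: identical.
AFTER_SAME="$BEFORE"

# What a range recreated with a different base would look like (constructed).
AFTER_MOVED=$(printf '%s\n' "$BEFORE" | sed 's/1700000000/1900000000/')

# range_fields NAME: read idrange-find output on stdin and print
# "<first posix id> <size> <base rid> <domain sid>" for the range called NAME.
range_fields() {
    awk -v want="$1" '
        /^ *Range name:/                   { cur = $NF; next }
        cur != want                        { next }
        /First Posix ID of the range:/     { base = $NF }
        /Number of IDs in the range:/      { size = $NF }
        /First RID of the corresponding/   { baserid = $NF }
        /Domain SID of the trusted domain/ { sid = $NF }
        END { if (base != "") print base, size, baserid, sid }'
}

# sid_to_uid SID BASEID SIZE BASERID DOMSID: algorithmic mapping for an AD
# trust range: uid = BASEID + (RID - BASERID). Fails (prints nothing) when the
# SID is not from DOMSID or the offset falls outside the range.
sid_to_uid() {
    rid=${1##*-}
    [ "${1%-*}" = "$5" ] || return 1
    offset=$((rid - $4))
    [ "$offset" -ge 0 ] && [ "$offset" -lt "$3" ] || return 1
    echo $(($2 + offset))
}

# uid_from_snapshot SID NAME SNAPSHOT: resolve SID through the range NAME
# found in SNAPSHOT; prints nothing if the range is missing or SID is outside it.
uid_from_snapshot() {
    printf '%s\n' "$3" | range_fields "$2" | (
        read base size baserid sid || exit 1
        sid_to_uid "$1" "$base" "$size" "$baserid" "$sid"
    )
}

# mapping_preserved SID NAME BEFORE AFTER: succeeds only if SID maps to the
# same POSIX ID in both snapshots.
mapping_preserved() {
    b=$(uid_from_snapshot "$1" "$2" "$3")
    a=$(uid_from_snapshot "$1" "$2" "$4")
    [ -n "$b" ] && [ "$b" = "$a" ]
}

USER_SID=$DOMSID-1105
mapping_preserved "$USER_SID" "$RANGE" "$BEFORE" "$AFTER_SAME" \
    && echo "range intact: $USER_SID -> $(uid_from_snapshot "$USER_SID" "$RANGE" "$BEFORE")"
mapping_preserved "$USER_SID" "$RANGE" "$BEFORE" "$AFTER_MOVED" \
    || echo "range changed: file ownership recorded for $USER_SID would no longer match"
```

The check is deliberately keyed on the trusted domain's SID and the range's first POSIX ID rather than on the range name: a range with the same name but a different base is exactly the failure that would silently re-map every file owned by a trusted user, so that is the case the second comparison is there to catch.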