On Sun, 19 Oct 2014, Genadi Postrilko wrote:
Hello all !

I am working on integrating IPA in a Microsoft dominated organization.
After playing around with Cross forest trust and Directory server
synchronization
i came to the conclusion that Trust is the right way to go. Because it
involves less configuration on AD side and its the direction
the development community is focusing on.

As i started discussing with AD administrators team, they expressed their
concerns on the two-way trust needed.

I have found the following thread in the freeipa archives:
https://www.redhat.com/archives/freeipa-users/2012-June/msg00206.html
where Simo Sorce explained why the two way trust is necessary.

But then this thread appeared:
https://www.redhat.com/archives/freeipa-users/2014-September/msg00276.html

The discussion in the thread helped me *a lot* (especially the summary
https://www.redhat.com/archives/freeipa-users/2014-September/msg00303.html)
to explain the AD team why two-way trust is necessary and *not *a security
risk.

After convincing them that two-way trust in necessary, they still have put
up a demand that the out-going AD->IPA trust authentication will be
configured as *Selective **authentication.*

Selective authentication is described as follows:
*"Windows will not automatically authenticate users form the specified
forest for any resources in the local forest. After you close this dialog.
grant individual access to each domain and server that you want to make
available to users in the specified forest."*

While the default is Forest- wide authentication:

*"Windows will automatically athenticate users from the specified forest
for the recourses in the local forest."*


Can this be done? Or it will break how IPA operates the trust?
I haven't tried it and my understanding is that it will break badly for
the same reason why AD->IPA trust path is required today but is not
presenting a security risk: as IPA side does not provide a way for AD to
map SIDs to user/group names, Windows management tools will not be able
to provide means to grant actual access rights to IPA principals.

We need to get host/ipa.master and HTTP/ipa.master principals to get
authenticated read only access to AD DC and LDAP servers. The problem
with granting this access in 'Selective authentication' case will
prevent the trust from working.

We are planning on implementing one-way trust in near future but it is
not there yet.

--
/ Alexander Bokovoy

--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go To http://freeipa.org for more info on the project

Reply via email to