On Tue, 31 Mar 2015, Petr Spacek wrote:
On 30.3.2015 18:00, Dmitri Pal wrote:
On 03/30/2015 11:12 AM, Srdjan Dutina wrote:

I'm testing FreeIPA (v4.1.3, Centos 7) - AD (2012 R2) trust on branch site
where only AD read-only domain controller (RODC) exists.
I'm aware that for initial establishing of trust I need access to writable
domain controller so IPA can add trust to AD domains and trusts.
But after initial setup, can FreeIPA-AD trust continue to function with IPA
access to RODC only?

Should work.

Will Kerberos authentication of AD users on IPA domain hosts work?
In this case, FreeIPA server should have DNS forward zone configured with
RODC as a forwarder to AD?

It should not matter as long as the forwarder knows how to resolve all the DNS
names. General advice is to pick nearest server if you have access to it and
add couple other servers to enable fail-over (if the nearest server fails for
some reason).
In general, user identity lookup for trusted AD users happens via IPA
masters -- each IPA client would delegate lookup to IPA master and that
one would use closest site discovered in AD to do the lookup.

With authentication we are in a bit more complex situation. GSSAPI
authentication assumes your Windows client comes already with a service
ticket to an IPA client's service. The ticket is obtained by Windows
client by first obtaining cross-realm TGT from AD DC and then using this
TGT to ask for a service ticket from IPA master (KDC). The latter ticket
is then presented to an IPA client's service.

When AD user attempts to use their password directly, IPA client will be
talking to a discovered AD DC to validate the password and authenticate
the user. At this step discovery of AD DC for Kerberos purposes is not
done based on site locality, SSSD still has some open ticket to do that
if I remember correctly.
/ Alexander Bokovoy

Manage your subscription for the Freeipa-users mailing list:
Go to http://freeipa.org for more info on the project

Reply via email to