On Fri, Jul 31, 2015 at 09:23:53AM -0500, Dan Mossor wrote:
> On 07/31/2015 02:52 AM, Sumit Bose wrote:
> >
> >Thank you for the detailed analysis. I guess the 'server was
> >inaccessible' error is due to the fact that currently FreeIPA does not
> >have a global catalog, because Windows typically tries to get SIDs from
> >remote objects from the Global Catalog.
> >
> >>
> >>So, to those of y'all that operate in secure environments, what trick do you
> >>use to fully integrate IPA and Active Directory?
> >
> >With FreeIPA-4.2 the one-way trust feature is introduced. The main
> >difference to the current scheme is that with one-way trust the FreeIPA
> >server does not use its host credentials (host keytab) from the IPA
> >domain to access the AD DC but uses the trusted domain user
> >(IPADOM$@AD.DOMAIN) to access the AD DC. Since this is an object from
> >the AD domain it should be possible to assign the needed permissions to
> >this object.
> >
> >Currently I have no idea how this can be solved with older version.
> >Maybe there is a toll on the Windows side which lets you add SIDs
> >manually into the "Access this computer from the network" policy? If
> >there is one you can try to add IPA-SID-515 (where you have to replace
> >IPA-SID by the IPA domain SID).
> >
> >HTH
> >
> >bye,
> >Sumit
> >
> I didn't think the SID was even being evaluated - the authentication being
> attempted was through Kerberos, which I uderstand only uses host keytabs,
> not SIDs. Am I correct in this situation?

yes and no :-) The keytab is used to get a TGT and then a cross-realm
TGT from the IPA KDC. The IPA KDC will add a PAC to the TGTs which
contains additional authorization data including SIDs. The PAC is then
used on the Windows side to evaluate if access is granted or not.


> Dan
> -- 
> Dan Mossor, RHCSA
> Systems Engineer
> Fedora Server WG | Fedora KDE WG | Fedora QA Team
> Fedora Infrastructure Apprentice
> FAS: dmossor IRC: danofsatx
> San Antonio, Texas, USA

Manage your subscription for the Freeipa-users mailing list:
Go to http://freeipa.org for more info on the project

Reply via email to