Thank you for the detailed analysis. I guess the 'server was
inaccessible' error is due to the fact that currently FreeIPA does not
have a global catalog, because Windows typically tries to get SIDs from
remote objects from the Global Catalog.

So, to those of y'all that operate in secure environments, what trick do you
use to fully integrate IPA and Active Directory?

With FreeIPA-4.2 the one-way trust feature is introduced. The main
difference to the current scheme is that with one-way trust the FreeIPA
server does not use its host credentials (host keytab) from the IPA
domain to access the AD DC but uses the trusted domain user
(IPADOM$@AD.DOMAIN) to access the AD DC. Since this is an object from
the AD domain it should be possible to assign the needed permissions to
this object.

Currently I have no idea how this can be solved with older versions.
Maybe there is a tool on the Windows side which lets you add SIDs
manually into the "Access this computer from the network" policy? If
there is one you can try to add IPA-SID-515 (where you have to replace
IPA-SID by the IPA domain SID).
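As an added illustration (not part of the thread or of FreeIPA/Windows documentation), one Windows-side tool that accepts raw SIDs for that policy is secedit: the exported policy file lists user rights such as SeNetworkLogonRight ("Access this computer from the network") as comma-separated `*SID` entries, so an unresolvable SID can be granted without the DC having to look it up. The script below exports the local policy, checks whether the IPA "Domain Computers" SID (domain SID plus RID 515) is already present, and appends it if not. `$IpaDomainSid` is a placeholder that must be replaced with the real IPA domain SID; paths and the use of `/areas USER_RIGHTS` are assumptions of this example.

```powershell
# Added example: grant SeNetworkLogonRight to an IPA SID by editing the
# exported local security policy with secedit. Run in an elevated shell.
# The domain SID below is a placeholder, not a real value.
$IpaDomainSid       = 'S-1-5-21-PLACEHOLDER-PLACEHOLDER-PLACEHOLDER'
$DomainComputersSid = "$IpaDomainSid-515"   # RID 515 = Domain Computers

$cfg = Join-Path $env:TEMP 'secpol.inf'   # assumed scratch paths
$db  = Join-Path $env:TEMP 'secpol.sdb'

# 1. Export only the user-rights area of the current policy.
secedit /export /cfg $cfg /areas USER_RIGHTS /quiet | Out-Null

# 2. Locate the SeNetworkLogonRight line and parse its SID list.
$lines = Get-Content -Path $cfg
$match = $lines | Select-String -Pattern '^SeNetworkLogonRight\s*=' | Select-Object -First 1
if ($null -eq $match) { throw 'SeNetworkLogonRight not present in export' }
$idx     = $match.LineNumber - 1
$current = ($lines[$idx] -split '=', 2)[1].Trim()
$entries = $current -split ',' | ForEach-Object { $_.Trim() }
Write-Host "Current SeNetworkLogonRight: $current"

# 3. Append the IPA SID (secedit expects a leading '*' before raw SIDs)
#    and re-import the modified user-rights area.
if ($entries -contains "*$DomainComputersSid") {
    Write-Host "$DomainComputersSid already holds SeNetworkLogonRight"
} else {
    $lines[$idx] = "SeNetworkLogonRight = $current,*$DomainComputersSid"
    Set-Content -Path $cfg -Value $lines -Encoding Unicode
    secedit /configure /db $db /cfg $cfg /areas USER_RIGHTS /quiet | Out-Null
    Write-Host "Granted SeNetworkLogonRight to $DomainComputersSid"
}
```

Note that on a domain controller this right is normally governed by the Default Domain Controllers Policy, so a local edit can be overwritten at the next Group Policy refresh; the same `*SID` syntax can be entered in the GPO's user rights assignment instead. Whether the DC then honours a SID it cannot resolve is exactly the open question in the message above; the script only shows how to get the SID into the policy.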



I didn't think the SID was even being evaluated - the authentication being
attempted was through Kerberos, which I understand only uses host keytabs,
not SIDs. Am I correct in this situation?

Yes and no :-) The keytab is used to get a TGT and then a cross-realm
TGT from the IPA KDC. The IPA KDC will add a PAC to the TGTs which
contains additional authorization data including SIDs. The PAC is then
used on the Windows side to evaluate if access is granted or not.


Building on what you said regarding the one-way trust, I already have an IPA user in Active Directory that I created when I was initially setting this up as a synchronized domain instead of a trust.

There are two ways I can go here - I can either revert back to the password sync and replication, or somehow convince IPA to use that user for the trust relationship. I suspect it will be impossible without a patch to use a user account instead of Kerberos for the trust, so that leaves going back to the replication setup.

The latter is impossible. You can try FreeIPA 4.2 with one-way trust
once it becomes available to your platform.

I asked on this list two weeks ago if anyone is interested in seeing
FreeIPA 4.2 released for CentOS in a test repo before it comes via the
official path after release of the next Red Hat Enterprise Linux update.
Today I have received zero responses, which leaves me puzzled.

/ Alexander Bokovoy

