On Wed, 17 Aug 2016, Jan Karásek wrote:
Hi,
please could somebody explain how and with which account IPA is
accessing DC in IPA - AD trust scenario. Is it possible to simulate
with ldapsearch some query to AD with the same permission as IPA
server?
Depends on what trust we have. For two-way trust SSSD on IPA masters
uses host/[email protected] principal because we map it to a
SID with a special well-known RID 'Domain Computers' (-515) and attach
an MS-PAC record to the TGT issued for this service principal.
For one-way trust SSSD on IPA masters uses a so-called TDO account. These
are special accounts in AD domains which look like a machine account
(FOO$) but instead use the NetBIOS name of the trusted forest and have
specific attributes associated with them.
We have some issues with reading ldap object from AD and I would like
to simulate that from command line.
Simplest way is to do something like this on IPA master for one-way
trust:
# klist -kt /var/lib/sss/keytabs/<trust>.keytab
notice the principal name there, let's say it is NAME$@TRUST
# kinit -kt /var/lib/sss/keytabs/<trust>.keytab 'NAME$@TRUST'
# ldapsearch -H ad.dc -Y GSSAPI ....
For two-way trust it is enough to kinit as IPA master host principal:
# kinit -k
# ldapsearch -H ad.dc -Y GSSAPI ...
--
/ Alexander Bokovoy
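As an added example (not code from the thread or the FreeIPA project), the one-way-trust procedure above as a small shell script: it picks the TDO principal (NAME$@TRUST) out of the `klist -kt` listing, then does the kinit and the GSSAPI ldapsearch with it. The keytab path is the one from the thread; the trust name, DC host name, search base, filter and the sample klist output are constructed placeholders.

```shell
# Constructed sample of `klist -kt /var/lib/sss/keytabs/<trust>.keytab`
# output, used only to exercise the parser offline.
SAMPLE_KLIST='Keytab name: FILE:/var/lib/sss/keytabs/ad.example.com.keytab
KVNO Timestamp           Principal
---- ------------------- -----------------------------------------------
   2 08/17/2016 10:00:00 IPA$@AD.EXAMPLE.COM
   2 08/17/2016 10:00:00 IPA$@AD.EXAMPLE.COM'

# Read a `klist -kt` listing on stdin and print the first principal that
# looks like a machine-style TDO account (NAME$@REALM). Header lines never
# contain "$@", so they are skipped automatically.
tdo_principal_from_klist() {
    awk '$NF ~ /\$@/ { print $NF; exit }'
}

# Parser check on the constructed sample; returns the principal found.
demo_parse() {
    printf '%s\n' "$SAMPLE_KLIST" | tdo_principal_from_klist
}

# The real procedure from the thread, for a one-way trust:
#   simulate_sssd_ad_lookup ad.example.com dc1.ad.example.com \
#       'DC=ad,DC=example,DC=com' '(sAMAccountName=jdoe)'
simulate_sssd_ad_lookup() {
    trust="$1"; dc="$2"; base="$3"; filter="$4"
    keytab="/var/lib/sss/keytabs/${trust}.keytab"   # path from the thread

    princ=$(klist -kt "$keytab" | tdo_principal_from_klist)
    [ -n "$princ" ] || { echo "no TDO principal in $keytab" >&2; return 1; }

    # Private credential cache so root's own ticket is not overwritten.
    KRB5CCNAME="FILE:$(mktemp)"; export KRB5CCNAME
    kinit -kt "$keytab" "$princ" || return 1      # quoting keeps the $ intact

    # Same SASL/GSSAPI bind SSSD would use; attributes are an assumption.
    ldapsearch -H "ldap://$dc" -Y GSSAPI -b "$base" "$filter" \
        sAMAccountName objectSid memberOf
    rc=$?
    kdestroy -q 2>/dev/null
    return $rc
}
```

If the search fails with the TDO principal but works with an ordinary user, the permission problem is on the AD side of the TDO account, not in the IPA server itself.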
--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project