On Wed, 17 Aug 2016, Jan Karásek wrote:

please could somebody explain how and and with which account IPA is
accessing DC in IPA - AD trust scenario. Is is possible to simulate
with ldapsearch some query to AD with the same permission as IPA
Depends on what trust we have. For two-way trust SSSD on IPA masters
uses host/master.ipa.domain@IPA.DOMAIN principal because we map it to a
SID with a special well-known RID 'Domain Computers' (-515) and attach
an MS-PAC record to the TGT issued for this service principal.

For one-way trust SSSD on IPA masters uses so-called TDO account. These
are special accounts in AD domains which look like a machine account
(FOO$) but instead use NetBIOS name of the trusted forest and have
specific attributes associated with it.

We have some issues with reading ldap object from AD and I would like
to simulate that from command line.

Simplest way is to do something like this on IPA master for one-way

# klist -kt /var/lib/sss/keytabs/<trust>.keytab

notice the principal name there, let's say it is NAME$@TRUST

# kinit -kt /var/lib/sss/keytabs/<trust>.keytab 'NAME$@TRUST'
# ldapsearch -H ad.dc -Y GSSAPI ....

For two-way trust it is enough to kinit as IPA master host principal:

# kinit -k
# ldapsearch -H ad.dc -Y GSSAPI ...

/ Alexander Bokovoy

Manage your subscription for the Freeipa-users mailing list:
Go to http://freeipa.org for more info on the project

Reply via email to