thank you. We are experiencing problems with LDAP access from IPA servers in 
IPA-AD scenario with one-way trust (Win 2012). 

So for ldap access IPA uses the xyz$@domain special trust account. According my 
lab - this account is on the AD side considered as a member of Authenticated 
users group. By default Authenticated users are member of group Pre-Windows 
2000 Compatible Access, and this group have read permission on object type User 
and therefore IPA is able to read POSIX attributes from these objects. (tested 
in my lab environment) 

In our case - due to security team - there is no possibility for Authenticated 
users to read user's objects - and then IPA is unable to read objects from AD 
ldap. So we have situation, where kerberos works OK but we are not able to get 
POSIX attributes from ldap. 

This situation could have been solved by adding read permission directly to the 
IPA access account(TDO), but unfortunately it looks like it is not possible. 

Questions : 

1. Do the IPA depends on ability of Authenticated users group to access user's 
objects attributes ? 
2. Is it possible to setup some other "standard" service account for IPA access 
to AD ldap ? 

Thank you, 

From: "Alexander Bokovoy" <aboko...@redhat.com> 
To: "Jan Karásek" <jan.kara...@elostech.cz> 
Cc: freeipa-users@redhat.com 
Sent: Wednesday, August 17, 2016 4:12:28 PM 
Subject: Re: [Freeipa-users] IPA-AD ldap acces - account ? 

On Wed, 17 Aug 2016, Jan Karásek wrote: 
>please could somebody explain how and and with which account IPA is 
>accessing DC in IPA - AD trust scenario. Is is possible to simulate 
>with ldapsearch some query to AD with the same permission as IPA 
Depends on what trust we have. For two-way trust SSSD on IPA masters 
uses host/master.ipa.domain@IPA.DOMAIN principal because we map it to a 
SID with a special well-known RID 'Domain Computers' (-515) and attach 
an MS-PAC record to the TGT issued for this service principal. 

For one-way trust SSSD on IPA masters uses so-called TDO account. These 
are special accounts in AD domains which look like a machine account 
(FOO$) but instead use NetBIOS name of the trusted forest and have 
specific attributes associated with it. 

>We have some issues with reading ldap object from AD and I would like 
>to simulate that from command line. 

Simplest way is to do something like this on IPA master for one-way 

# klist -kt /var/lib/sss/keytabs/<trust>.keytab 

notice the principal name there, let's say it is NAME$@TRUST 

# kinit -kt /var/lib/sss/keytabs/<trust>.keytab 'NAME$@TRUST' 
# ldapsearch -H ad.dc -Y GSSAPI .... 

For two-way trust it is enough to kinit as IPA master host principal: 

# kinit -k 
# ldapsearch -H ad.dc -Y GSSAPI ... 

/ Alexander Bokovoy 
Manage your subscription for the Freeipa-users mailing list:
Go to http://freeipa.org for more info on the project

Reply via email to