thank you. We are experiencing problems with LDAP access from IPA servers in
an IPA-AD scenario with one-way trust (Win 2012).
So for LDAP access IPA uses the xyz$@domain special trust account. According to my
lab, this account is on the AD side considered a member of the Authenticated
Users group. By default Authenticated Users are members of the group Pre-Windows
2000 Compatible Access, and this group has read permission on object type User,
and therefore IPA is able to read POSIX attributes from these objects (tested
in my lab environment).
In our case, due to the security team, there is no possibility for Authenticated
Users to read user objects, and then IPA is unable to read objects from AD
LDAP. So we have a situation where Kerberos works OK but we are not able to get
POSIX attributes from LDAP.
This situation could have been solved by adding read permission directly to the
IPA access account (TDO), but unfortunately it looks like it is not possible.
1. Does IPA depend on the ability of the Authenticated Users group to access user
object attributes?
2. Is it possible to set up some other "standard" service account for IPA access
to AD LDAP?
From: "Alexander Bokovoy" <aboko...@redhat.com>
To: "Jan Karásek" <jan.kara...@elostech.cz>
Sent: Wednesday, August 17, 2016 4:12:28 PM
Subject: Re: [Freeipa-users] IPA-AD ldap acces - account ?
On Wed, 17 Aug 2016, Jan Karásek wrote:
>please could somebody explain how and with which account IPA is
>accessing DC in IPA - AD trust scenario. Is it possible to simulate
>with ldapsearch some query to AD with the same permission as IPA
Depends on what trust we have. For two-way trust SSSD on IPA masters
uses host/master.ipa.domain@IPA.DOMAIN principal because we map it to a
SID with a special well-known RID 'Domain Computers' (-515) and attach
an MS-PAC record to the TGT issued for this service principal.
For one-way trust SSSD on IPA masters uses the so-called TDO account. These
are special accounts in AD domains which look like a machine account
(FOO$) but instead use the NetBIOS name of the trusted forest and have
specific attributes associated with them.
>We have some issues with reading ldap object from AD and I would like
>to simulate that from command line.
Simplest way is to do something like this on IPA master for one-way
# klist -kt /var/lib/sss/keytabs/<trust>.keytab
notice the principal name there, let's say it is NAME$@TRUST
# kinit -kt /var/lib/sss/keytabs/<trust>.keytab 'NAME$@TRUST'
# ldapsearch -H ad.dc -Y GSSAPI ....
For two-way trust it is enough to kinit as IPA master host principal:
# kinit -k
# ldapsearch -H ad.dc -Y GSSAPI ...
/ Alexander Bokovoy
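The one-way-trust procedure above (read the TDO principal from the SSSD keytab, kinit with it, query the DC over GSSAPI), put together as an added example script that is not from the thread or from the FreeIPA project, and extended with the check Jan needs: whether the POSIX attributes are actually readable with the TDO account's permissions. Trust name, DC host, search base and the sample user are placeholders, and the keytab path /var/lib/sss/keytabs/<trust>.keytab is assumed to follow the form shown in the reply.

```shell
# Added example: reproduce SSSD's LDAP access to AD from an IPA master in a
# one-way trust and check whether POSIX attributes are readable.
# Assumed placeholders: trust "ad.example.com", DC "dc1.ad.example.com",
# base "DC=ad,DC=example,DC=com", test user "jdoe".

# Pull the first TDO principal (NAME$@TRUST) out of `klist -kt` output.
# Keytab lines look like "   2 08/17/2016 14:12:28 IPA$@AD.EXAMPLE.COM".
tdo_principal_from_klist() {
    awk '/\$@/ { print $NF; exit }'
}

# Constructed klist output, so the parser can be exercised without a keytab.
sample_klist_output() {
    cat <<'EOF'
Keytab name: FILE:/var/lib/sss/keytabs/ad.example.com.keytab
KVNO Timestamp           Principal
---- ------------------- ------------------------------------------------------
   2 08/17/2016 14:12:28 IPA$@AD.EXAMPLE.COM
   2 08/17/2016 14:12:28 IPA$@AD.EXAMPLE.COM
EOF
}

# check_posix_read <trust> <dc> <base> <sAMAccountName>
# Returns 0 when uidNumber comes back (TDO account can read the user object),
# 1 when the search succeeds but no uidNumber is returned (Kerberos works,
# LDAP read denied: the symptom described in the thread), 2 on setup errors.
check_posix_read() {
    trust="$1"; dc="$2"; base="$3"; sam="$4"
    keytab="/var/lib/sss/keytabs/${trust}.keytab"   # assumed path form
    princ=$(klist -kt "$keytab" | tdo_principal_from_klist)
    [ -n "$princ" ] || { echo "no NAME\$@TRUST principal in $keytab" >&2; return 2; }
    # Authenticate exactly as SSSD does: with the TDO keytab, not a user.
    kinit -kt "$keytab" "$princ" || return 2
    out=$(ldapsearch -LLL -H "ldap://$dc" -Y GSSAPI -b "$base" \
          "(sAMAccountName=$sam)" \
          uidNumber gidNumber loginShell unixHomeDirectory 2>/dev/null) || return 2
    echo "$out"
    echo "$out" | grep -q '^uidNumber:'
}

# Example call on a real master (commented out so the script stays inert):
# check_posix_read ad.example.com dc1.ad.example.com DC=ad,DC=example,DC=com jdoe
```

If the call returns 1 while a user-DN bind to the same DC shows uidNumber, the difference is the ACL on the user objects, which is the Authenticated Users / Pre-Windows 2000 Compatible Access question raised above.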