On Thu, 18 Aug 2016, Jan Karásek wrote:
Hi,
thank you. We are experiencing problems with LDAP access from IPA
servers in an IPA-AD scenario with one-way trust (Win 2012).

So for ldap access IPA uses the xyz$@domain special trust account.
According to my lab - this account is on the AD side considered a
member of the Authenticated Users group. By default Authenticated Users are
members of the group Pre-Windows 2000 Compatible Access, and this group has
read permission on object type User and therefore IPA is able to read
POSIX attributes from these objects. (tested in my lab environment)

In our case - due to the security team - there is no possibility for
Authenticated Users to read user objects - and then IPA is unable to
read objects from AD ldap. So we have a situation where Kerberos works
OK but we are not able to get POSIX attributes from ldap.
Create a group that could be granted such access, add TDO object there.

This situation could have been solved by adding read permission
directly to the IPA access account (TDO), but unfortunately it looks
like it is not possible.
Why is it not possible? The account is in AD, one can always grant
it more permissions there.


Questions:

1. Does IPA depend on the ability of the Authenticated Users group to access
users' object attributes?
At the very least, yes. Otherwise you need to grant more permissions to
the TDO account in AD, even though you cannot directly get access to the
account from non-advanced UI view. However, even Samba 'net' utility
works fine:

1. Create a group in the forest root domain:
# net rpc group add trust-rpc-readonly -S w12.ad.test -UAdministrator%PASSWORD

2. Add our TDO object to the group:
# net rpc group addmem trust-rpc-readonly 'IPAAD$' -S w12.ad.test -UAdministrator%PASSWORD

3. Check that the TDO object is part of the group:
# net rpc group members trust-rpc-readonly -S w12.ad.test -UAdministrator%PASSWORD
AD\IPAAD$

Now you can go to UI and assign specific privileges to the group.

2. Is it possible to set up some other "standard" service account for
IPA access to AD ldap?
No.


Thank you,
Jan



From: "Alexander Bokovoy" <aboko...@redhat.com>
To: "Jan Karásek" <jan.kara...@elostech.cz>
Cc: freeipa-users@redhat.com
Sent: Wednesday, August 17, 2016 4:12:28 PM
Subject: Re: [Freeipa-users] IPA-AD ldap acces - account ?

On Wed, 17 Aug 2016, Jan Karásek wrote:
Hi,

please could somebody explain how and with which account IPA is
accessing the DC in the IPA - AD trust scenario. Is it possible to simulate
with ldapsearch some query to AD with the same permissions as the IPA
server?
Depends on what trust we have. For two-way trust SSSD on IPA masters
uses host/master.ipa.domain@IPA.DOMAIN principal because we map it to a
SID with a special well-known RID 'Domain Computers' (-515) and attach
an MS-PAC record to the TGT issued for this service principal.

For one-way trust SSSD on IPA masters uses the so-called TDO account. These
are special accounts in AD domains which look like a machine account
(FOO$) but instead use the NetBIOS name of the trusted forest and have
specific attributes associated with them.

We have some issues with reading ldap object from AD and I would like
to simulate that from command line.

The simplest way is to do something like this on an IPA master for one-way
trust:

# klist -kt /var/lib/sss/keytabs/<trust>.keytab

notice the principal name there, let's say it is NAME$@TRUST

# kinit -kt /var/lib/sss/keytabs/<trust>.keytab 'NAME$@TRUST'
# ldapsearch -H ad.dc -Y GSSAPI ....

For two-way trust it is enough to kinit as IPA master host principal:

# kinit -k
# ldapsearch -H ad.dc -Y GSSAPI ...


--
/ Alexander Bokovoy

--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project


--
/ Alexander Bokovoy
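The kinit/ldapsearch replay described above, combined with a check for the POSIX attributes that the group-permission procedure is meant to expose, as an added example that is not part of the thread. The keytab path, DC hostname, search base and the sample klist/LDIF text are placeholders or constructed data, not values from the list.

```shell
#!/bin/sh
# Added example, not code from the thread: replay the one-way-trust LDAP access
# that SSSD performs on an IPA master and report which POSIX attributes the TDO
# account cannot read. Keytab path, DC name and search base are placeholders.

# Extract the TDO principal (NAME$@TRUST) from `klist -kt` output.
tdo_principal_from_klist() {
    printf '%s\n' "$1" | awk '$NF ~ /\$@/ { print $NF; exit }'
}

# Print each RFC2307 attribute absent from an LDIF result, one per line;
# exit status 1 when at least one is missing (denied read or simply unset).
posix_attrs_missing() {
    status=0
    for attr in uidNumber gidNumber unixHomeDirectory loginShell; do
        if ! printf '%s\n' "$1" | grep -qi "^$attr:"; then
            echo "$attr"
            status=1
        fi
    done
    return $status
}

# Live check: kinit with the TDO keytab and search as SSSD would (GSSAPI bind).
live_check() {
    keytab=/var/lib/sss/keytabs/TRUST.keytab   # placeholder: your trust's keytab
    dc=ad.dc                                   # placeholder: a DC of the trusted domain
    base='DC=ad,DC=test'                       # placeholder: domain search base
    princ=$(tdo_principal_from_klist "$(klist -kt "$keytab")")
    kinit -kt "$keytab" "$princ"
    ldif=$(ldapsearch -LLL -H "ldap://$dc" -Y GSSAPI -b "$base" \
        "(sAMAccountName=$1)" uidNumber gidNumber unixHomeDirectory loginShell)
    posix_attrs_missing "$ldif"
}

# Constructed sample output, used to exercise the parsers offline.
SAMPLE_KLIST='Keytab name: FILE:/var/lib/sss/keytabs/ad.test.keytab
KVNO Timestamp           Principal
---- ------------------- ------------------------------
   2 08/17/2016 16:12:28 IPAAD$@AD.TEST'
SAMPLE_LDIF='dn: CN=jdoe,CN=Users,DC=ad,DC=test
uidNumber: 10001
gidNumber: 10001'
if [ "${1-}" = "--live" ]; then
    live_check "${2:?username}"
else
    echo "TDO principal: $(tdo_principal_from_klist "$SAMPLE_KLIST")"
    posix_attrs_missing "$SAMPLE_LDIF" || echo "(missing attributes listed above)"
fi
```

Run with `--live <sAMAccountName>` on an IPA master to test the real trust; with no arguments it only exercises the parsers on the constructed samples.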
