Great! Thank you very much. It works!


From: "Alexander Bokovoy" <> 
To: "Jan Karásek" <> 
Sent: Thursday, August 18, 2016 4:03:14 PM 
Subject: Re: [Freeipa-users] IPA-AD ldap acces - account ? 

On Thu, 18 Aug 2016, Jan Karásek wrote: 
>thank you. We are experiencing problems with LDAP access from IPA 
>servers in an IPA-AD scenario with one-way trust (Win 2012). 
>So for ldap access IPA uses the xyz$@domain special trust account. 
>According to my lab - this account is on the AD side considered as a 
>member of the Authenticated Users group. By default Authenticated Users are 
>members of the group Pre-Windows 2000 Compatible Access, and this group has 
>read permission on object type User and therefore IPA is able to read 
>POSIX attributes from these objects. (tested in my lab environment) 
>In our case - due to security team - there is no possibility for 
>Authenticated Users to read user objects - and then IPA is unable to 
>read objects from AD ldap. So we have a situation where kerberos works 
>OK but we are not able to get POSIX attributes from ldap. 
Create a group that could be granted such access, add TDO object there. 

>This situation could have been solved by adding read permission 
>directly to the IPA access account(TDO), but unfortunately it looks 
>like it is not possible. 
Why is it not possible? The account is in AD, one can always grant 
it more permissions there. 

>Questions : 
>1. Does IPA depend on the ability of the Authenticated Users group to access 
>user object attributes? 
At the very least, yes. Otherwise you need to grant more permissions to 
the TDO account in AD, even though you cannot directly get access to the 
account from the non-advanced UI view. However, even the Samba 'net' utility 
works fine: 

1. Create a group in the forest root domain: 
# net rpc group add trust-rpc-readonly -S -UAdministrator%PASSWORD 

2. Add our TDO object to the group: 
# net rpc group addmem trust-rpc-readonly 'IPAAD$' -S -UAdministrator%PASSWORD 

3. Check that the TDO object is part of the group: 
# net rpc group members trust-rpc-readonly -S -UAdministrator%PASSWORD 

Now you can go to UI and assign specific privileges to the group. 

>2. Is it possible to set up some other "standard" service account for 
>IPA access to AD ldap? 

>Thank you, 
>From: "Alexander Bokovoy" <> 
>To: "Jan Karásek" <> 
>Sent: Wednesday, August 17, 2016 4:12:28 PM 
>Subject: Re: [Freeipa-users] IPA-AD ldap acces - account ? 
>On Wed, 17 Aug 2016, Jan Karásek wrote: 
>>please could somebody explain how and with which account IPA is 
>>accessing DC in IPA - AD trust scenario. Is it possible to simulate 
>>with ldapsearch some query to AD with the same permission as IPA 
>Depends on what trust we have. For two-way trust SSSD on IPA masters 
>uses host/master.ipa.domain@IPA.DOMAIN principal because we map it to a 
>SID with a special well-known RID 'Domain Computers' (-515) and attach 
>an MS-PAC record to the TGT issued for this service principal. 
>For one-way trust SSSD on IPA masters uses so-called TDO account. These 
>are special accounts in AD domains which look like a machine account 
>(FOO$) but instead use NetBIOS name of the trusted forest and have 
>specific attributes associated with them. 
>>We have some issues with reading ldap object from AD and I would like 
>>to simulate that from command line. 
>Simplest way is to do something like this on IPA master for one-way 
># klist -kt /var/lib/sss/keytabs/<trust>.keytab 
>notice the principal name there, let's say it is NAME$@TRUST 
># kinit -kt /var/lib/sss/keytabs/<trust>.keytab 'NAME$@TRUST' 
># ldapsearch -H ldap://ad.dc -Y GSSAPI .... 
>For two-way trust it is enough to kinit as IPA master host principal: 
># kinit -k 
># ldapsearch -H ldap://ad.dc -Y GSSAPI ... 
>/ Alexander Bokovoy 

>Manage your subscription for the Freeipa-users mailing list: 
>Go to for more info on the project 

/ Alexander Bokovoy 
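As an added example (not from the thread, and not FreeIPA or SSSD code), the diagnostic Alexander describes for the one-way case packaged into a script: find the TDO principal in the trust keytab, kinit as it, search one AD user for its POSIX attributes, and then classify the result so that "kinit works but AD withholds the attributes" (the situation in the thread, and what the trust-rpc-readonly group grant is meant to fix) is reported separately from a Kerberos or connectivity failure. The keytab location follows the thread; the DC name, base DN, RFC2307 attribute names and the sample klist/LDIF text are my assumptions, constructed so the parsers can be exercised offline without a domain controller.

```shell
#!/bin/bash
# Added example, not from the thread: check whether the account SSSD uses for a
# one-way trust (the TDO, NAME$@TRUST) can read POSIX attributes from AD over
# LDAP, and tell a Kerberos failure apart from an AD ACL failure.
# Assumptions (mine, not stated in the thread): the trust keytab lives under
# /var/lib/sss/keytabs/, the AD user carries RFC2307 attributes (uidNumber,
# gidNumber, unixHomeDirectory, loginShell), and the sample klist/LDIF text
# below is constructed for the offline self-test.

# Pick the TDO principal (the machine-style name "SOMETHING$@REALM") out of
# `klist -kt` output read from stdin; entry lines are KVNO, date, time, principal.
tdo_principal_from_klist() {
    awk 'NF >= 4 && index($NF, "$@") > 0 { print $NF; exit }'
}

# LDAP filter for one AD user by sAMAccountName.
posix_filter() {
    printf '(&(objectClass=user)(sAMAccountName=%s))' "$1"
}

# Classify LDIF read from stdin:
#   no-entry        the search returned nothing: the TDO cannot even see the
#                   object (or the user does not exist)
#   no-posix-attrs  the entry is visible but the RFC2307 attributes were
#                   withheld by the ACL
#   ok              uidNumber and gidNumber came back
classify_ldif() {
    awk '
        /^dn: /        { entries++ }
        /^uidNumber: / { uid++ }
        /^gidNumber: / { gid++ }
        END {
            if (entries == 0)              print "no-entry"
            else if (uid == 0 || gid == 0) print "no-posix-attrs"
            else                           print "ok"
        }'
}

# Live check (needs the keytab and network access to a DC):
#   check_posix_attrs KEYTAB DC_FQDN BASE_DN SAMACCOUNTNAME
# Returns 2 if no TDO principal is in the keytab, 3 if kinit fails,
# otherwise ldapsearch's exit status, with the LDIF on stdout.
check_posix_attrs() {
    local keytab="$1" dc="$2" basedn="$3" user="$4" princ
    princ=$(klist -kt "$keytab" | tdo_principal_from_klist)
    [ -n "$princ" ] || { echo "no TDO principal found in $keytab" >&2; return 2; }
    # Same credentials SSSD uses for the one-way trust.
    kinit -kt "$keytab" "$princ" || return 3
    # -Q silences the SASL chatter, -LLL gives bare LDIF, no line wrapping.
    ldapsearch -LLL -Q -o ldif-wrap=no -H "ldap://$dc" -Y GSSAPI -b "$basedn" \
        "$(posix_filter "$user")" uidNumber gidNumber unixHomeDirectory loginShell
}

# Constructed sample data for the offline self-test (not real output).
SAMPLE_KLIST='Keytab name: FILE:/var/lib/sss/keytabs/ad.example.com.keytab
KVNO Timestamp           Principal
---- ------------------- ------------------------------------------------------
   3 08/18/2016 12:00:00 IPAAD$@AD.EXAMPLE.COM
   3 08/18/2016 12:00:00 IPAAD$@AD.EXAMPLE.COM'
SAMPLE_LDIF_OK='dn: CN=jkarasek,CN=Users,DC=ad,DC=example,DC=com
uidNumber: 10001
gidNumber: 10001
unixHomeDirectory: /home/jkarasek
loginShell: /bin/bash'
SAMPLE_LDIF_DENIED='dn: CN=jkarasek,CN=Users,DC=ad,DC=example,DC=com'

if [ "$#" -eq 4 ]; then
    if out=$(check_posix_attrs "$@"); then
        printf '%s\n' "$out" | classify_ldif
    else
        echo "kinit/ldapsearch failed: a Kerberos or connectivity problem, not an ACL one" >&2
        exit 1
    fi
else
    # No arguments: exercise the parsers on the constructed samples.
    printf '%s\n' "$SAMPLE_KLIST" | tdo_principal_from_klist
    printf '%s\n' "$SAMPLE_LDIF_OK" | classify_ldif
    printf '%s\n' "$SAMPLE_LDIF_DENIED" | classify_ldif
fi
```

Run it on an IPA master as `./tdo-check.sh /var/lib/sss/keytabs/ad.example.com.keytab dc1.ad.example.com DC=ad,DC=example,DC=com jkarasek` (names assumed) before and after granting the group containing the TDO read access in AD: a successful kinit followed by `no-entry` or `no-posix-attrs` is the ACL problem from the thread, while a non-zero exit before any LDIF is a Kerberos or network problem and no amount of AD permission changes will help.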