Great! Thank you very much. It works!
From: "Alexander Bokovoy" <aboko...@redhat.com>
To: "Jan Karásek" <jan.kara...@elostech.cz>
Sent: Thursday, August 18, 2016 4:03:14 PM
Subject: Re: [Freeipa-users] IPA-AD ldap acces - account ?
On Thu, 18 Aug 2016, Jan Karásek wrote:
>thank you. We are experiencing problems with LDAP access from IPA
>servers in IPA-AD scenario with one-way trust (Win 2012).
>So for ldap access IPA uses the xyz$@domain special trust account.
>According to my lab, this account is on the AD side considered a
>member of the Authenticated Users group. By default Authenticated Users is a
>member of the group Pre-Windows 2000 Compatible Access, and this group has
>read permission on the object type User, and therefore IPA is able to read
>POSIX attributes from these objects (tested in my lab environment).
>In our case, due to the security team, there is no possibility for
>Authenticated Users to read user objects, and then IPA is unable to
>read objects from AD LDAP. So we have a situation where Kerberos works
>OK but we are not able to get POSIX attributes from LDAP.
Create a group that could be granted such access and add the TDO object there.
>This situation could have been solved by adding read permission
>directly to the IPA access account (TDO), but unfortunately it looks
>like it is not possible.
Why is it not possible? The account is in AD, one can always grant
it more permissions there.
>1. Does IPA depend on the ability of the Authenticated Users group to access
>user objects' attributes?
At the very least, yes. Otherwise you need to grant more permissions to
the TDO account in AD, even though you cannot directly get access to the
account from the non-advanced UI view. However, even the Samba 'net' utility
1. Create a group in the forest root domain:
# net rpc group add trust-rpc-readonly -S w12.ad.test -UAdministrator%PASSWORD
2. Add our TDO object to the group:
# net rpc group addmem trust-rpc-readonly 'IPAAD$' -S w12.ad.test
3. Check that the TDO object is part of the group:
# net rpc group members trust-rpc-readonly -S w12.ad.test -UAdministrator%PASSWORD
Now you can go to the UI and assign specific privileges to the group.
>2. Is it possible to set up some other "standard" service account for
>IPA access to AD LDAP?
>From: "Alexander Bokovoy" <aboko...@redhat.com>
>To: "Jan Karásek" <jan.kara...@elostech.cz>
>Sent: Wednesday, August 17, 2016 4:12:28 PM
>Subject: Re: [Freeipa-users] IPA-AD ldap acces - account ?
>On Wed, 17 Aug 2016, Jan Karásek wrote:
>>Please could somebody explain how and with which account IPA is
>>accessing the DC in the IPA-AD trust scenario. Is it possible to simulate
>>with ldapsearch some query to AD with the same permissions as IPA?
>Depends on what trust we have. For two-way trust SSSD on IPA masters
>uses host/master.ipa.domain@IPA.DOMAIN principal because we map it to a
>SID with a special well-known RID 'Domain Computers' (-515) and attach
>an MS-PAC record to the TGT issued for this service principal.
>For one-way trust SSSD on IPA masters uses a so-called TDO account. These
>are special accounts in AD domains which look like a machine account
>(FOO$) but instead use the NetBIOS name of the trusted forest and have
>specific attributes associated with them.
>>We have some issues with reading ldap object from AD and I would like
>>to simulate that from command line.
>The simplest way is to do something like this on an IPA master for a one-way trust:
># klist -kt /var/lib/sss/keytabs/<trust>.keytab
>notice the principal name there, let's say it is NAME$@TRUST
># kinit -kt /var/lib/sss/keytabs/<trust>.keytab 'NAME$@TRUST'
># ldapsearch -H ad.dc -Y GSSAPI ....
>For two-way trust it is enough to kinit as IPA master host principal:
># kinit -k
># ldapsearch -H ad.dc -Y GSSAPI ...
>/ Alexander Bokovoy
>Manage your subscription for the Freeipa-users mailing list:
>Go to http://freeipa.org for more info on the project
/ Alexander Bokovoy
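Putting the two replies together, the script below is an added example (it is not from this thread and not code from the FreeIPA or SSSD projects). It reproduces SSSD's LDAP access from an IPA master the way Alexander describes for a one-way trust (kinit from the trust keytab as the NAME$@TRUST principal, then a GSSAPI ldapsearch) and classifies the result into the three outcomes Jan ran into: the AD object is hidden from the TDO account entirely, the object is visible but its POSIX attributes are not readable, or everything is readable. The keytab path follows the reply above; the forest name ad.test, the DC w12.ad.test, the looked-up user testuser and the sample klist and LDIF outputs are assumptions or constructed data for the example.

```shell
#!/bin/sh
# Added example: check what an IPA master's TDO account can read from AD LDAP.
# Assumptions (not stated in the thread): trust keytab at
# /var/lib/sss/keytabs/<trust>.keytab, forest DNS name in $TRUST, DC in $AD_DC,
# users looked up by sAMAccountName. Adjust before use.

TRUST="${TRUST:-ad.test}"        # assumed trusted forest DNS name
AD_DC="${AD_DC:-w12.ad.test}"    # assumed domain controller
KEYTAB="/var/lib/sss/keytabs/${TRUST}.keytab"

# Pick the TDO principal (NAME$@TRUST) out of 'klist -kt' output read on stdin.
# Entry lines start with a KVNO; the principal is the last column.
tdo_principal() {
    awk '$1 ~ /^[0-9]+$/ && $NF ~ /\$@/ { print $NF; exit }'
}

# Turn a forest DNS name into its LDAP base DN (ad.test -> DC=ad,DC=test).
base_dn() {
    printf '%s' "$1" | awk -F. '{ for (i = 1; i <= NF; i++) printf "%sDC=%s", (i > 1 ? "," : ""), $i }'
}

# Filter for one user; ask only for the attributes SSSD needs for a POSIX identity.
posix_filter() {
    printf '(&(objectClass=user)(sAMAccountName=%s))' "$1"
}
POSIX_ATTRS="sAMAccountName objectSid uidNumber gidNumber loginShell unixHomeDirectory"

# Classify ldapsearch LDIF read on stdin:
#   no-entry  -> nothing came back: the ACL hides the object from this account
#   no-posix  -> object visible, but uidNumber/gidNumber were not readable
#   ok        -> both POSIX attributes present
classify_ldif() {
    awk '
        /^dn: /              { entries++ }
        /^uidNumber: [0-9]+/ { uid++ }
        /^gidNumber: [0-9]+/ { gid++ }
        END {
            if (entries == 0)    print "no-entry"
            else if (uid && gid) print "ok"
            else                 print "no-posix"
        }'
}

# Live check: kinit as the TDO and query the DC the way SSSD does (GSSAPI bind).
run_check() {
    user="$1"
    princ=$(klist -kt "$KEYTAB" | tdo_principal)
    [ -n "$princ" ] || { echo "no TDO principal found in $KEYTAB" >&2; return 2; }
    kinit -kt "$KEYTAB" "$princ" || return 2
    # $POSIX_ATTRS is intentionally unquoted so each attribute is a separate argument.
    ldapsearch -LLL -Q -H "ldap://$AD_DC" -Y GSSAPI -b "$(base_dn "$TRUST")" \
        "$(posix_filter "$user")" $POSIX_ATTRS 2>/dev/null | classify_ldif
}

# Constructed sample inputs so the parsing helpers can be exercised offline.
SAMPLE_KLIST='Keytab name: FILE:/var/lib/sss/keytabs/ad.test.keytab
KVNO Timestamp           Principal
---- ------------------- ------------------------------------------------------
   2 08/18/2016 10:00:00 IPAAD$@AD.TEST
   2 08/18/2016 10:00:00 IPAAD$@AD.TEST'

SAMPLE_LDIF_OK='dn: CN=testuser,CN=Users,DC=ad,DC=test
sAMAccountName: testuser
uidNumber: 10001
gidNumber: 10001'

SAMPLE_LDIF_NO_POSIX='dn: CN=testuser,CN=Users,DC=ad,DC=test
sAMAccountName: testuser'

# Only touch the network when explicitly asked: sh script.sh --live <sAMAccountName>
if [ "${1:-}" = "--live" ] && [ -n "${2:-}" ]; then
    run_check "$2"
fi
```

Run it on an IPA master as "sh ipa_ad_posix_check.sh --live testuser". A result of "no-entry" is the case described above where the object is not readable by Authenticated Users at all; "no-posix" means the object is visible but uidNumber/gidNumber are not granted to the TDO; rerunning after adding the TDO to the group created with 'net rpc' and granting that group read access on User objects should turn it into "ok".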