Great! Thank you very much. It works!

Regards,
Jan
From: "Alexander Bokovoy" <[email protected]>
To: "Jan Karásek" <[email protected]>
Cc: [email protected]
Sent: Thursday, August 18, 2016 4:03:14 PM
Subject: Re: [Freeipa-users] IPA-AD ldap access - account ?

On Thu, 18 Aug 2016, Jan Karásek wrote:
>Hi,
>thank you. We are experiencing problems with LDAP access from IPA
>servers in the IPA-AD scenario with a one-way trust (Win 2012).
>
>So for LDAP access IPA uses the xyz$@domain special trust account.
>According to my lab, this account is on the AD side considered a
>member of the Authenticated Users group. By default Authenticated Users is
>a member of the group Pre-Windows 2000 Compatible Access, and this group has
>read permission on the object type User, and therefore IPA is able to read
>POSIX attributes from these objects. (Tested in my lab environment.)
>
>In our case, due to the security team, there is no possibility for
>Authenticated Users to read user objects, and then IPA is unable to
>read objects from AD LDAP. So we have a situation where Kerberos works
>OK but we are not able to get POSIX attributes from LDAP.
Create a group that could be granted such access, add the TDO object there.

>This situation could have been solved by adding read permission
>directly to the IPA access account (TDO), but unfortunately it looks
>like it is not possible.
Why is it not possible? The account is in AD; one can always grant it more
permissions there.
>
>Questions:
>
>1. Does IPA depend on the ability of the Authenticated Users group to access
>user object attributes?
At the very least, yes. Otherwise you need to grant more permissions to the
TDO account in AD, even though you cannot directly get access to the
account from the non-advanced UI view. However, even the Samba 'net' utility
works fine:

1. Create a group in the forest root domain:

# net rpc group add trust-rpc-readonly -S w12.ad.test -UAdministrator%PASSWORD

2. Add our TDO object to the group:

# net rpc group addmem trust-rpc-readonly 'IPAAD$' -S w12.ad.test -UAdministrator%PASSWORD

3. Check that the TDO object is part of the group:

# net rpc group members trust-rpc-readonly -S w12.ad.test -UAdministrator%PASSWORD
AD\IPAAD$

Now you can go to the UI and assign specific privileges to the group.

>2. Is it possible to set up some other "standard" service account for
>IPA access to AD LDAP?
No.

>
>Thank you,
>Jan
>
>
>
>From: "Alexander Bokovoy" <[email protected]>
>To: "Jan Karásek" <[email protected]>
>Cc: [email protected]
>Sent: Wednesday, August 17, 2016 4:12:28 PM
>Subject: Re: [Freeipa-users] IPA-AD ldap access - account ?
>
>On Wed, 17 Aug 2016, Jan Karásek wrote:
>>Hi,
>>
>>please could somebody explain how and with which account IPA is
>>accessing the DC in the IPA - AD trust scenario. Is it possible to simulate
>>with ldapsearch some query to AD with the same permissions as the IPA
>>server?
>Depends on what trust we have. For a two-way trust SSSD on IPA masters
>uses the host/[email protected] principal because we map it to a
>SID with a special well-known RID 'Domain Computers' (-515) and attach
>an MS-PAC record to the TGT issued for this service principal.
>
>For a one-way trust SSSD on IPA masters uses the so-called TDO account. These
>are special accounts in AD domains which look like a machine account
>(FOO$) but instead use the NetBIOS name of the trusted forest and have
>specific attributes associated with them.
>
>>We have some issues with reading LDAP objects from AD and I would like
>>to simulate that from the command line.
>
>The simplest way is to do something like this on an IPA master for a one-way
>trust:
>
># klist -kt /var/lib/sss/keytabs/<trust>.keytab
>
>Notice the principal name there; let's say it is NAME$@TRUST.
>
># kinit -kt /var/lib/sss/keytabs/<trust>.keytab 'NAME$@TRUST'
># ldapsearch -H ad.dc -Y GSSAPI ....
>
>For a two-way trust it is enough to kinit as the IPA master host principal:
>
># kinit -k
># ldapsearch -H ad.dc -Y GSSAPI ...
>
>
>--
>/ Alexander Bokovoy
--
/ Alexander Bokovoy

--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project
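The two procedures from the thread (granting the TDO read access through a dedicated AD group with Samba's `net rpc group`, and reproducing SSSD's one-way-trust LDAP access by doing `kinit` from the SSSD keytab and running `ldapsearch` as the TDO), wrapped into one script. This is an added example, not code from the thread or from the FreeIPA, SSSD or Samba projects. The DC name `w12.ad.test`, group name `trust-rpc-readonly`, TDO name `IPAAD$`, keytab path, base DN `DC=ad,DC=test`, the user `jdoe` and the sample command outputs are assumptions; the only parts that run offline are the two parsers (principal from `klist -kt` output, membership from `net rpc group members` output) and they are exercised on constructed sample output.

```shell
#!/bin/sh
# Added example, not from the thread. Wraps (1) granting the TDO account
# read access via a dedicated AD group with Samba's 'net rpc group', and
# (2) querying AD LDAP as the TDO from the SSSD keytab to verify that the
# POSIX attributes are readable. Host, group, keytab and DN are assumptions.

# Extract the TDO principal (NAME$@TRUST) from 'klist -kt' output: only
# keytab entry lines end with a principal containing '$@'.
tdo_principal_from_klist() {
    printf '%s\n' "$1" | awk 'index($NF, "$@") { print $NF; exit }'
}

# Return 0 if 'net rpc group members' output (one DOMAIN\name per line)
# lists the given member; the DOMAIN\ prefix is stripped before comparing.
group_has_member() {
    printf '%s\n' "$1" | sed 's/^.*\\//' | grep -qxF -- "$2"
}

# Steps 1-3 from the reply: create the group, add the TDO, verify membership.
# Needs connectivity to the DC and domain admin credentials (user%password).
grant_tdo_read_group() {
    dc="$1"; group="$2"; tdo="$3"; creds="$4"
    net rpc group add "$group" -S "$dc" -U "$creds" &&
    net rpc group addmem "$group" "$tdo" -S "$dc" -U "$creds" &&
    group_has_member "$(net rpc group members "$group" -S "$dc" -U "$creds")" "$tdo"
}

# One-way trust check: kinit with the TDO keytab, then read the RFC 2307
# attributes of one AD user over GSSAPI. A private ccache is used so the
# SSSD cache is not touched; ldapsearch -H needs a URI, hence ldap://.
ad_posix_lookup_as_tdo() {
    keytab="$1"; dc="$2"; base="$3"; user="$4"
    princ=$(tdo_principal_from_klist "$(klist -kt "$keytab")")
    [ -n "$princ" ] || { echo "no TDO principal found in $keytab" >&2; return 1; }
    KRB5CCNAME="FILE:/tmp/tdo-check.$$"; export KRB5CCNAME
    kinit -kt "$keytab" "$princ" || return 1
    ldapsearch -LLL -H "ldap://$dc" -Y GSSAPI -b "$base" \
        "(&(objectClass=user)(sAMAccountName=$user))" \
        sAMAccountName uidNumber gidNumber unixHomeDirectory loginShell
    rc=$?
    kdestroy
    return $rc
}

# Constructed sample outputs (offline), shaped like the real commands print.
KLIST_SAMPLE='Keytab name: FILE:/var/lib/sss/keytabs/ad.test.keytab
KVNO Timestamp           Principal
---- ------------------- ------------------------------------------------------
   2 08/18/2016 16:03:14 IPAAD$@AD.TEST
   2 08/18/2016 16:03:14 IPAAD$@AD.TEST'
MEMBERS_SAMPLE='AD\IPAAD$'

# Offline self-check; the network functions only run when asked:
#   sh tdo-check.sh grant    (needs DC access and admin credentials)
#   sh tdo-check.sh lookup   (needs the SSSD keytab, i.e. root on an IPA master)
echo "TDO principal from sample keytab listing: $(tdo_principal_from_klist "$KLIST_SAMPLE")"
case "${1:-}" in
    grant)  grant_tdo_read_group w12.ad.test trust-rpc-readonly 'IPAAD$' 'Administrator%PASSWORD' ;;
    lookup) ad_posix_lookup_as_tdo /var/lib/sss/keytabs/ad.test.keytab w12.ad.test 'DC=ad,DC=test' jdoe ;;
esac
```

If `lookup` returns the user but without `uidNumber`/`gidNumber`, the bind worked and the problem is exactly the one in the thread: the TDO can see the object but has no read right on those attributes, which is what the group created by `grant` is meant to receive in the AD UI.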
