I am trying to understand if it is possible to NAT between a network running
Active Directory (AD) and a network running FreeIPA and have one-way trust from
FreeIPA to the AD.
My hypothesis is that it is not possible, for two reasons. First, I understand
that Kerberos uses several techniques (ip addresses in the protocol, reverse
DNS lookups) to make sure there is no "man in the middle." The proxy is a man
in the middle. Second, I understand that FreeIPA retrieves the layout of domain
controllers (DC) from the initial AD DC it builds the trust with. The addresses
returned are valid in the AD network and are not translated into the FreeIPA
network. FreeIPA will not be able to route to those IP addresses.
I have read about proxying Kerberos protocol over https
I have read about proxying LDAP
I do not know all of the protocols used to operate AD <-> FreeIPA trust, so I'm
not sure there is even software available to do such a thing.
Thanks for any insight!
Manage your subscription for the Freeipa-users mailing list:
Go to http://freeipa.org for more info on the project