On ke, 22 maalis 2017, Dan Dietterich wrote:
I am trying to understand if it is possible to NAT between a network
running Active Directory (AD) and a network running FreeIPA and have
one-way trust from FreeIPA to the AD.
My hypothesis is that it is not possible, for two reasons. First, I
understand that Kerberos uses several techniques (ip addresses in the
protocol, reverse DNS lookups) to make sure there is no "man in the
middle." The proxy is a man in the middle. Second, I understand that
FreeIPA retrieves the layout of domain controllers (DC) from the
initial AD DC it builds the trust with. The addresses returned are
valid in the AD network and are not translated into the FreeIPA
network. FreeIPA will not be able to route to those IP addresses.
I don't think this configuration will work. Specifically, discovery of
DCs closest to a client with CLDAP ping (done by all Windows clients and
SSSD) is required in Active Directory environment and indeed NATingn AD
network will not allow IPA masters to access AD DCs.
I have read about proxying Kerberos protocol over https
(https://web.mit.edu/kerberos/krb5-devel/doc/admin/https.html)
It is irrelevant here. Sure, IPA provides Kerberos proxy by default
already and you may use it but aside from Kerberos, we need access to
LDAP and DCE RPC services on AD side. These cannot be proxied in a sane
way.
I have read about proxying LDAP
(https://wiki.samba.org/index.php/OpenLDAP_as_proxy_to_AD)
Both 389-ds and OpenLDAP have backends to proxy LDAP requests to another
servers. However, this is not helpful in the case of AD because none of
those support proxying CLDAP (LDAP over UDP) which is key part of DC
discovery in AD. Also, there is no way to force such proxy to rewrite
addresses as you correctly noted.
--
/ Alexander Bokovoy
--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project
