[Freeipa-users] Re: AD trust and ACL on OUs

2017-08-26 Thread Sigbjorn Lie-Soland via FreeIPA-users


On 08/26/2017 09:24 PM, Alexander Bokovoy via FreeIPA-users wrote:
> On la, 26 elo 2017, Sigbjorn Lie-Soland via FreeIPA-users wrote:
>> Hi list,
>>
>> I have an issue with an AD one-way trust to IPA, where the AD is
>> configured with a very specific set of ACLs on the various OUs where
>> the user accounts live. Authenticated Users cannot search for all users
>> in the AD LDAP directory. This is done as the AD is hosting a
>> multi-tenant environment, and there exists a requirement for different
>> customers' accounts not to be visible by everyone.
>>
>> The issue for IPA is when SSSD is attempting to look up the users
>> details in AD via LDAP, using its trust account
>> (cn=IPADOM$,cn=Users,dc=ad,dc=local). This trust account does not have
>> the required permissions to search for all the users in the AD LDAP
>> tree, the AD user is not found by SSSD, and is denied logon access.
>>
>> As the IPADOM$ account is a special trust account, it is not possible to
>> add this account to the AD group which is normally used to grant access
>> to service accounts to read the entire AD LDAP directory.
> It is possible to do that with Samba's net utility.
>
> Last year I wrote this solution for Red Hat Customer Portal:
> https://access.redhat.com/solutions/2536681
>
> Effectively, it has to be done this way:
> # net rpc group add trust-read-only -S w12.ad.test -UAdministrator%PASSWORD
> # net rpc group addmem trust-read-only 'IPAAD$' -S w12.ad.test -UAdministrator%PASSWORD
>
>
Excellent!

Just tested in our lab, and it worked beautifully! :)

Thank you!

BTW, I did search the KB at access.redhat.com, but I did not come across
this KB for some reason.


Regards,
Siggi
___
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org


[Freeipa-users] Re: AD trust and ACL on OUs

2017-08-26 Thread Alexander Bokovoy via FreeIPA-users

On la, 26 elo 2017, Sigbjorn Lie-Soland via FreeIPA-users wrote:

Hi list,

I have an issue with an AD one-way trust to IPA, where the AD is
configured with a very specific set of ACLs on the various OUs where
the user accounts live. Authenticated Users cannot search for all users
in the AD LDAP directory. This is done as the AD is hosting a
multi-tenant environment, and there exists a requirement for different
customers' accounts not to be visible by everyone.

The issue for IPA is when SSSD is attempting to look up the users
details in AD via LDAP, using its trust account
(cn=IPADOM$,cn=Users,dc=ad,dc=local). This trust account does not have
the required permissions to search for all the users in the AD LDAP
tree, the AD user is not found by SSSD, and is denied logon access.

As the IPADOM$ account is a special trust account, it is not possible to
add this account to the AD group which is normally used to grant access
to service accounts to read the entire AD LDAP directory.

It is possible to do that with Samba's net utility.

Last year I wrote this solution for Red Hat Customer Portal:
https://access.redhat.com/solutions/2536681

Effectively, it has to be done this way:
# net rpc group add trust-read-only -S w12.ad.test -UAdministrator%PASSWORD
# net rpc group addmem trust-read-only 'IPAAD$' -S w12.ad.test -UAdministrator%PASSWORD


--
/ Alexander Bokovoy