[Freeipa-users] Re: AD Trust Types

2021-06-15 Thread Alexander Bokovoy via FreeIPA-users

On Tue, 15 Jun 2021, Ronald Wimmer via FreeIPA-users wrote:

On 15.06.21 08:42, Alexander Bokovoy via FreeIPA-users wrote:

[...]
Check the first link I gave. Only 'domain local' groups can include
members from "Accounts, Global groups, and Universal groups from other
forests and from external domains". Domain local groups, on the other
hand, can only be used inside the domain they are defined in.

Thus, such groups cannot be used over a trust to IPA.


I was not aware that only 'domain local' groups allow members from 
other forests and/or domains. I know that 'domain local' groups cannot 
be used in IPA.


The group my colleague created is a 'domain local' group although I 
told them many times not to create local groups because they cannot be 
used in IPA...


Thanks a lot for clarification. I think I do have a better picture now.

Is it true that the main use case for creating an 'external' trust is 
to establish a trust to just one domain of a forest?


On Active Directory side external trust is often used to perform a
shortcut in an authentication request processing. This is often needed
if you have a deep hierarchy of child domains in a forest and you only
want to have a trust to a specific child domain. This avoids going
through the parent domains' domain controllers for each Kerberos or
identity resolution request.

Another reason is that people often use external trust in a situation
where they have organizational barriers to set up a proper forest trust.

Both of these could apply to IPA to AD trust as well. As always, one
needs to carefully plan the deployment in advance, as external trust has
clear limitations.

--
/ Alexander Bokovoy
Sr. Principal Software Engineer
Security / Identity Management Engineering
Red Hat Limited, Finland
___
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org
Fedora Code of Conduct: 
https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: 
https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahosted.org
Do not reply to spam on the list, report it: 
https://pagure.io/fedora-infrastructure


[Freeipa-users] Re: AD Trust Types

2021-06-15 Thread Ronald Wimmer via FreeIPA-users

On 15.06.21 08:42, Alexander Bokovoy via FreeIPA-users wrote:

[...]
Check the first link I gave. Only 'domain local' groups can include
members from "Accounts, Global groups, and Universal groups from other
forests and from external domains". Domain local groups, on the other
hand, can only be used inside the domain they are defined in.

Thus, such groups cannot be used over a trust to IPA.


I was not aware that only 'domain local' groups allow members from other 
forests and/or domains. I know that 'domain local' groups cannot be used 
in IPA.


The group my colleague created is a 'domain local' group although I told 
them many times not to create local groups because they cannot be used 
in IPA...


Thanks a lot for clarification. I think I do have a better picture now.

Is it true that the main use case for creating an 'external' trust is to 
establish a trust to just one domain of a forest?


Cheers,
Ronald


[Freeipa-users] Re: AD Trust Types

2021-06-15 Thread Alexander Bokovoy via FreeIPA-users

On Tue, 15 Jun 2021, Ronald Wimmer via FreeIPA-users wrote:

On 15.06.21 07:39, Alexander Bokovoy via FreeIPA-users wrote:

On Mon, 14 Jun 2021, Ronald Wimmer wrote:

On 14.06.21 13:37, Alexander Bokovoy wrote:

On Mon, 14 Jun 2021, Ronald Wimmer via FreeIPA-users wrote:

On 12.06.21 13:08, Florence Renaud via FreeIPA-users wrote:

Hi,

please refer to External Trusts to Active Directory [1] from 
Windows Integration guide, it nicely explains the difference 
between external trust and forest trust.

flo

[1] 
https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/html/windows_integration_guide/active-directory-trust#ext-trust-to-ad

Sorry for my unspecific initial question. I did read the 
documentation. As I understood it the external trust somehow 
isolates the view on that particular domain.


If DomA_Trust is a normal one and DomB_Trust an external one I 
cannot use DomB users in a DomA group for example, right? If 
DomB trust was not external I could do that?


I think you need to start with Active Directory design and
documentation. In particular, group types in AD define who can be
included into them and how they can be consumed:
https://docs.microsoft.com/en-us/windows/security/identity-protection/access-control/active-directory-security-groups

Type of trust between domains influences the use of groups but group
scopes are ultimate ones here.

When applying that to a trust between IPA and AD, remember that we only
have two trust types:

 - forest trust: IPA domain is in a separate forest from any AD domain

 - external trust: only immediately trusted AD domain users and groups
   can be seen and used for authentication across the trust, there is no
   transitivity into any other trust that this AD domain may have
   anywhere else

In addition to that, while forest trust in itself is transitive to
domains in the trusting forest, there is no transitivity across all
trusting forests. If forest A trusts forest B and forest B trusts forest
C, there is no trust from forest A to any domain in forest C.

The same applies to groups from those forests as well, complicated by
the group scopes.


In our case IPA has a trust to the forest root of domain A which 
itself has a trust to domain B. IPA has an external trust to 
domain B. With the AD management tool we are using I can put users 
of domain B into a group of domain A.


What matters is where domain B is located. Is it part of the same forest
as domain A? Is it outside of forest A?


It is outside of forest A but forest A has a trust to it.


As I already said, forest trust is not transitive to other forest
trusts. So it does not count, a trust to B has to be explicitly created.

When I try to use that particular group (POSIX group that has the 
AD group as its member) in a HBAC scenario I do get a permission 
denied error.


It can be anything. This information does not give any chance to
understand why there is a problem.


At the moment I do have users of domain B in a group of domain A. I 
cannot use that particular group in IPA. I think this could be because 
I set up the IPA trust to domain B as external.


Check the first link I gave. Only 'domain local' groups can include
members from "Accounts, Global groups, and Universal groups from other
forests and from external domains". Domain local groups, on the other
hand, can only be used inside the domain they are defined in.

Thus, such groups cannot be used over a trust to IPA.

External trust to domain B was set up years ago when we were still 
experimenting with IPA. So my first question is if the separate 
trust to domain B is needed at all? (because there is a trust from 
domain A to domain B on the AD side.) If yes I probably would not 
want domain B trust to be an external one in my scenario, would I?


You need to decide what you want. ;) If A and B are in the same forest,
then you don't need an external trust to B from IPA side.


If I want to use users of domain B in a domain A group I will probably 
have to set up a 'normal' trust to domain B and not an 'external' one. 
Do you agree?


No. It does not matter. What matters is a group type. If you have group
members from outside your own forest, you can only use them in domain
local groups but these groups then cannot be used in other forests or
even within your own forest but in other domains. This is Active
Directory's design limitation.

What you could do is to have a trust in IPA to both forest A and a
domain B, then have IPA external groups that include individually
users/groups from A and B, then use IPA POSIX groups to include IPA
external groups. Those IPA POSIX groups then can be used to apply
permissions on IPA side. 



--
/ Alexander Bokovoy
Sr. Principal Software Engineer
Security / Identity Management Engineering
Red Hat Limited, Finland
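The group-scope check and the external-group workaround from the message above, as an added example; this is not code from the list posts or from FreeIPA itself. It is a POSIX shell script meant to be run on an IPA server. The trust names ad-a.example.test (forest root A) and ad-b.example.test (domain B, external trust), the AD groups and users, the IPA group and rule names, the host group and the LDAP server/base DN used for the scope check are all assumptions. By default it only prints the ipa commands it would run (DRY_RUN=1). The ad_group_scope function decodes AD's groupType attribute, so a group that turns out to be domain local is rejected before anyone tries to add it, which is the rule quoted in the reply above; the rest builds the IPA external group, the POSIX wrapper group and an HBAC rule, and simulates the rule with ipa hbactest.

```sh
#!/bin/sh
# Added example for this thread; not code from the list posts or from the
# FreeIPA project. All names are assumptions: forest trust to ad-a.example.test,
# external trust to ad-b.example.test, AD groups/users, host group "linux-servers"
# and the DC hostname / base DN passed to check_ad_group.
set -u

# Default to a dry run that prints the ipa commands. Run with DRY_RUN=0 on an
# IPA server as an admin with a valid Kerberos ticket to actually apply them.
: "${DRY_RUN:=1}"

ipa_cmd() {
    if [ "$DRY_RUN" = 1 ]; then
        printf 'ipa %s\n' "$*"
    else
        ipa "$@"
    fi
}

# Decode AD's groupType attribute (a signed 32-bit integer, as ldapsearch prints
# it) into scope and kind. Scope bits: 0x2 global, 0x4 domain local, 0x8 universal.
# Bit 0x80000000 marks a security-enabled group; without it the group is a
# distribution group and is never used for authorization.
ad_group_scope() {
    gt=$1
    [ "$gt" -lt 0 ] && gt=$((gt + 4294967296))   # normalise to unsigned 32-bit
    if   [ $((gt & 4)) -ne 0 ]; then scope=domainlocal
    elif [ $((gt & 2)) -ne 0 ]; then scope=global
    elif [ $((gt & 8)) -ne 0 ]; then scope=universal
    else scope=unknown
    fi
    if [ $((gt & 2147483648)) -ne 0 ]; then echo "security/$scope"
    else echo "distribution/$scope"
    fi
}

# Look up one AD group over LDAP (GSSAPI bind with the caller's ticket) and refuse
# it if AD would not expose it across a trust.
# usage: check_ad_group <dc fqdn> <base dn> <sAMAccountName>
check_ad_group() {
    gt=$(ldapsearch -LLL -Y GSSAPI -H "ldap://$1" -b "$2" "(sAMAccountName=$3)" groupType \
         | sed -n 's/^groupType: //p')
    [ -n "$gt" ] || { echo "group $3 not found under $2" >&2; return 1; }
    scope=$(ad_group_scope "$gt")
    case "$scope" in
        security/domainlocal)
            echo "$3 is $scope: not usable over a trust, use a global or universal group" >&2
            return 1 ;;
        distribution/*)
            echo "$3 is $scope: not security-enabled, cannot carry access rights" >&2
            return 1 ;;
    esac
    echo "$3 is $scope"
}

# The two trusts discussed in the thread: a forest trust to A and a separate,
# non-transitive external trust to B. Both prompt for the AD admin password.
add_trusts() {
    ipa_cmd trust-add --type=ad ad-a.example.test --admin Administrator --password
    ipa_cmd trust-add --type=ad ad-b.example.test --admin Administrator --password --external=true
}

# The workaround from the reply above: an IPA external group collects AD principals
# from both trusts individually, a POSIX group wraps it, HBAC targets the POSIX group.
# usage: setup_hbac_for_ad <ext group> <posix group> <hbac rule> <hostgroup> <AD principal>...
setup_hbac_for_ad() {
    ext=$1 posix=$2 rule=$3 hg=$4
    shift 4
    ipa_cmd group-add "$ext" --external --desc "AD members from forest A and domain B"
    for principal in "$@"; do
        ipa_cmd group-add-member "$ext" --external "$principal"
    done
    ipa_cmd group-add "$posix" --desc "POSIX wrapper for $ext"
    ipa_cmd group-add-member "$posix" --groups "$ext"
    ipa_cmd hbacrule-add "$rule" --desc "SSH for AD users via $posix"
    ipa_cmd hbacrule-add-user "$rule" --groups "$posix"
    ipa_cmd hbacrule-add-host "$rule" --hostgroups "$hg"
    ipa_cmd hbacrule-add-service "$rule" --hbacsvcs sshd
}

# Simulate the rule set for a user, host and service; hbactest lists which rules
# matched and which did not, which is the first thing to look at on "permission denied".
verify_hbac() {  # usage: verify_hbac <user@AD-DOMAIN> <host fqdn>
    ipa_cmd hbactest --user "$1" --host "$2" --service sshd
}

if [ "$DRY_RUN" = 1 ]; then
    add_trusts
    setup_hbac_for_ad ad_a_and_b_ext ad_a_and_b linux_ssh_ad linux-servers \
        'AD-A\linux-admins' 'bob@ad-b.example.test'
    verify_hbac bob@ad-b.example.test host1.ipa.example.test
fi
```

With a Kerberos ticket that AD accepts, check_ad_group dc1.ad-a.example.test 'DC=ad-a,DC=example,DC=test' linux-admins tells you the scope before the group goes anywhere near IPA; a domain local group fails here rather than later as an unexplained HBAC denial. Once the groups pass, rerun with DRY_RUN=0 on the IPA server, then use the hbactest call to see which rules matched for the trusted user.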

[Freeipa-users] Re: AD Trust Types

2021-06-15 Thread Ronald Wimmer via FreeIPA-users

On 15.06.21 07:39, Alexander Bokovoy via FreeIPA-users wrote:

On Mon, 14 Jun 2021, Ronald Wimmer wrote:

On 14.06.21 13:37, Alexander Bokovoy wrote:

On Mon, 14 Jun 2021, Ronald Wimmer via FreeIPA-users wrote:

On 12.06.21 13:08, Florence Renaud via FreeIPA-users wrote:

Hi,

please refer to External Trusts to Active Directory [1] from 
Windows Integration guide, it nicely explains the difference 
between external trust and forest trust.

flo

[1] 
https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/html/windows_integration_guide/active-directory-trust#ext-trust-to-ad 

Sorry for my unspecific initial question. I did read the 
documentation. As I understood it the external trust somehow 
isolates the view on that particular domain.


If DomA_Trust is a normal one and DomB_Trust an external one I 
cannot use DomB users in a DomA group for example, right? If DomB 
trust was not external I could do that?


I think you need to start with Active Directory design and
documentation. In particular, group types in AD define who can be
included into them and how they can be consumed:
https://docs.microsoft.com/en-us/windows/security/identity-protection/access-control/active-directory-security-groups 

Type of trust between domains influences the use of groups but group
scopes are ultimate ones here.

When applying that to a trust between IPA and AD, remember that we only
have two trust types:

 - forest trust: IPA domain is in a separate forest from any AD domain

 - external trust: only immediately trusted AD domain users and groups
   can be seen and used for authentication across the trust, there is no
   transitivity into any other trust that this AD domain may have
   anywhere else

In addition to that, while forest trust in itself is transitive to
domains in the trusting forest, there is no transitivity across all
trusting forests. If forest A trusts forest B and forest B trusts forest
C, there is no trust from forest A to any domain in forest C.

The same applies to groups from those forests as well, complicated by
the group scopes.


In our case IPA has a trust to the forest root of domain A which 
itself has a trust to domain B. IPA has an external trust to domain B. 
With the AD management tool we are using I can put users of domain B 
into a group of domain A.


What matters is where domain B is located. Is it part of the same forest
as domain A? Is it outside of forest A?


It is outside of forest A but forest A has a trust to it.

When I try to use that particular group (POSIX group that has the AD 
group as its member) in a HBAC scenario I do get a permission denied 
error.


It can be anything. This information does not give any chance to
understand why there is a problem.


At the moment I do have users of domain B in a group of domain A. I 
cannot use that particular group in IPA. I think this could be because I 
set up the IPA trust to domain B as external.


External trust to domain B was set up years ago when we were still 
experimenting with IPA. So my first question is if the separate trust 
to domain B is needed at all? (because there is a trust from domain A 
to domain B on the AD side.) If yes I probably would not want domain B 
trust to be an external one in my scenario, would I?


You need to decide what you want. ;) If A and B are in the same forest,
then you don't need an external trust to B from IPA side.


If I want to use users of domain B in a domain A group I will probably 
have to set up a 'normal' trust to domain B and not an 'external' one. 
Do you agree?


Cheers,
Ronald


[Freeipa-users] Re: AD Trust Types

2021-06-14 Thread Alexander Bokovoy via FreeIPA-users

On Mon, 14 Jun 2021, Ronald Wimmer wrote:

On 14.06.21 13:37, Alexander Bokovoy wrote:

On Mon, 14 Jun 2021, Ronald Wimmer via FreeIPA-users wrote:

On 12.06.21 13:08, Florence Renaud via FreeIPA-users wrote:

Hi,

please refer to External Trusts to Active Directory [1] from 
Windows Integration guide, it nicely explains the difference 
between external trust and forest trust.

flo

[1] 
https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/html/windows_integration_guide/active-directory-trust#ext-trust-to-ad

Sorry for my unspecific initial question. I did read the 
documentation. As I understood it the external trust somehow 
isolates the view on that particular domain.


If DomA_Trust is a normal one and DomB_Trust an external one I 
cannot use DomB users in a DomA group for example, right? If DomB 
trust was not external I could do that?


I think you need to start with Active Directory design and
documentation. In particular, group types in AD define who can be
included into them and how they can be consumed:
https://docs.microsoft.com/en-us/windows/security/identity-protection/access-control/active-directory-security-groups


Type of trust between domains influences the use of groups but group
scopes are ultimate ones here.

When applying that to a trust between IPA and AD, remember that we only
have two trust types:

 - forest trust: IPA domain is in a separate forest from any AD domain

 - external trust: only immediately trusted AD domain users and groups
   can be seen and used for authentication across the trust, there is no
   transitivity into any other trust that this AD domain may have
   anywhere else

In addition to that, while forest trust in itself is transitive to
domains in the trusting forest, there is no transitivity across all
trusting forests. If forest A trusts forest B and forest B trusts forest
C, there is no trust from forest A to any domain in forest C.

The same applies to groups from those forests as well, complicated by
the group scopes.


In our case IPA has a trust to the forest root of domain A which 
itself has a trust to domain B. IPA has an external trust to domain B. 
With the AD management tool we are using I can put users of domain B 
into a group of domain A.


What matters is where domain B is located. Is it part of the same forest
as domain A? Is it outside of forest A?

When I try to use that particular group (POSIX group that has the AD 
group as its member) in a HBAC scenario I do get a permission denied 
error.


It can be anything. This information does not give any chance to
understand why there is a problem.



External trust to domain B was set up years ago when we were still 
experimenting with IPA. So my first question is if the separate trust 
to domain B is needed at all? (because there is a trust from domain A 
to domain B on the AD side.) If yes I probably would not want domain B 
trust to be an external one in my scenario, would I?


You need to decide what you want. ;) If A and B are in the same forest,
then you don't need an external trust to B from IPA side.


--
/ Alexander Bokovoy
Sr. Principal Software Engineer
Security / Identity Management Engineering
Red Hat Limited, Finland


[Freeipa-users] Re: AD Trust Types

2021-06-14 Thread Ronald Wimmer via FreeIPA-users

On 14.06.21 13:37, Alexander Bokovoy wrote:

On Mon, 14 Jun 2021, Ronald Wimmer via FreeIPA-users wrote:

On 12.06.21 13:08, Florence Renaud via FreeIPA-users wrote:

Hi,

please refer to External Trusts to Active Directory [1] from Windows 
Integration guide, it nicely explains the difference between external 
trust and forest trust.

flo

[1] 
https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/html/windows_integration_guide/active-directory-trust#ext-trust-to-ad 

Sorry for my unspecific initial question. I did read the 
documentation. As I understood it the external trust somehow isolates 
the view on that particular domain.


If DomA_Trust is a normal one and DomB_Trust an external one I cannot 
use DomB users in a DomA group for example, right? If DomB trust was 
not external I could do that?


I think you need to start with Active Directory design and
documentation. In particular, group types in AD define who can be
included into them and how they can be consumed:
https://docs.microsoft.com/en-us/windows/security/identity-protection/access-control/active-directory-security-groups 

Type of trust between domains influences the use of groups but group
scopes are ultimate ones here.

When applying that to a trust between IPA and AD, remember that we only
have two trust types:

  - forest trust: IPA domain is in a separate forest from any AD domain

  - external trust: only immediately trusted AD domain users and groups
    can be seen and used for authentication across the trust, there is no
    transitivity into any other trust that this AD domain may have
    anywhere else

In addition to that, while forest trust in itself is transitive to
domains in the trusting forest, there is no transitivity across all
trusting forests. If forest A trusts forest B and forest B trusts forest
C, there is no trust from forest A to any domain in forest C.

The same applies to groups from those forests as well, complicated by
the group scopes.


In our case IPA has a trust to the forest root of domain A which itself 
has a trust to domain B. IPA has an external trust to domain B. With the 
AD management tool we are using I can put users of domain B into a group 
of domain A.


When I try to use that particular group (POSIX group that has the AD 
group as its member) in a HBAC scenario I do get a permission denied error.


External trust to domain B was set up years ago when we were still 
experimenting with IPA. So my first question is if the separate trust to 
domain B is needed at all? (because there is a trust from domain A to 
domain B on the AD side.) If yes I probably would not want domain B 
trust to be an external one in my scenario, would I?


Cheers,
Ronald


[Freeipa-users] Re: AD Trust Types

2021-06-14 Thread Alexander Bokovoy via FreeIPA-users

On Mon, 14 Jun 2021, Ronald Wimmer via FreeIPA-users wrote:

On 12.06.21 13:08, Florence Renaud via FreeIPA-users wrote:

Hi,

please refer to External Trusts to Active Directory [1] from Windows 
Integration guide, it nicely explains the difference between 
external trust and forest trust.

flo

[1] 
https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/html/windows_integration_guide/active-directory-trust#ext-trust-to-ad

Sorry for my unspecific initial question. I did read the 
documentation. As I understood it the external trust somehow isolates 
the view on that particular domain.


If DomA_Trust is a normal one and DomB_Trust an external one I cannot 
use DomB users in a DomA group for example, right? If DomB trust was 
not external I could do that?


I think you need to start with Active Directory design and
documentation. In particular, group types in AD define who can be
included into them and how they can be consumed:
https://docs.microsoft.com/en-us/windows/security/identity-protection/access-control/active-directory-security-groups

Type of trust between domains influences the use of groups but group
scopes are ultimate ones here.

When applying that to a trust between IPA and AD, remember that we only
have two trust types:

 - forest trust: IPA domain is in a separate forest from any AD domain

 - external trust: only immediately trusted AD domain users and groups
   can be seen and used for authentication across the trust, there is no
   transitivity into any other trust that this AD domain may have
   anywhere else

In addition to that, while forest trust in itself is transitive to
domains in the trusting forest, there is no transitivity across all
trusting forests. If forest A trusts forest B and forest B trusts forest
C, there is no trust from forest A to any domain in forest C.

The same applies to groups from those forests as well, complicated by
the group scopes.


--
/ Alexander Bokovoy
Sr. Principal Software Engineer
Security / Identity Management Engineering
Red Hat Limited, Finland


[Freeipa-users] Re: AD Trust Types

2021-06-14 Thread Ronald Wimmer via FreeIPA-users

On 12.06.21 13:08, Florence Renaud via FreeIPA-users wrote:

Hi,

please refer to External Trusts to Active Directory [1] from Windows 
Integration guide, it nicely explains the difference between external 
trust and forest trust.

flo

[1] 
https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/html/windows_integration_guide/active-directory-trust#ext-trust-to-ad 

Sorry for my unspecific initial question. I did read the documentation. 
As I understood it the external trust somehow isolates the view on that 
particular domain.


If DomA_Trust is a normal one and DomB_Trust an external one I cannot 
use DomB users in a DomA group for example, right? If DomB trust was not 
external I could do that?


Cheers,
Ronald


[Freeipa-users] Re: AD Trust Types

2021-06-12 Thread Florence Renaud via FreeIPA-users
Hi,

please refer to External Trusts to Active Directory [1] from Windows
Integration guide, it nicely explains the difference between external trust
and forest trust.
flo

[1]
https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/html/windows_integration_guide/active-directory-trust#ext-trust-to-ad

On Wed, Jun 9, 2021 at 11:09 AM Ronald Wimmer via FreeIPA-users <freeipa-users@lists.fedorahosted.org> wrote:

> Quite some time ago I added a trust to another AD domain. IIRC I added
> an "external trust" for a reason I do not remember.
>
> What is the "Non-transitive external trust to a domain in another Active
> Directory forest" trust type for? Could I not just have added another
> "Active Directory domain" trust?
>
> Any clarification on this matter would be highly appreciated!
>
> Cheers,
> Ronald