[Freeipa-users] cross domain trust between two IPA servers
Hi everyone,

Is it possible to create a cross domain trust between two IPA servers? I would have thought FreeIPA would have dealt with this use case first rather than jump directly into integrating with AD.

The reason for this is because you're more likely to have satellite sites of Red Hat servers you want to manage. An example of this is shown below.

You require user details to be separated for two separate organizations that merge together. In the interim period, or permanently, you may want members' data to be stored in the two separate realms for either legal reasons or for company structure reasons (management), as you do this quite frequently with Microsoft AD environments when corporations merge or buy one another out. Or a parent company buys a smaller company but wants to hook the two systems together without merging them completely, to keep the companies' identity and major operations separate.

Is there any way to do this with two IPA servers?

--
Johnathan Phan
ox-consulting
T: +44 (0)784 118 7080
j...@ox-consulting.com

___
Freeipa-users mailing list
Freeipa-users@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users
Re: [Freeipa-users] cross domain trust between two IPA servers
On Tue, 2012-08-07 at 14:54 +0100, Johnathan Phan wrote:
> Hi everyone,
>
> Is it possible to create a cross domain trust between two IPA servers? I would have thought FreeIPA would have dealt with this use case first rather than jump directly into integrating with AD.

Not yet; the reason we dealt with AD first is that there were more requests for that use case.

> The reason for this is because you're more likely to have satellite sites of Red Hat servers you want to manage. An example of this is shown below.
>
> You require user details to be separated for two separate organizations that merge together. In the interim period, or permanently, you may want members' data to be stored in the two separate realms for either legal reasons or for company structure reasons (management), as you do this quite frequently with Microsoft AD environments when corporations merge or buy one another out. Or a parent company buys a smaller company but wants to hook the two systems together without merging them completely, to keep the companies' identity and major operations separate.
>
> Is there any way to do this with two IPA servers?

We are planning to add FreeIPA-FreeIPA trusts in due course, and a Kerberos level trust between 2 IPA servers can be done with some manual work, but there are some details when it comes to providing identity to the other domain that are missing. (Although SSSD can be configured easily enough to use 2 separate FreeIPA domains if really needed.)

Simo.

--
Simo Sorce * Red Hat, Inc * New York
Re: [Freeipa-users] cross domain trust between two IPA servers
On Tue, 2012-08-07 at 16:36 +0100, Johnathan Phan wrote:
> Hi Simo,
>
> This document here implies that this does it.
> http://docs.redhat.com/docs/en-US/Red_Hat_Enterprise_Linux/6/html/Managing_Smart_Cards/Setting_Up_Cross_Realm_Authentication.html#basic-trust

This document does not apply to Identity Management (FreeIPA in RHEL speak); it is for a classic Kerberos KDC. However, it is a reasonable guide to experiment with trusts.

> However, during testing it does not behave as expected.
>
> Do you have any documentation on how SSSD can be configured so that logging in on a server in a.example.com with a user that exists in the IPA server responsible for domain b.example.com can happen, only based on the rights the group has in b.example.com? Any reference material on how that could work will help me a long way.

You should look into the fact that SSSD can be defined to have multiple domains. This means, though, that the 'receiving' machines need to be configured for both realms. This is one of the gotchas, given the current lack of actual integration; moving forward, when we have official integration, manual configuration of a separate SSSD domain will not be necessary and group memberships will work better.

Simo.

--
Simo Sorce * Red Hat, Inc * New York
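The two-domain SSSD setup Simo describes, as an added example that is not from the thread or from the FreeIPA project: an sssd.conf for a client enrolled in a.example.com that also defines a second, hand-configured SSSD domain for b.example.com, restricted to one B-side group as Johnathan asked. The server hostnames, the client hostname, the CA file path, the group name b-admins and the use of plain LDAP plus Kerberos for the second domain (so the client needs no host keytab in realm B) are all assumptions.

```ini
# Added example (not from the thread): /etc/sssd/sssd.conf on a client
# enrolled in a.example.com that also serves users from b.example.com.
# Assumed names: ipa1.a.example.com, ipa1.b.example.com, client1.a.example.com.
[sssd]
config_file_version = 2
services = nss, pam
# Both SSSD domains are consulted; lookups try them in this order.
domains = a.example.com, b.example.com

[domain/a.example.com]
# The realm this client is actually enrolled in (via ipa-client-install).
id_provider = ipa
auth_provider = ipa
access_provider = ipa
chpass_provider = ipa
ipa_domain = a.example.com
ipa_server = ipa1.a.example.com
ipa_hostname = client1.a.example.com
krb5_realm = A.EXAMPLE.COM
cache_credentials = True

[domain/b.example.com]
# Second realm, configured by hand. This client has no host keytab for B,
# so identity comes from LDAP (assumed anonymous read of IPA's tree) and
# authentication from B's KDC, instead of the ipa provider.
id_provider = ldap
auth_provider = krb5
ldap_uri = ldaps://ipa1.b.example.com
ldap_search_base = cn=accounts,dc=b,dc=example,dc=com
ldap_user_search_base = cn=users,cn=accounts,dc=b,dc=example,dc=com
ldap_group_search_base = cn=groups,cn=accounts,dc=b,dc=example,dc=com
ldap_schema = rfc2307bis
# Assumed path to a copy of B's CA certificate; LDAPS fails without it.
ldap_tls_cacert = /etc/ipa/b.example.com-ca.crt
krb5_realm = B.EXAMPLE.COM
krb5_server = ipa1.b.example.com
# No trust carries HBAC or group membership across realms, so allow only
# members of one B group (assumed name) to log in here.
access_provider = simple
simple_allow_groups = b-admins
# Keep B users fully qualified so a same-named user in A cannot collide.
use_fully_qualified_names = True
```

A user from the second realm then logs in as user@b.example.com; groups held in one realm are not visible from the other, which is the missing identity piece Simo refers to.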