[Freeipa-devel] IPA to IPA trusts

2013-06-19 Thread Dmitri Pal
Hello,

I have a stupid idea.
We now have the ability to make IPA trust AD and AD trust IPA. IPA pretends
that it is AD.
I wonder how hard it would be to set up the case when there are two IPA
servers that are both pretending that they are AD talking to each other.
This might be a temp solution for IPA to IPA trusts until we do PADs.
It might be a temp solution for use cases like this
https://fedorahosted.org/freeipa/ticket/3742

I suspect that SSSD would have to be configured as if it is a member of
an AD domain trusting another AD domain for this to work :-)

-- 
Thank you,
Dmitri Pal

Sr. Engineering Manager for IdM portfolio
Red Hat Inc.



___
Freeipa-devel mailing list
Freeipa-devel@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-devel


Re: [Freeipa-devel] IPA to IPA trusts

2013-06-19 Thread Alexander Bokovoy

On Thu, 20 Jun 2013, Dmitri Pal wrote:

> Hello,
>
> I have a stupid idea.
> We now have the ability to make IPA trust AD and AD trust IPA. IPA pretends
> that it is AD.
> I wonder how hard it would be to set up the case when there are two IPA
> servers that are both pretending that they are AD talking to each other.

This is the plan -- we want to reuse all the work for AD trusts to build
up IPA to IPA trusts: SIDs, SSSD providers. However, we are not there
yet (see below).


> This might be a temp solution for IPA to IPA trusts until we do PADs.
> It might be a temp solution for use cases like this
> https://fedorahosted.org/freeipa/ticket/3742

We need to implement the GC service on the server side.

Additionally, we haven't yet fully implemented part of the trust
procedure in smbd according to the spec; we rely on AD performing that
part for us. Without real AD right now we'd have to know much more about
the other side.


--
/ Alexander Bokovoy
