Re: [Freeipa-users] FreeIPA with Active directory Read-only domain controller trust setup

2015-03-31 Thread Petr Spacek
On 30.3.2015 18:00, Dmitri Pal wrote:
 On 03/30/2015 11:12 AM, Srdjan Dutina wrote:
 Hi,

 I'm testing a FreeIPA (v4.1.3, CentOS 7) - AD (2012 R2) trust on a branch site
 where only an AD read-only domain controller (RODC) exists.
 I'm aware that for the initial establishment of the trust I need access to a writable
 domain controller so IPA can add the trust to AD domains and trusts.
 But after the initial setup, can the FreeIPA-AD trust continue to function with IPA
 access to the RODC only?
 
 Should work.
 
 Will Kerberos authentication of AD users on IPA domain hosts work?
 In this case, should the FreeIPA server have a DNS forward zone configured with
 the RODC as a forwarder to AD?

It should not matter as long as the forwarder knows how to resolve all the DNS
names. General advice is to pick the nearest server if you have access to it and
add a couple of other servers to enable fail-over (in case the nearest server fails
for some reason).

-- 
Petr^2 Spacek

-- 
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project


Re: [Freeipa-users] FreeIPA with Active directory Read-only domain controller trust setup

2015-03-31 Thread Alexander Bokovoy

On Tue, 31 Mar 2015, Petr Spacek wrote:

On 30.3.2015 18:00, Dmitri Pal wrote:

On 03/30/2015 11:12 AM, Srdjan Dutina wrote:

Hi,

I'm testing a FreeIPA (v4.1.3, CentOS 7) - AD (2012 R2) trust on a branch site
where only an AD read-only domain controller (RODC) exists.
I'm aware that for the initial establishment of the trust I need access to a writable
domain controller so IPA can add the trust to AD domains and trusts.
But after the initial setup, can the FreeIPA-AD trust continue to function with IPA
access to the RODC only?


Should work.


Will Kerberos authentication of AD users on IPA domain hosts work?
In this case, should the FreeIPA server have a DNS forward zone configured with
the RODC as a forwarder to AD?


It should not matter as long as the forwarder knows how to resolve all the DNS
names. General advice is to pick the nearest server if you have access to it and
add a couple of other servers to enable fail-over (in case the nearest server fails
for some reason).

In general, user identity lookup for trusted AD users happens via the IPA
masters: each IPA client delegates the lookup to an IPA master, and that
one uses the closest site discovered in AD to do the lookup.

With authentication we are in a bit more complex situation. GSSAPI
authentication assumes your Windows client already comes with a service
ticket for the IPA client's service. The ticket is obtained by the Windows
client by first obtaining a cross-realm TGT from an AD DC and then using this
TGT to ask for a service ticket from the IPA master (KDC). The latter ticket
is then presented to the IPA client's service.

When an AD user attempts to use their password directly, the IPA client will be
talking to a discovered AD DC to validate the password and authenticate
the user. At this step, discovery of the AD DC for Kerberos purposes is not
done based on site locality; SSSD still has an open ticket to do that,
if I remember correctly.
--
/ Alexander Bokovoy
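The two discovery behaviours Alexander contrasts above (site-aware lookup via the IPA master versus site-agnostic AD DC discovery for password validation), together with Petr's advice to prefer the nearest server and keep a couple of fall-back servers, as an added Python example. It is not code from this thread, FreeIPA or SSSD: it orders AD SRV records per RFC 2782 and tries the client's own site before the domain-wide record set. The domain `ad.example.test`, the sites `HQ` and `BRANCH`, the hosts `dc1`, `dc2` and `rodc1`, the zone contents and the `reachable` callback are all constructed assumptions; which SRV records an RODC actually registers in a real forest is not modelled.

```python
"""Site-aware AD domain-controller discovery from DNS SRV records.

Added example; not code from FreeIPA, SSSD or this thread. Domain, site
and host names and the zone data are constructed; `reachable` stands in
for a real connectivity probe.
"""
import random
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional, Tuple

AD_DOMAIN = "ad.example.test"   # constructed AD domain
HQ_SITE = "HQ"                  # constructed hub site: two writable DCs
BRANCH_SITE = "BRANCH"          # constructed branch site: one RODC


@dataclass(frozen=True)
class SrvRecord:
    priority: int
    weight: int
    port: int
    target: str


def srv_name(service: str, domain: str, site: Optional[str] = None) -> str:
    """AD SRV owner name: site-specific when a site is given, else domain-wide."""
    if site:
        return f"_{service}._tcp.{site}._sites.dc._msdcs.{domain}"
    return f"_{service}._tcp.dc._msdcs.{domain}"


# Constructed answers standing in for real DNS lookups.
SAMPLE_ZONE: Dict[str, List[SrvRecord]] = {
    srv_name("kerberos", AD_DOMAIN, BRANCH_SITE): [
        SrvRecord(0, 100, 88, "rodc1.ad.example.test"),
    ],
    srv_name("kerberos", AD_DOMAIN, HQ_SITE): [
        SrvRecord(0, 100, 88, "dc1.ad.example.test"),
        SrvRecord(0, 100, 88, "dc2.ad.example.test"),
    ],
    srv_name("kerberos", AD_DOMAIN): [
        SrvRecord(0, 100, 88, "dc1.ad.example.test"),
        SrvRecord(0, 100, 88, "dc2.ad.example.test"),
        SrvRecord(0, 100, 88, "rodc1.ad.example.test"),
    ],
}


def rfc2782_order(records: List[SrvRecord],
                  rng: Optional[random.Random] = None) -> List[SrvRecord]:
    """RFC 2782 ordering: ascending priority; inside a priority a weighted
    random draw, weight-0 records listed first so they win only on a draw of 0."""
    rng = rng or random.Random()
    ordered: List[SrvRecord] = []
    for prio in sorted({r.priority for r in records}):
        group = sorted((r for r in records if r.priority == prio),
                       key=lambda r: r.weight != 0)
        while group:
            n = rng.randint(0, sum(r.weight for r in group))
            acc = 0
            for pick in group:           # first record whose running sum >= n
                acc += pick.weight
                if acc >= n:
                    break
            ordered.append(pick)
            group.remove(pick)
    return ordered


def candidate_order(zone: Dict[str, List[SrvRecord]], service: str, domain: str,
                    site: Optional[str], rng: Optional[random.Random] = None) -> List[str]:
    """Targets to try in order: own site first (if known), then the
    domain-wide set as fall-back, without duplicates."""
    rng = rng or random.Random()
    names = [srv_name(service, domain, site)] if site else []
    names.append(srv_name(service, domain))
    targets: List[str] = []
    for name in names:
        for rec in rfc2782_order(zone.get(name, []), rng):
            if rec.target not in targets:
                targets.append(rec.target)
    return targets


def select_dc(zone: Dict[str, List[SrvRecord]], service: str, domain: str,
              site: Optional[str], reachable: Callable[[str], bool],
              rng: Optional[random.Random] = None) -> Tuple[Optional[str], List[str]]:
    """Probe candidates in order; return (first reachable target, targets probed).
    Each probe of a DC behind a down WAN link costs a timeout before the next."""
    probed: List[str] = []
    for target in candidate_order(zone, service, domain, site, rng):
        probed.append(target)
        if reachable(target):
            return target, probed
    return None, probed


if __name__ == "__main__":
    def wan_down(target: str) -> bool:   # constructed: only the branch RODC answers
        return target.startswith("rodc")
    print("site-aware:   ", select_dc(SAMPLE_ZONE, "kerberos", AD_DOMAIN, BRANCH_SITE, wan_down))
    print("site-agnostic:", select_dc(SAMPLE_ZONE, "kerberos", AD_DOMAIN, None, wan_down))
```

With a reachability check where only the RODC answers (the WAN link is down), the site-aware path probes `rodc1` alone, while the site-agnostic path may try one or both hub DCs first and only succeed after those probes time out; that difference in probe order is what the site-locality ticket Alexander mentions is about.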



[Freeipa-users] FreeIPA with Active directory Read-only domain controller trust setup

2015-03-30 Thread Srdjan Dutina
Hi,

I'm testing a FreeIPA (v4.1.3, CentOS 7) - AD (2012 R2) trust on a branch site
where only an AD read-only domain controller (RODC) exists.
I'm aware that for the initial establishment of the trust I need access to a writable
domain controller so IPA can add the trust to AD domains and trusts.
But after the initial setup, can the FreeIPA-AD trust continue to function with IPA
access to the RODC only? Will Kerberos authentication of AD users on IPA domain
hosts work?
In this case, should the FreeIPA server have a DNS forward zone configured with
the RODC as a forwarder to AD?
AD users have cached passwords on the RODC, so authentication is possible in
case of a WAN link failure.

Thanks!

Re: [Freeipa-users] FreeIPA with Active directory Read-only domain controller trust setup

2015-03-30 Thread Dmitri Pal

On 03/30/2015 11:12 AM, Srdjan Dutina wrote:

Hi,

I'm testing a FreeIPA (v4.1.3, CentOS 7) - AD (2012 R2) trust on a branch 
site where only an AD read-only domain controller (RODC) exists.
I'm aware that for the initial establishment of the trust I need access to a 
writable domain controller so IPA can add the trust to AD domains and trusts.
But after the initial setup, can the FreeIPA-AD trust continue to function 
with IPA access to the RODC only?


Should work.


Will Kerberos authentication of AD users on IPA domain hosts work?
In this case, should the FreeIPA server have a DNS forward zone configured 
with the RODC as a forwarder to AD?


Can't help you here. Hopefully someone with DNS knowledge will chime in, but 
they might be gone for the day.


AD users have cached passwords on the RODC, so authentication is possible 
in case of a WAN link failure.


Thanks!
--
Thank you,
Dmitri Pal

Sr. Engineering Manager IdM portfolio
Red Hat, Inc.
