Re: [Freeipa-users] FreeIPA trusts with 2003 R2
On Wed, 19 Jun 2013, Brian Lee wrote:
> Has anyone successfully set up trusts between 2003 R2 and FreeIPA? I noticed the documentation mentions 2008 R2 as a prerequisite. Unfortunately our organization has not completed the migration to 2008 R2 yet. I know, we're a little behind the curve on that, but fortunately Windows servers aren't my responsibility ;-)
>
> If the Kerberos realms are separate between Active Directory and FreeIPA, why does the domain controller need to be Windows 2008 R2 for an external trust? From what I understand, there is no difference in an external trust in Windows NT4, Active Directory 2003, 2008 R2 or Windows 2012.

Please note that the actual requirement is to have functional level 2008 or above for cross-forest trusts. In our limited testing using functional level 2003, things did not work as expected. We didn't look deeper because functional level 2003 also lacks AES encryption, and making it work with weaker encryption for the TGT meant forcing downgraded encryption on the IPA side, aside from unclear issues with RPC calls.

-- 
/ Alexander Bokovoy

_______________________________________________
Freeipa-users mailing list
Freeipa-users@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users
Re: [Freeipa-users] FreeIPA trusts with 2003 R2
So, as others have mentioned, Windows obviously isn't my area of focus here either. However, we have this working with 2003r2, but I do notice odd behaviour: id returning odd results sometimes depending on what system I am logged in from, or initial logins failing the first time and working the second time. Would this be a result of a 2003 trust vs a 2008 trust?

Aly

On Wed, Jun 19, 2013 at 8:59 AM, Alexander Bokovoy <aboko...@redhat.com> wrote:
> On Wed, 19 Jun 2013, Brian Lee wrote:
>> Has anyone successfully set up trusts between 2003 R2 and FreeIPA? I noticed the documentation mentions 2008 R2 as a prerequisite.
>> [...]
>> If the Kerberos realms are separate between Active Directory and FreeIPA, why does the domain controller need to be Windows 2008 R2 for an external trust? From what I understand, there is no difference in an external trust in Windows NT4, Active Directory 2003, 2008 R2 or Windows 2012.
>
> Please note that the actual requirement is to have functional level 2008 or above for cross-forest trusts. In our limited testing using functional level 2003, things did not work as expected. We didn't look deeper because functional level 2003 also lacks AES encryption, and making it work with weaker encryption for the TGT meant forcing downgraded encryption on the IPA side, aside from unclear issues with RPC calls.
>
> -- 
> / Alexander Bokovoy
Re: [Freeipa-users] FreeIPA trusts with 2003 R2
On 06/19/2013 09:05 AM, Aly Khimji wrote:
> We have managed to establish a FreeIPA / Windows 2003R2. However, domain and forest functional level has to be set to max on that platform, which I believe is 2003 anyway. I know when I was first attempting the trusts on a new 2003r2 DC and the forest functional level was set to 2000, the trust wouldn't establish with IPA and the process would die. Everything seems to be working so far, so I would also like to know if 2008 is a requirement 100%?

We have not tested this extensively. As Alexander mentioned, there might be issues. If you manage to set it up - great. If there are some glitches they might be related to 2003 vs 2008, but we can't say for sure without more investigation. If your testing reveals some reproducible issues we definitely want to know about them. Whether we would be able to fix them is yet another story.

> Thanks
> Aly
>
> On Wed, Jun 19, 2013 at 8:50 AM, Brian Lee <brian_l...@jabil.com> wrote:
>> Has anyone successfully set up trusts between 2003 R2 and FreeIPA? I noticed the documentation mentions 2008 R2 as a prerequisite.
>> [...]
>> Thanks in advance for any input or experiences with this configuration!

-- 
Thank you,
Dmitri Pal

Sr. Engineering Manager for IdM portfolio
Red Hat Inc.

---
Looking to carve out IT costs?
www.redhat.com/carveoutcosts/
Re: [Freeipa-users] FreeIPA trusts with 2003 R2
On Wed, 19 Jun 2013, Dmitri Pal wrote:
> On 06/19/2013 12:35 PM, Alexander Bokovoy wrote:
>> On Wed, 19 Jun 2013, Aly Khimji wrote:
>>> So, as others have mentioned, Windows obviously isn't my area of focus here either. However, we have this working with 2003r2, but I do notice odd behaviour: id returning odd results sometimes depending on what system I am logged in from, or initial logins failing the first time and working the second time. Would this be a result of a 2003 trust vs a 2008 trust?
>>
>> Ok, so I have tried another time and went through Windows Server 2003 R2 setup again. You need to select domain functional level Windows Server 2003 and after that raise forest functional level to Windows Server 2003. Only in this case will it work, though without AES encryption (only RC4 encryption is available).
>>
>> See http://technet.microsoft.com/en-us/library/cc738822%28v=ws.10%29.aspx for Windows specifics. In order to raise the forest functional level one needs to open the 'Active Directory Domains and Trusts' snap-in and right-click on the 'Active Directory Domains and Trusts' root in the left pane. Then select 'Raise forest functional level ...' and use Windows Server 2003 as the level to raise to. After that you can try establishing the trust from the IPA side.
>>
>> Here is IPA behavior (the output corresponds to FreeIPA 3.2 but behavior should be the same in RHEL 6.4):
>>
>> # ipa trust-add ad.domain --admin Administrator --password
>> Active directory domain administrator's password:
>> ipa: ERROR: invalid 'AD domain controller': unsupported functional level
>>
>> (went and raised forest functional level)
>>
>> # ipa trust-add ad.domain --admin Administrator --password
>> Active directory domain administrator's password:
>> ------------------------------------------------
>> Added Active Directory trust for realm ad.domain
>> ------------------------------------------------
>>   Realm name: ad.domain
>>   Domain NetBIOS name: ADP
>>   Domain Security Identifier: S-1-5-21-426902846-1951547570-376736459
>>   SID blacklist incoming: S-1-0, S-1-1, S-1-2, S-1-3, S-1-5-1, S-1-5-2, S-1-5-3, S-1-5-4, S-1-5-5, S-1-5-6, S-1-5-7, S-1-5-8, S-1-5-9, S-1-5-10, S-1-5-11, S-1-5-12, S-1-5-13, S-1-5-14, S-1-5-15, S-1-5-16, S-1-5-17, S-1-5-18, S-1-5-19, S-1-5-20
>>   SID blacklist outgoing: S-1-0, S-1-1, S-1-2, S-1-3, S-1-5-1, S-1-5-2, S-1-5-3, S-1-5-4, S-1-5-5, S-1-5-6, S-1-5-7, S-1-5-8, S-1-5-9, S-1-5-10, S-1-5-11, S-1-5-12, S-1-5-13, S-1-5-14, S-1-5-15, S-1-5-16, S-1-5-17, S-1-5-18, S-1-5-19, S-1-5-20
>>   Trust direction: Two-way trust
>>   Trust type: Active Directory domain
>>   Trust status: Established and verified
>>
>> Note that there will be all kinds of issues due to the AES encryption keys being missing -- you would not be able to use IPA credentials to obtain Kerberos tickets against Windows services, for example. This whole experiment is of rather limited value. But at least log-in with PuTTY 0.62 works.
>
> Should we put this on wiki as a how to?

Definitely. If nobody beats me through the night, adding it to http://www.freeipa.org/page/Howto/IPAv3_AD_trust_setup, I'll do it tomorrow.

-- 
/ Alexander Bokovoy
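As an added example for this thread (not FreeIPA's own code), here is a small Python checker for the kind of `ipa trust-add` output quoted above. It parses the indented "Key: value" block into a record, treats an "ipa: ERROR:" line as a refusal, and flags a trust whose status is not "Established and verified", whose domain SID is not of the S-1-5-21-... form, or whose output lacks the SID blacklist lines, which is the difference Aly later notices between his output and this one. The three sample outputs are constructed from what was posted; the realm name in the second one is a placeholder, since the thread redacted it.

```python
"""Parse the text `ipa trust-add` prints and sanity-check the trust it reports.

Added example for the thread, not FreeIPA's own code. It assumes the
indented "Key: value" block layout and the "ipa: ERROR: ..." line shown
in the messages (FreeIPA 3.2); the sample outputs are constructed.
"""
import re
from typing import Dict, List, Union

Record = Dict[str, Union[str, List[str]]]

# Fields whose value is a comma-separated list of SIDs.
LIST_FIELDS = ("SID blacklist incoming", "SID blacklist outgoing")

# Well-known SIDs the FreeIPA 3.2 output above lists in both blacklists.
WELL_KNOWN = ["S-1-0", "S-1-1", "S-1-2", "S-1-3"] + ["S-1-5-%d" % i for i in range(1, 21)]

# Constructed from Alexander's output after the forest level was raised.
OUTPUT_FULL = """\
------------------------------------------------
Added Active Directory trust for realm ad.domain
------------------------------------------------
  Realm name: ad.domain
  Domain NetBIOS name: ADP
  Domain Security Identifier: S-1-5-21-426902846-1951547570-376736459
  SID blacklist incoming: S-1-0, S-1-1, S-1-2, S-1-3, S-1-5-1, S-1-5-2, S-1-5-3, S-1-5-4, S-1-5-5, S-1-5-6, S-1-5-7, S-1-5-8, S-1-5-9, S-1-5-10, S-1-5-11, S-1-5-12, S-1-5-13, S-1-5-14, S-1-5-15, S-1-5-16, S-1-5-17, S-1-5-18, S-1-5-19, S-1-5-20
  SID blacklist outgoing: S-1-0, S-1-1, S-1-2, S-1-3, S-1-5-1, S-1-5-2, S-1-5-3, S-1-5-4, S-1-5-5, S-1-5-6, S-1-5-7, S-1-5-8, S-1-5-9, S-1-5-10, S-1-5-11, S-1-5-12, S-1-5-13, S-1-5-14, S-1-5-15, S-1-5-16, S-1-5-17, S-1-5-18, S-1-5-19, S-1-5-20
  Trust direction: Two-way trust
  Trust type: Active Directory domain
  Trust status: Established and verified
"""

# Constructed from Aly's output: same fields but no SID blacklist lines. The
# realm name is a placeholder (the thread redacted it); NetBIOS name and SID
# are the ones he posted.
OUTPUT_NO_BLACKLIST = """\
--------------------------------------------------------------
Added Active Directory trust for realm corpnonprd.example.test
--------------------------------------------------------------
  Realm name: corpnonprd.example.test
  Domain NetBIOS name: CORPNONPRD
  Domain Security Identifier: S-1-5-21-417068303-3117552414-2168216644
  Trust direction: Two-way trust
  Trust type: Active Directory domain
  Trust status: Established and verified
"""

# Constructed from the first, refused attempt before the forest level was raised.
OUTPUT_ERROR = "ipa: ERROR: invalid 'AD domain controller': unsupported functional level\n"

_ERROR_RE = re.compile(r"^ipa: ERROR: (?P<msg>.+)$")
# Field lines are indented in the command's output; the banner, the dashed
# separators and the password prompt are not, so they never match here.
_FIELD_RE = re.compile(r"^\s+(?P<key>[^:]+):\s*(?P<value>.*)$")
_DOMAIN_SID_RE = re.compile(r"^S-1-5-21-\d+-\d+-\d+$")


def parse_trust_add(text: str) -> Record:
    """Return the output as a dict; SID blacklist fields become lists of SIDs.

    An "ipa: ERROR:" line is kept under the key "error" so a caller can tell
    a refusal from an established trust.
    """
    record: Record = {}
    for line in text.splitlines():
        err = _ERROR_RE.match(line)
        if err:
            record["error"] = err.group("msg")
            continue
        field = _FIELD_RE.match(line)
        if not field:
            continue
        key, value = field.group("key").strip(), field.group("value").strip()
        if key in LIST_FIELDS:
            record[key] = [sid.strip() for sid in value.split(",") if sid.strip()]
        else:
            record[key] = value
    return record


def check_trust(record: Record) -> List[str]:
    """Return findings about a parsed trust; an empty list means it looks as expected."""
    findings: List[str] = []
    if "error" in record:
        return ["trust-add failed: " + str(record["error"])]
    if record.get("Trust status") != "Established and verified":
        findings.append("trust status is %r" % record.get("Trust status"))
    sid = str(record.get("Domain Security Identifier", ""))
    if not _DOMAIN_SID_RE.match(sid):
        findings.append("domain SID %r is not of the S-1-5-21-... form" % sid)
    for field in LIST_FIELDS:
        sids = record.get(field)
        if not sids:
            findings.append(field + " is absent from the output")
            continue
        missing = sorted(set(WELL_KNOWN) - set(sids))
        if missing:
            findings.append("%s lacks well-known SIDs: %s" % (field, ", ".join(missing)))
    return findings


if __name__ == "__main__":
    for label, text in (("full", OUTPUT_FULL), ("no blacklist", OUTPUT_NO_BLACKLIST), ("error", OUTPUT_ERROR)):
        print("%-12s %s" % (label, check_trust(parse_trust_add(text)) or "OK"))
```

Run on the three samples it reports OK for the first, two missing-blacklist findings for the second and the functional-level refusal for the third; pointing it at real output (`ipa trust-add ... | python3 check_trust.py`, with a small stdin wrapper) is left to the reader.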
Re: [Freeipa-users] FreeIPA trusts with 2003 R2
hey guys, so at this point in time we haven't been having any issues, but I am not 100% sure if the odd issues we have been having have been related to the 2003 vs 2008 issue. When we joined our IPA server to the 2003r2 we got the following output:

[root@didmsvrua01 ~]# ipa trust-add --type=ad corpnonprd..com --admin Administrator --password
Active directory domain administrator's password:
------------------------------------------------------
Added Active Directory trust for realm CorpNonPrd..com
------------------------------------------------------
  Realm name: CorpNonPrd..com
  Domain NetBIOS name: CORPNONPRD
  Domain Security Identifier: S-1-5-21-417068303-3117552414-2168216644
  Trust direction: Two-way trust
  Trust type: Active Directory domain
  Trust status: Established and verified
[root@didmsvrua01 ~]#

This looks slightly different than yours; does this look like a properly established trust? I don't seem to have any issues in regards to AES, and trust users can log into clients. However, there are issues where the first attempt takes a long time to login, to the point of timeout, and the second one works.

Aly

On Wed, Jun 19, 2013 at 12:47 PM, Alexander Bokovoy <aboko...@redhat.com> wrote:
> On Wed, 19 Jun 2013, Dmitri Pal wrote:
>> On 06/19/2013 12:35 PM, Alexander Bokovoy wrote:
>>> Ok, so I have tried another time and went through Windows Server 2003 R2 setup again. You need to select domain functional level Windows Server 2003 and after that raise forest functional level to Windows Server 2003. Only in this case will it work, though without AES encryption (only RC4 encryption is available).
>>> [...]
>>> Note that there will be all kinds of issues due to the AES encryption keys being missing -- you would not be able to use IPA credentials to obtain Kerberos tickets against Windows services, for example. This whole experiment is of rather limited value. But at least log-in with PuTTY 0.62 works.
>>
>> Should we put this on wiki as a how to?
>
> Definitely. If nobody beats me through the night, adding it to http://www.freeipa.org/page/Howto/IPAv3_AD_trust_setup, I'll do it tomorrow.
>
> -- 
> / Alexander Bokovoy
Re: [Freeipa-users] FreeIPA trusts with 2003 R2
On 06/19/2013 06:47 PM, Alexander Bokovoy wrote:
> On Wed, 19 Jun 2013, Dmitri Pal wrote:
>> On 06/19/2013 12:35 PM, Alexander Bokovoy wrote:
>>> [...]
>>> Note that there will be all kinds of issues due to the AES encryption keys being missing -- you would not be able to use IPA credentials to obtain Kerberos tickets against Windows services, for example. This whole experiment is of rather limited value. But at least log-in with PuTTY 0.62 works.
>>
>> Should we put this on wiki as a how to?
>
> Definitely. If nobody beats me through the night, adding it to http://www.freeipa.org/page/Howto/IPAv3_AD_trust_setup, I'll do it tomorrow.

The wiki page has been updated with this information.
http://www.freeipa.org/page/Howto/IPAv3_AD_trust_setup#Trusts_and_Windows_Server_2003_R2

-- 
Regards,

Ana Krivokapic
Associate Software Engineer
FreeIPA team
Red Hat Inc.
Re: [Freeipa-users] FreeIPA trusts with 2003 R2
Great, I basically just advised that if they want to make all the IDM bells and whistles work with AD and elevated access they need to move on from 2k3, as it's just not really being supported upstream.

Thanks guys.

On Wed, Jun 19, 2013 at 3:24 PM, Ana Krivokapic <akriv...@redhat.com> wrote:
> On 06/19/2013 06:47 PM, Alexander Bokovoy wrote:
>> [...]
>> Definitely. If nobody beats me through the night, adding it to http://www.freeipa.org/page/Howto/IPAv3_AD_trust_setup, I'll do it tomorrow.
>
> The wiki page has been updated with this information.
> http://www.freeipa.org/page/Howto/IPAv3_AD_trust_setup#Trusts_and_Windows_Server_2003_R2
>
> -- 
> Regards,
>
> Ana Krivokapic
> Associate Software Engineer
> FreeIPA team
> Red Hat Inc.