[Freeipa-users] Re: Is IPA-AD two-way trust really two-way?
Hi all,

Thanks! This explains a lot, I'm happy :)

Winfried

Alexander Bokovoy via FreeIPA-users wrote on 26-10-2018 11:16:
> On Fri, 26 Oct 2018, Winfried de Heiden wrote:
> > Hi all,
> >
> > Referring to this bit of an older post, what now is the difference between a One-way and a Two-Way Trust anyway? The docs are not too clear about it:
> >
> > "Two-way trust enables AD users and groups to access resources in IdM. However, the two-way trust in IdM does not give the users any additional rights compared to the one-way trust solution in AD. Both solutions are considered equally secure because of default cross-forest trust SID filtering settings"
> >
> > What is a use-case for using a Two-Way Trust? (since Windows cannot use IPA as an AD replacement)
>
> Originally we implemented two-way trust first because it was easier to do than one-way trust from a technical perspective. It allowed machines from the IPA domain to directly query AD DCs about needed information using their own host/... Kerberos principals for authentication purposes.
>
> However, a lot of customers were concerned with AD trusting IPA because it wasn't how AD domain controllers resolved identities (and ran authentication proxying) over trust. We implemented one-way trust with a proper setup and actually moved to always use the credentials one-way-like in two-way trust too with FreeIPA 4.6/latest SSSD 1.15/1.16.
>
> However, there is one missing part for a one-way trust: a one-way trust with a shared secret. If you are using a shared secret that is provided to you by AD admins (as opposed to being generated by 'ipa trust-add' automatically), one-way trust cannot be established. Long story short, both FreeIPA and SSSD lacked the required logic to allow Windows to perform validation of the trust in this case from a Windows UI, and we couldn't initiate the validation from the IPA side as we didn't have administrative credentials to AD DCs.
>
> So right now two-way trust with a shared secret is your solution for this case, although I'd rather suggest establishing a normal one-way trust with AD admin credentials to get a stronger trust secret generated for you by 'ipa trust-add'.
>
> > Winfried
> >
> > -Original message-
> > From: Alexander Bokovoy via FreeIPA-users
> > Reply-To: FreeIPA users list
> > To: FreeIPA users list
> > Cc: Michal Sladek, Alexander Bokovoy
> > Subject: [Freeipa-users] Re: Is IPA-AD two-way trust really two-way?
> > Date: Thu, 23 Aug 2018 12:08:17 +0300
> >
> > On Thu, 23 Aug 2018, Michal Sladek via FreeIPA-users wrote:
> > > Hello,
> > >
> > > I would like to use IPA server in a heterogeneous environment with Linux servers and Windows workstations. IPA domain would be used as a primary source of users and groups. AD domain would be used for management of Windows hosts only (group policies etc.).
> > >
> > > I have set up a test network with a two-way trust between AD and IPA domain and realized that the IPA domain sees AD users but the AD domain doesn't see IPA users. Am I missing something, or is the two-way trust not two-way in fact?
> >
> > It is two-way in principle. However, FreeIPA does not implement features required by AD DC to resolve IPA users on Windows workstations. It is on our long term roadmap.
> >
> > --
> > / Alexander Bokovoy
> > Sr. Principal Software Engineer
> > Security / Identity Management Engineering
> > Red Hat Limited, Finland
> > ___
> > FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
> > To unsubscribe send an email to freeipa-users-leave@lists.fedorahosted.org
> > Fedora Code of Conduct: https://getfedora.org/code-of-conduct.html
> > List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
> > List Archives: https://lists.fedoraproject.org/archives/list/freeipa-users@lists.fedorahosted.org/message/OJCXN7VI2NZAUWUHVZDKEZB7SF72NSR2/
[Freeipa-users] Re: Is IPA-AD two-way trust really two-way?
On Fri, 26 Oct 2018, Winfried de Heiden wrote:
> Hi all,
>
> Referring to this bit of an older post, what now is the difference between a One-way and a Two-Way Trust anyway? The docs are not too clear about it:
>
> "Two-way trust enables AD users and groups to access resources in IdM. However, the two-way trust in IdM does not give the users any additional rights compared to the one-way trust solution in AD. Both solutions are considered equally secure because of default cross-forest trust SID filtering settings"
>
> What is a use-case for using a Two-Way Trust? (since Windows cannot use IPA as an AD replacement)

Originally we implemented two-way trust first because it was easier to do than one-way trust from a technical perspective. It allowed machines from the IPA domain to directly query AD DCs about needed information using their own host/... Kerberos principals for authentication purposes.

However, a lot of customers were concerned with AD trusting IPA because it wasn't how AD domain controllers resolved identities (and ran authentication proxying) over trust. We implemented one-way trust with a proper setup and actually moved to always use the credentials one-way-like in two-way trust too with FreeIPA 4.6/latest SSSD 1.15/1.16.

However, there is one missing part for a one-way trust: a one-way trust with a shared secret. If you are using a shared secret that is provided to you by AD admins (as opposed to being generated by 'ipa trust-add' automatically), one-way trust cannot be established. Long story short, both FreeIPA and SSSD lacked the required logic to allow Windows to perform validation of the trust in this case from a Windows UI, and we couldn't initiate the validation from the IPA side as we didn't have administrative credentials to AD DCs.

So right now two-way trust with a shared secret is your solution for this case, although I'd rather suggest establishing a normal one-way trust with AD admin credentials to get a stronger trust secret generated for you by 'ipa trust-add'.

> Winfried
>
> -Original message-
> From: Alexander Bokovoy via FreeIPA-users
> Reply-To: FreeIPA users list
> To: FreeIPA users list
> Cc: Michal Sladek, Alexander Bokovoy
> Subject: [Freeipa-users] Re: Is IPA-AD two-way trust really two-way?
> Date: Thu, 23 Aug 2018 12:08:17 +0300
>
> On Thu, 23 Aug 2018, Michal Sladek via FreeIPA-users wrote:
> > Hello,
> >
> > I would like to use IPA server in a heterogeneous environment with Linux servers and Windows workstations. IPA domain would be used as a primary source of users and groups. AD domain would be used for management of Windows hosts only (group policies etc.).
> >
> > I have set up a test network with a two-way trust between AD and IPA domain and realized that the IPA domain sees AD users but the AD domain doesn't see IPA users. Am I missing something, or is the two-way trust not two-way in fact?
>
> It is two-way in principle. However, FreeIPA does not implement features required by AD DC to resolve IPA users on Windows workstations. It is on our long term roadmap.
>
> --
> / Alexander Bokovoy
> Sr. Principal Software Engineer
> Security / Identity Management Engineering
> Red Hat Limited, Finland

--
/ Alexander Bokovoy
Sr. Principal Software Engineer
Security / Identity Management Engineering
Red Hat Limited, Finland
[Freeipa-users] Re: Is IPA-AD two-way trust really two-way?
Hi all,

Referring to this bit of an older post, what now is the difference between a One-way and a Two-Way Trust anyway? The docs are not too clear about it:

"Two-way trust enables AD users and groups to access resources in IdM. However, the two-way trust in IdM does not give the users any additional rights compared to the one-way trust solution in AD. Both solutions are considered equally secure because of default cross-forest trust SID filtering settings"

What is a use-case for using a Two-Way Trust? (since Windows cannot use IPA as an AD replacement)

Winfried

-Original message-
From: Alexander Bokovoy via FreeIPA-users
Reply-To: FreeIPA users list
To: FreeIPA users list
Cc: Michal Sladek, Alexander Bokovoy
Subject: [Freeipa-users] Re: Is IPA-AD two-way trust really two-way?
Date: Thu, 23 Aug 2018 12:08:17 +0300

On Thu, 23 Aug 2018, Michal Sladek via FreeIPA-users wrote:
> Hello,
>
> I would like to use IPA server in a heterogeneous environment with Linux servers and Windows workstations. IPA domain would be used as a primary source of users and groups. AD domain would be used for management of Windows hosts only (group policies etc.).
>
> I have set up a test network with a two-way trust between AD and IPA domain and realized that the IPA domain sees AD users but the AD domain doesn't see IPA users. Am I missing something, or is the two-way trust not two-way in fact?

It is two-way in principle. However, FreeIPA does not implement features required by AD DC to resolve IPA users on Windows workstations. It is on our long term roadmap.

--
/ Alexander Bokovoy
Sr. Principal Software Engineer
Security / Identity Management Engineering
Red Hat Limited, Finland
[Freeipa-users] Re: Is IPA-AD two-way trust really two-way?
Thanks a lot for your information! You saved me a lot of time...

Best regards
Michal

List Archives: https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahosted.org/message/B3X23TLXNOQUG5KBBPYS7FSG7AUPVTUH/
[Freeipa-users] Re: Is IPA-AD two-way trust really two-way?
On Thu, 23 Aug 2018, Michal Sladek via FreeIPA-users wrote:
> Hello,
>
> I would like to use IPA server in a heterogeneous environment with Linux servers and Windows workstations. IPA domain would be used as a primary source of users and groups. AD domain would be used for management of Windows hosts only (group policies etc.).
>
> I have set up a test network with a two-way trust between AD and IPA domain and realized that the IPA domain sees AD users but the AD domain doesn't see IPA users. Am I missing something, or is the two-way trust not two-way in fact?

It is two-way in principle. However, FreeIPA does not implement features required by AD DC to resolve IPA users on Windows workstations. It is on our long term roadmap.

--
/ Alexander Bokovoy
Sr. Principal Software Engineer
Security / Identity Management Engineering
Red Hat Limited, Finland