Re: [Freeipa-users] Using Selective authentication on AD->IPA trust.
On Sat, 25 Oct 2014, Genadi Postrilko wrote:
>> We need to get host/ipa.master and HTTP/ipa.master principals to get authenticated read only access to AD DC and LDAP servers. The problem with granting this access in 'Selective authentication' case will prevent the trust from working.
>
> Only the IPA servers are accessing AD DC? Or all the hosts (clients) are also performing queries on GC's LDAP, as you described in this older mail exchange: https://www.redhat.com/archives/freeipa-users/2014-January/msg00181.html
>
> *"IPA needs to be able to look up users and groups in AD. To do so, it uses Kerberos authentication against AD's Global Catalog services with own credentials (per each IPA host). We are using cross-realm Kerberos trust here, AD DC trusts cross-realm TGT issued by IPA KDC and vice versa, so IPA hosts can bind as their own identity (host/...) to AD."*
>
> If the first case is true, then read-only permission can be granted to IPA servers *only* (?).

IPA masters. SSSD on IPA clients talks to IPA masters via LDAP protocol using a special control. A plugin in the LDAP server then talks to SSSD on the IPA master to request identity information, and SSSD on the IPA master talks to the AD LDAP/GC services.

I don't see what this changes, though. As I described before, authenticated access to AD LDAP/GC services is what is required to access them, and unless more rights are given, access is read-only by default; you do not need to grant anything. Since the Active Directory UI cannot resolve IPA domain's SIDs to names, it cannot be used to elevate the access rights. Nor can it reduce the rights of IPA principals beyond read-only access unless the objects in question were made available only to members of certain AD groups of which IPA principals wouldn't be privy. The latter is a rather limiting and unlikely situation for a typical Active Directory deployment, and it would likely break quite a lot of Windows applications anyway.

Note also that AD DC only considers 'right' those principals which have MS PAC records within their tickets, containing SIDs this principal is representing (and the membership of the principal in question in other groups). IPA only gives out MS PAC records to host/, HTTP/, and cifs/ principals on the hosts where ipa-adtrust-install was run, in addition to normal IPA users. Thus, none of the IPA clients' host/ principals can be used to directly authenticate against AD DC.

-- 
/ Alexander Bokovoy

-- 
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go To http://freeipa.org for more info on the project
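A read-only probe of the access the reply above describes, added here as an example and not taken from the thread or the FreeIPA project: run on an IPA master, it authenticates as the master's own host/ principal from /etc/krb5.keytab and binds to the AD Global Catalog over GSSAPI through the cross-realm trust. AD_DC and AD_BASE are placeholders, and the MIT Kerberos and OpenLDAP client tools are assumed to be installed.

```shell
#!/bin/sh
# Added example (not from the thread): read-only probe, run on an IPA master,
# that binds to the AD Global Catalog with the master's own host/ principal
# through the cross-realm trust. AD_DC and AD_BASE are placeholders.
set -u
AD_DC="${AD_DC:-dc1.ad.example.test}"           # placeholder AD domain controller
AD_BASE="${AD_BASE:-DC=ad,DC=example,DC=test}"  # placeholder AD forest root DN

# Global Catalog answers on 3268 (LDAP) / 3269 (LDAPS), not on 389.
gc_url() { printf 'ldap://%s:3268' "$1"; }

# The identity an IPA master presents to AD (host/<fqdn>, per the thread).
host_principal() { printf 'host/%s' "$1"; }

# True if the local keytab holds a key for the given principal.
keytab_has() {
    klist -kt /etc/krb5.keytab 2>/dev/null | grep -q " $1@"
}

probe_gc() {
    fqdn="$(hostname -f)"
    princ="$(host_principal "$fqdn")"
    cc="$(mktemp)"
    keytab_has "$princ" || { echo "no keytab entry for $princ" >&2; rm -f "$cc"; return 1; }
    # Private ccache so the probe does not disturb root's normal tickets.
    KRB5CCNAME="FILE:$cc" kinit -k "$princ" || { rm -f "$cc"; return 1; }
    # Base-scope search of the forest root: succeeds only if AD accepted the
    # cross-realm ticket and grants the principal its default read access.
    KRB5CCNAME="FILE:$cc" ldapsearch -LLL -Y GSSAPI -H "$(gc_url "$AD_DC")" \
        -b "$AD_BASE" -s base '(objectClass=*)' objectSid
    rc=$?
    # The AD service ticket now in the cache shows the path the trust relies on:
    # IPA TGT -> cross-realm TGT -> ldap/<AD DC>@<AD realm>.
    KRB5CCNAME="FILE:$cc" klist | grep -i "ldap/$AD_DC" || true
    kdestroy -c "FILE:$cc" 2>/dev/null
    rm -f "$cc"
    return "$rc"
}
# Usage on an IPA master (as root): probe_gc
```

A bind that works while the trust is set to forest-wide authentication but fails once the AD side switches it to 'Selective authentication' is the breakage the reply predicts.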
Re: [Freeipa-users] Using Selective authentication on AD->IPA trust.
> We need to get host/ipa.master and HTTP/ipa.master principals to get authenticated read only access to AD DC and LDAP servers. The problem with granting this access in 'Selective authentication' case will prevent the trust from working.

Only the IPA servers are accessing AD DC? Or all the hosts (clients) are also performing queries on GC's LDAP, as you described in this older mail exchange: https://www.redhat.com/archives/freeipa-users/2014-January/msg00181.html

*"IPA needs to be able to look up users and groups in AD. To do so, it uses Kerberos authentication against AD's Global Catalog services with own credentials (per each IPA host). We are using cross-realm Kerberos trust here, AD DC trusts cross-realm TGT issued by IPA KDC and vice versa, so IPA hosts can bind as their own identity (host/...) to AD."*

If the first case is true, then read-only permission can be granted to IPA servers *only* (?). If the second is true, there is no escape but to convince (somehow) the AD IT guys.
Re: [Freeipa-users] Using Selective authentication on AD->IPA trust.
On Sun, 19 Oct 2014, Genadi Postrilko wrote:
> Hello all!
>
> I am working on integrating IPA in a Microsoft-dominated organization. After playing around with cross-forest trust and Directory Server synchronization, I came to the conclusion that trust is the right way to go, because it involves less configuration on the AD side and it's the direction the development community is focusing on.
>
> As I started discussing with the AD administrators team, they expressed their concerns on the two-way trust needed. I have found the following thread in the freeipa archives: https://www.redhat.com/archives/freeipa-users/2012-June/msg00206.html where Simo Sorce explained why the two-way trust is necessary. But then this thread appeared: https://www.redhat.com/archives/freeipa-users/2014-September/msg00276.html
>
> The discussion in the thread helped me *a lot* (especially the summary https://www.redhat.com/archives/freeipa-users/2014-September/msg00303.html) to explain to the AD team why two-way trust is necessary and *not* a security risk.
>
> After convincing them that two-way trust is necessary, they still have put up a demand that the outgoing AD->IPA trust authentication will be configured as *Selective authentication*. Selective authentication is described as follows: *"Windows will not automatically authenticate users from the specified forest for any resources in the local forest. After you close this dialog, grant individual access to each domain and server that you want to make available to users in the specified forest."* While the default is Forest-wide authentication: *"Windows will automatically authenticate users from the specified forest for the resources in the local forest."*
>
> Can this be done? Or will it break how IPA operates the trust?

I haven't tried it, and my understanding is that it will break badly for the same reason why the AD->IPA trust path is required today but is not presenting a security risk: as the IPA side does not provide a way for AD to map SIDs to user/group names, Windows management tools will not be able to provide means to grant actual access rights to IPA principals.

We need to get host/ipa.master and HTTP/ipa.master principals to get authenticated read only access to AD DC and LDAP servers. The problem with granting this access in 'Selective authentication' case will prevent the trust from working.

We are planning on implementing one-way trust in the near future, but it is not there yet.

-- 
/ Alexander Bokovoy
[Freeipa-users] Using Selective authentication on AD->IPA trust.
Hello all!

I am working on integrating IPA in a Microsoft-dominated organization. After playing around with cross-forest trust and Directory Server synchronization, I came to the conclusion that trust is the right way to go, because it involves less configuration on the AD side and it's the direction the development community is focusing on.

As I started discussing with the AD administrators team, they expressed their concerns on the two-way trust needed. I have found the following thread in the freeipa archives: https://www.redhat.com/archives/freeipa-users/2012-June/msg00206.html where Simo Sorce explained why the two-way trust is necessary. But then this thread appeared: https://www.redhat.com/archives/freeipa-users/2014-September/msg00276.html

The discussion in the thread helped me *a lot* (especially the summary https://www.redhat.com/archives/freeipa-users/2014-September/msg00303.html) to explain to the AD team why two-way trust is necessary and *not* a security risk.

After convincing them that two-way trust is necessary, they still have put up a demand that the outgoing AD->IPA trust authentication will be configured as *Selective authentication*. Selective authentication is described as follows: *"Windows will not automatically authenticate users from the specified forest for any resources in the local forest. After you close this dialog, grant individual access to each domain and server that you want to make available to users in the specified forest."* While the default is Forest-wide authentication: *"Windows will automatically authenticate users from the specified forest for the resources in the local forest."*

Can this be done? Or will it break how IPA operates the trust?

Thanks.