Re: [Freeipa-users] using AD token to get freeipa token

2014-07-11 Thread Stijn De Weirdt

hi Simo,

ok, that's a pity. the problem we are trying to solve is the following: we 
are going to set up a new krb5 realm with IPA and we would like to 
explore methods to have our users authenticate against this realm (well, 
the kinit otherusername@IPA part) using methods that are existing/available 
for our users. i.e. we would really, really like to avoid that our users 
have to create yet another password.


the users currently are in AD, so we thought we could use the AD tokens 
to authenticate, avoiding passwords.


maybe i should rephrase my original question a bit:
what authentication schemes does kinit support (is there anything 
besides using a password), and if passwords are unavoidable, is it 
possible to use something like OTP with kinit and IPA (the user somehow 
gets the OTP, and can use that for kinit with an IPA controlled realm)?
(maybe it is possible that the password verification step from IPA is 
handed over to AD somehow?).


anyway, hints are welcome

stijn

On 07/09/2014 11:23 PM, Simo Sorce wrote:
> On Wed, 2014-07-09 at 18:38 +0200, Stijn De Weirdt wrote:
>> hi all,
>>
>> we are investigating the possibility to use an existing and valid AD
>> token to obtain a token from a realm under FreeIPA (3.3.3 from el7),
>> without having to set up the full IPA AD cross realm trust. (in
>> particular, to avoid that AD has to trust the IPA setup; and with the
>> goal that we can minimise any required actions on the AD setup).
>>
>> what we would like to achieve is the following:
>> kinit user@AD
>> --- authenticate via AD password
>>
>> kinit otherusername@IPA
>> -- no password required, authentication based on valid AD token
>>
>> so one can then eg ssh otherusern...@machine.under.ipa.control
>>
>> the user@AD to otherusername@IPA mapping is provided somewhere on the
>> IPA server and is static.
>>
>> as far as i understood, this is (very?) different from actual trust
>> relation where having the user@AD token is sufficient to do ssh
>> otherusern...@machine.under.ipa.control.
>>
>> any hints are welcome!
>
> It's not possible*, sorry.
>
> Simo.
>
> * At the very theoretical level it would, but it would require extensive
> changes to the kerberos libraries on each client as well as changes to
> the KDC. Operationally unfeasible even if you had those code changes.



--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go To http://freeipa.org for more info on the project


Re: [Freeipa-users] using AD token to get freeipa token

2014-07-11 Thread Simo Sorce
On Fri, 2014-07-11 at 16:24 +0200, Stijn De Weirdt wrote:
> hi Simo,
> 
> ok, that's a pity. the problem we are trying to solve is the following: we 
> are going to set up a new krb5 realm with IPA and we would like to 
> explore methods to have our users authenticate against this realm (well, 
> the kinit otherusername@IPA part) using methods that are existing/available 
> for our users. i.e. we would really, really like to avoid that our users 
> have to create yet another password.
> 
> the users currently are in AD, so we thought we could use the AD tokens 
> to authenticate, avoiding passwords.

You can do this by establishing a trust between AD and IPA.

> maybe i should rephrase my original question a bit:
> what authentication schemes does kinit support (is there anything 
> besides using a password), and if passwords are unavoidable, is it 
> possible to use something like OTP with kinit and IPA (the user somehow 
> gets the OTP, and can use that for kinit with an IPA controlled realm)?
> (maybe it is possible that the password verification step from IPA is 
> handed over to AD somehow?).

In FreeIPA 4.0 we introduced support for 2FA and TOTP; it still requires
a password, the OTP is only the second factor.


Another option is to sync users and passwords from AD to IPA, we do not
recommend this but it is possible.

Finally there is a very hackish client configuration some people used
where authentication happens against AD but everything else is going
through IPA. I do not feel like recommending this.

Simo.

-- 
Simo Sorce * Red Hat, Inc * New York



Re: [Freeipa-users] using AD token to get freeipa token

2014-07-11 Thread Stijn De Weirdt

>> hi Simo,
>>
>> ok, that's a pity. the problem we are trying to solve is the following: we
>> are going to set up a new krb5 realm with IPA and we would like to
>> explore methods to have our users authenticate against this realm (well,
>> the kinit otherusername@IPA part) using methods that are existing/available
>> for our users. i.e. we would really, really like to avoid that our users
>> have to create yet another password.
>>
>> the users currently are in AD, so we thought we could use the AD tokens
>> to authenticate, avoiding passwords.
>
> You can do this by establishing a trust between AD and IPA.

but a trust goes way further than what we need from it (and then there 
are issues with the AD admins trusting us. any impact on AD is not 
really acceptable). i'd like to avoid it if possible (but i feel i'll 
have to read up on the topic so i properly understand the consequences)

>> maybe i should rephrase my original question a bit:
>> what authentication schemes does kinit support (is there anything
>> besides using a password), and if passwords are unavoidable, is it
>> possible to use something like OTP with kinit and IPA (the user somehow
>> gets the OTP, and can use that for kinit with an IPA controlled realm)?
>> (maybe it is possible that the password verification step from IPA is
>> handed over to AD somehow?).
>
> In FreeIPA 4.0 we introduced support for 2FA and TOTP; it still requires
> a password, the OTP is only the second factor.

ok, understood.

> Another option is to sync users and passwords from AD to IPA, we do not
> recommend this but it is possible.

i'd rather not

> Finally there is a very hackish client configuration some people used
> where authentication happens against AD but everything else is going
> through IPA. I do not feel like recommending this.

any more info on this? (how hackish is it? and what is meant with 
client configuration?)


thanks for the input!

stijn

> Simo.





Re: [Freeipa-users] using AD token to get freeipa token

2014-07-11 Thread Dmitri Pal

On 07/11/2014 11:04 AM, Stijn De Weirdt wrote:

>>> hi Simo,
>>>
>>> ok, that's a pity. the problem we are trying to solve is the following: we
>>> are going to set up a new krb5 realm with IPA and we would like to
>>> explore methods to have our users authenticate against this realm (well,
>>> the kinit otherusername@IPA part) using methods that are existing/available
>>> for our users. i.e. we would really, really like to avoid that our users
>>> have to create yet another password.
>>>
>>> the users currently are in AD, so we thought we could use the AD tokens
>>> to authenticate, avoiding passwords.
>>
>> You can do this by establishing a trust between AD and IPA.
>
> but a trust goes way further than what we need from it (and then there 
> are issues with the AD admins trusting us. any impact on AD is not 
> really acceptable). i'd like to avoid it if possible (but i feel i'll 
> have to read up on the topic so i properly understand the consequences)

Trust is really the way to go. This is the whole point of adding the 
feature.
IPA identities would not be able to do anything in the AD domain since 
there is no authorization information in their Kerberos tickets.
They will be able to access resources that require only kerberos 
authentication and not have MSFT access control.

The whole idea is that most of the users would live in AD and only a 
small subset of special accounts will be in IPA.

There is a lot of prejudice but we see more and more people realizing 
that this is a viable solution and deploying it in corporate 
environments, for example in banks where security and audit requirements 
are traditionally high.

>>> maybe i should rephrase my original question a bit:
>>> what authentication schemes does kinit support (is there anything
>>> besides using a password), and if passwords are unavoidable, is it
>>> possible to use something like OTP with kinit and IPA (the user somehow
>>> gets the OTP, and can use that for kinit with an IPA controlled realm)?
>>> (maybe it is possible that the password verification step from IPA is
>>> handed over to AD somehow?).
>>
>> In FreeIPA 4.0 we introduced support for 2FA and TOTP; it still requires
>> a password, the OTP is only the second factor.
>
> ok, understood.
>
>> Another option is to sync users and passwords from AD to IPA, we do not
>> recommend this but it is possible.
>
> i'd rather not
>
>> Finally there is a very hackish client configuration some people used
>> where authentication happens against AD but everything else is going
>> through IPA. I do not feel like recommending this.
>
> any more info on this? (how hackish is it? and what is meant with 
> client configuration?)
>
> thanks for the input!
>
> stijn
>
>> Simo.






--
Thank you,
Dmitri Pal

Sr. Engineering Manager IdM portfolio
Red Hat, Inc.



[Freeipa-users] using AD token to get freeipa token

2014-07-09 Thread Stijn De Weirdt

hi all,

we are investigating the possibility to use an existing and valid AD 
token to obtain a token from a realm under FreeIPA (3.3.3 from el7), 
without having to set up the full IPA AD cross realm trust. (in 
particular, to avoid that AD has to trust the IPA setup; and with the 
goal that we can minimise any required actions on the AD setup).


what we would like to achieve is the following:
kinit user@AD
--- authenticate via AD password

kinit otherusername@IPA
-- no password required, authentication based on valid AD token

so one can then eg ssh otherusern...@machine.under.ipa.control

the user@AD to otherusername@IPA mapping is provided somewhere on the 
IPA server and is static.


as far as i understood, this is (very?) different from actual trust 
relation where having the user@AD token is sufficient to do ssh 
otherusern...@machine.under.ipa.control.



any hints are welcome!

stijn

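The static user@AD to otherusername mapping Stijn describes is, on the IPA-managed hosts, the job of the auth_to_local rules in krb5.conf: they run after authentication and decide which local account an already-authenticated principal maps to, so they presuppose that the AD principal can authenticate to the host at all (the trust Simo and Dmitri point to). The evaluator below is an added example, not MIT krb5 or FreeIPA code; the realm names and rules are constructed, and it simplifies the real syntax (the [n:string] selector is required, only RULE: and DEFAULT are understood, the replacement is passed straight to Python's re.sub). It also shows the classic pitfall: a rule that never inspects the realm maps any realm's "admin" to the local "admin".

```python
"""Added example (not MIT krb5 or FreeIPA code): evaluating auth_to_local rules.

Rule forms handled (simplified from krb5.conf):
    RULE:[n:string](regexp)s/pattern/replacement/[g]
    DEFAULT
$0 in the selector is the realm, $1..$n the principal components. The (regexp)
must match the whole selection string. First matching rule wins.
Realm names and rules below are constructed for the example.
"""
import re
from typing import List, Optional

DEFAULT_REALM = "IPA.EXAMPLE.COM"        # assumed local (IPA) realm
TRUSTED_AD_REALM = "AD.EXAMPLE.COM"      # assumed AD realm

_RULE_RE = re.compile(
    r"^RULE:\[(?P<n>\d+):(?P<fmt>[^\]]*)\]"                                   # [n:string]
    r"(?:\((?P<match>.*?)\))?"                                                # optional (regexp)
    r"(?:s/(?P<pat>(?:[^/\\]|\\.)*)/(?P<rep>(?:[^/\\]|\\.)*)/(?P<g>g)?)?$"    # optional s/pat/rep/[g]
)


def parse_principal(principal: str):
    """'comp1/comp2@REALM' -> (['comp1', 'comp2'], 'REALM')."""
    if "@" not in principal:
        raise ValueError(f"principal has no realm: {principal}")
    name, realm = principal.rsplit("@", 1)
    return name.split("/"), realm


def apply_rule(rule: str, principal: str) -> Optional[str]:
    """Return the local user name this rule yields, or None if it does not apply."""
    comps, realm = parse_principal(principal)
    if rule == "DEFAULT":
        # Only single-component principals of the local realm map to themselves.
        return comps[0] if len(comps) == 1 and realm == DEFAULT_REALM else None
    m = _RULE_RE.match(rule)
    if not m:
        raise ValueError(f"unparseable rule: {rule}")
    if len(comps) != int(m["n"]):
        return None
    # Build the selection string: $0 = realm, $1.. = components.
    try:
        sel = re.sub(r"\$(\d+)", lambda t: ([realm] + comps)[int(t.group(1))], m["fmt"])
    except IndexError:
        return None
    if m["match"] is not None and re.fullmatch(m["match"], sel) is None:
        return None
    if m["pat"] is not None:
        rep = m["rep"].replace("\\/", "/")
        sel = re.sub(m["pat"], rep, sel, count=0 if m["g"] else 1)
    return sel


def auth_to_local(rules: List[str], principal: str) -> Optional[str]:
    """First rule that applies wins; None means no local user (access is refused)."""
    for rule in rules:
        local = apply_rule(rule, principal)
        if local is not None:
            return local
    return None


# Constructed rule set: one static rename for Stijn's user, realm-stripping for
# the rest of the AD realm, DEFAULT for the local realm. Every rule checks $0.
RULES = [
    r"RULE:[1:$1@$0](^user@AD\.EXAMPLE\.COM$)s/.*/otherusername/",
    r"RULE:[1:$1@$0](^[^@]+@AD\.EXAMPLE\.COM$)s/@.*//",
    "DEFAULT",
]

# Constructed pitfall: the selector ignores the realm, so once any cross-realm
# authentication exists, admin@ANY.REALM becomes the local "admin".
LAX_RULES = [r"RULE:[1:$1]"]


if __name__ == "__main__":
    for p in ("user@AD.EXAMPLE.COM", "alice@AD.EXAMPLE.COM", "bob@IPA.EXAMPLE.COM",
              "admin@EVIL.EXAMPLE.COM", "host/srv.ipa.example.com@IPA.EXAMPLE.COM"):
        print(f"{p:45} strict -> {auth_to_local(RULES, p)!s:14} lax -> {auth_to_local(LAX_RULES, p)}")
```

Real deployments let SSSD resolve trusted AD users rather than hand-writing rules per user, but the point stands either way: a mapping rule is only as safe as its realm check, and it never replaces the authentication step Stijn was asking about.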


Re: [Freeipa-users] using AD token to get freeipa token

2014-07-09 Thread Simo Sorce
On Wed, 2014-07-09 at 18:38 +0200, Stijn De Weirdt wrote:
> hi all,
> 
> we are investigating the possibility to use an existing and valid AD 
> token to obtain a token from a realm under FreeIPA (3.3.3 from el7), 
> without having to set up the full IPA AD cross realm trust. (in 
> particular, to avoid that AD has to trust the IPA setup; and with the 
> goal that we can minimise any required actions on the AD setup).
> 
> what we would like to achieve is the following:
> kinit user@AD
> --- authenticate via AD password
> 
> kinit otherusername@IPA
> -- no password required, authentication based on valid AD token
> 
> so one can then eg ssh otherusern...@machine.under.ipa.control
> 
> the user@AD to otherusername@IPA mapping is provided somewhere on the 
> IPA server and is static.
> 
> as far as i understood, this is (very?) different from actual trust 
> relation where having the user@AD token is sufficient to do ssh 
> otherusern...@machine.under.ipa.control.
> 
> 
> any hints are welcome!

It's not possible*, sorry.

Simo.

* At the very theoretical level it would, but it would require extensive
changes to the kerberos libraries on each client as well as changes to
the KDC. Operationally unfeasible even if you had those code changes.

-- 
Simo Sorce * Red Hat, Inc * New York
