[Freeipa-devel] One-way trust design

Jakub Hrozek jhrozek at redhat.com
Wed Apr 1 13:35:09 UTC 2015


Thank you, the design page reads well to me. I had a short chat with
Alexander where we cleared up some confusion.

On Mon, Feb 23, 2015 at 06:02:53PM +0200, Alexander Bokovoy wrote:
> == New design ==
> In order to support one-way trust to Active Directory, we need to switch
> SSSD in IPA master mode to use TDO credentials when resolving AD users
> and groups. This is a high-level description of the design, and the
> majority of the work to allow the switch will be done by the SSSD team.
> The corresponding ticket tracker on the SSSD side is
> [https://fedorahosted.org/sssd/ticket/2579 ticket 2579]; the text below
> is an overview of the design.
> 
> On each IPA master SSSD runs in "IPA master mode". This mode means that
> in case of existing trust to AD forest, SSSD will directly resolve AD
> users and groups against Active Directory Domain Controllers. To perform
> user/group resolution, SSSD needs to authenticate against AD LDAP
> servers and it does so using Kerberos authentication based on a
> host/ipa.master@IPA.REALM service ticket. The ticket towards AD LDAP
> services is issued by FreeIPA KDC with the help of cross-realm trust
> credentials.
> 
> For one-way trust SSSD cannot use this approach because Active Directory
> Domain Controllers do not trust FreeIPA realm and, therefore, no
> cross-realm trust credentials exist in AD for FreeIPA realm. However,
> SSSD can use the TDO object which always exists in AD for the trusting
> domain (cross-forest trust is done by forest root domains' trust). This
> means the ticket SSSD would need to request belongs to a different realm
> (AD forest root realm) rather than to FreeIPA realm.
> 
> As FreeIPA supports multiple trusts to separate Active Directory
> forests, support for multiple separate tickets is required. SSSD will
> need to gain the ability to use different credential caches to store TDO
> tickets and use different keytabs with TDO credentials to obtain the
> ticket from Active Directory Domain Controllers.
> 
> In order to separate privilege access, FreeIPA masters have to provide
> keytabs for SSSD running on IPA masters, one keytab per trusted AD
> forest, so that SSSD could request the keys when required.

I will experiment with retrieving keytabs manually for now to simulate
this part, then I'll write up a more detailed design on how to handle
the one-way trusts.

> 
> Additionally, the FreeIPA management framework will need to change its
> defaults from producing a two-way trust to a one-way trust. Two-way
> trust will be added back when support for the Global Catalog service is
> added, so that Active Directory resources can be properly accessed and
> access to them discretionally granted to FreeIPA users and groups.
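As an added illustration of the credential selection the quoted design describes (this is not code from the design page, from SSSD or from FreeIPA), the small model below picks, for a given AD domain, which principal, keytab and credential cache SSSD on an IPA master would have to use: the host principal issued by the IPA KDC for a two-way trust, and a per-forest TDO account in the AD forest root realm for a one-way trust. The realm names, the TDO account name `IPA$@<forest root>`, and all file paths are assumptions chosen for the example.

```python
# Added example (not code from the design page or from SSSD/FreeIPA): a small
# model of which credentials SSSD on an IPA master would use to talk to an AD
# LDAP server, depending on the direction of the trust to that AD forest.
# All file paths and the TDO account name are assumptions used for illustration.
from dataclasses import dataclass

IPA_REALM = "IPA.EXAMPLE"                  # constructed sample IPA realm
IPA_MASTER = "ipa.master.ipa.example"      # constructed sample IPA master FQDN
IPA_NETBIOS = "IPA"                        # constructed NetBIOS name of the IPA domain
HOST_KEYTAB = "/etc/krb5.keytab"           # assumed location of the host keytab
CCACHE_DIR = "/var/lib/sss/db"             # assumed credential cache directory
TDO_KEYTAB_DIR = "/var/lib/sss/keytabs"    # assumed per-forest TDO keytab directory


@dataclass(frozen=True)
class Trust:
    forest_root: str        # Kerberos realm of the AD forest root domain
    direction: str          # "two-way" or "one-way"
    domains: tuple          # realms of all domains in the forest, root included


@dataclass(frozen=True)
class Credentials:
    client_principal: str   # principal SSSD authenticates as
    keytab: str             # keytab holding that principal's key
    ccache: str             # credential cache holding the resulting tickets
    issuing_realm: str      # realm whose KDC issues the initial ticket


def trust_for_domain(trusts, domain):
    """Find the trust covering *domain*; cross-forest trust is established by
    the forest root, so a child domain maps to its forest root's trust."""
    for trust in trusts:
        if domain in trust.domains:
            return trust
    raise LookupError(f"no trust covers domain {domain}")


def select_credentials(trusts, domain):
    """Return the credentials SSSD must use to reach an LDAP server in *domain*."""
    trust = trust_for_domain(trusts, domain)
    if trust.direction == "two-way":
        # AD trusts the IPA realm, so the IPA KDC can issue a cross-realm
        # ticket for the host principal and the host keytab suffices.
        return Credentials(
            client_principal=f"host/{IPA_MASTER}@{IPA_REALM}",
            keytab=HOST_KEYTAB,
            ccache=f"{CCACHE_DIR}/ccache_{IPA_REALM}",
            issuing_realm=IPA_REALM,
        )
    if trust.direction == "one-way":
        # AD does not trust the IPA realm: no cross-realm key exists on the AD
        # side, so the host principal cannot be used.  SSSD must instead start
        # from the TDO account, which lives in the AD forest root realm, with a
        # keytab and ccache dedicated to this forest.
        root = trust.forest_root
        return Credentials(
            client_principal=f"{IPA_NETBIOS}$@{root}",    # assumed TDO account name
            keytab=f"{TDO_KEYTAB_DIR}/{root.lower()}.keytab",
            ccache=f"{CCACHE_DIR}/ccache_{root}",
            issuing_realm=root,
        )
    raise ValueError(f"unknown trust direction {trust.direction!r}")


def ldap_service_principal(dc_hostname, domain):
    """Service principal of the AD LDAP server SSSD will request a ticket for."""
    return f"ldap/{dc_hostname}@{domain}"


# Constructed sample trusts: one two-way forest and two one-way forests, one
# of which has a child domain.
SAMPLE_TRUSTS = (
    Trust("AD1.EXAMPLE", "two-way", ("AD1.EXAMPLE",)),
    Trust("AD2.EXAMPLE", "one-way", ("AD2.EXAMPLE", "CHILD.AD2.EXAMPLE")),
    Trust("AD3.EXAMPLE", "one-way", ("AD3.EXAMPLE",)),
)

if __name__ == "__main__":
    for dom in ("AD1.EXAMPLE", "CHILD.AD2.EXAMPLE", "AD3.EXAMPLE"):
        print(dom, select_credentials(SAMPLE_TRUSTS, dom))
```

The point the model makes explicit is the privilege separation the design asks for: each one-way forest gets its own keytab and its own credential cache, so a ticket obtained for one forest never sits in the cache used for another, and a request for a child domain is served with the forest root's TDO credentials rather than anything from the IPA realm.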