<div dir="ltr"> <div class="gmail_extra"> <div class="gmail_quote">On Mon, Jun 2, 2014 at 4:55 AM, Sumit Bose <<a href="mailto:sbose@redhat.com" target="_blank">sbose@redhat.com</a>> wrote: <blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex"><div><div>On Fri, May 30, 2014 at 09:23:58PM -0300, tizo wrote: > On Fri, May 30, 2014 at 6:40 PM, Dmitri Pal <<a href="mailto:dpal@redhat.com" target="_blank">dpal@redhat.com</a>> wrote: > > > On 05/30/2014 05:00 PM, tizo wrote: > > > > > > From: Alexander Bokovoy <abokovoy redhat com> > > To: Sumit Bose <sbose redhat com> > > Cc: freeipa-users redhat com > > Subject: Re: [Freeipa-users] Trust services > > Date: Thu, 29 May 2014 02:47:38 -0400 (EDT) > > > > ----- Original Message ----- > > > On Wed, May 28, 2014 at 10:47:13AM -0300, tizo wrote: > > > > I would like to know, if having configured trusts services between > > FreeIPA > > > > and Active Directory, allow AD users to authenticate in services that > > are > > > > only configured to authenticate against FreeIPA. > > > > > > > > For example, having configured the trusts, if I have a mail server > > that is > > > > using FreeIPA as its authentication method, can a user A from Active > > > > Directory, who does not exist in FreeIPA, authenticate in the mail > > server?. > > > > > > It depends a bit on how the users authenticate exactly because IPA > > > offers Kerberos and LDAP authentication. > > > > > > Kerberos should work out of the box because thats one of the trusts > > > components, trusting Kerberos tickets from the other domain/realm. > > > > > > For LDAP authentication you should be able to find the users from the > > > trusted domain in the compat tree below > > > cn=compat,dc=your,dc=ipa,dc=domain . To authenticate the user you can > > > do a LDAP bind with the DN form the compat tree and the password used in > > > AD. > > Please note that the latter is valid only for FreeIPA 3.3 and later. > > FreeIPA 3.0 does not support authentication over LDAP in the compat tree. > > -- > > / Alexander Bokovoy > > > > Ok. I will definitively use Kerberos. But looking at the diagram of page > > 22 in > > <a href="http://www.freeipa.org/images/1/1e/Devconf2013-linux-ad-integration-options.pdf" target="_blank">http://www.freeipa.org/images/1/1e/Devconf2013-linux-ad-integration-options.pdf</a> > > I see that SSSD in the GNU/Linux host is authenticating against both Active > > Directory and FreeIPA. Does the email server that I mentioned before, have > > to be configured in a similar way that SSSD in the GNU/Linux host of the > > example? Or is just enough that it is configured against the FreeIPA > > Kerberos and nothing else?. > > > > > > You configure client (SSSD) to point to IPA but it will discover that IPA > > is in trust relations and would know how to deal with tickets coming from > > AD side. > > This is why there are two arrows. They show communication. > > > > Ok. And what about a mail server?. We are planning to use Zimbra, and we > want that users from both FreeIPA and AD use it. Could we just configure it > to authenticate against FreeIPA Kerberos?. Or do we have to make something > else?. </div></div>If your question is about which domain the mail server shall join then in general you can choose either AD or IPA because of the trust relationship. Nevertheless I would recommend to join the IPA domain because currently the support for IPA users accessing services in the Active Directory domain is quite limited. If you question is about authentication users with their Kerberos password via SSSD you just have to configure the IPA domain in sssd.conf. As Dmitri said SSSD will figure out that there is a trust relationship and will direct authentication request of AD users to a AD DC. In general no additional configuration is needed. If you are seeing issues please note the following. AD user are authenticate directly against AD DC, the IPA server is not involved at all in the authentication process because AD is the only authoritative source to authenticate AD users. To be able find find an appropriate AD DC SSSD uses DNS SRV records, i.e. DNS on the client running SSSD must be configured to resolve records from the AD domains. By default SSSD on an IPA client use the IPA server as DNS server and hence the IPA server was able to create the trust it can be assumed that DNS on the IPA server is configured correctly. To just check DNS you can call dig SRV _ldap._tcp.AD.DOMAIN (where you replace AD.DOMAIN with your AD DNS domain name) on the IPA client. HTH </blockquote></div> </div><div class="gmail_extra">Yes, it does helps. Thanks you Sumit, Alexander and Dmitri. </div><div class="gmail_extra">As for now, I just wanted to know about if there was possible for users from both systems to use the mail server. AFAICS from your responses, it can be possible. I will shortly start to test FreeIPA and to make some proofs of concept to demonstrate that our goals can be reached. At that time, I will probably come back here to ask some technical details. Again, thanks very much. </div></div>