[Freeipa-users] FreeIPA v 2.2 in an AD environment

Dmitri Pal dpal at redhat.com
Tue Nov 6 00:19:46 UTC 2012


On 11/05/2012 01:34 PM, Steven Jones wrote:
> nice (and nice its in 6.4)
>
> :)
>
> I need to read up on trusts.
>
> However, from limited experience, in AD forests with trusts they get very complex and the security can go bye bye. I've seen pen tests that come in from a trusted domain, using an account with too many privileges and a bad password in a poorly implemented AD, get across to the root and rainbow the password table (and hence domain admin) via a trust of a well set up one...own AD own IPA.
>
> "poorly" also, of course: Windows admins don't understand IPA or Linux and Linux admins don't understand AD or Windows; both are really specialists of complex environments in their own right. (Which cracks me up when I see adverts for Linux gurus that must have 3 to 5 years experience with AD....and paying peanuts....doh....clueless.) So if inter-domain trusts are a problem just consider AD to IPA!
>
> The advantage of a win and pass sync is it's a very limited and controllable choke point. Indeed, having winsync only capable of looking at one OU in AD means that with your admins in a different OU it's impossible for them to be mirrored into IPA....sort of high security by accident!
>
> ;]
>
> I guess it's the age old battle between user usability, their freedom and security....hackers really don't care....
>
> So could I have a win/passsync to one AD and trusts to other IPAs and ADs?

Maybe. You know about dragons though. ;-)

>
> 1.9 SSSD will be backported to RHEL 5?

Mnnnn...
Sorry. No. It is too big and complex in terms of dependencies to backport.
There have been many improvements to different packages that make it
possible for SSSD to perform its magic.

>
> regards
>
> Steven Jones
>
> Technical Specialist - Linux RHCE
>
> Victoria University, Wellington, NZ
>
> 0064 4 463 6272
>
> ________________________________________
>
>
> In addition to other comments I want to step back and give a bit of a
> bigger picture.
> 1) Regardless of what approach you choose, we recommend using the latest
> available version at the moment of deployment.
> 2) There are two different approaches to dealing with AD - sync or
> trust. You need to choose which approach you want to use. Down the road
> there might be some hybrid solutions, but so far they are not supported.
>
> Sync: available since the beginning of the IPA life. It has some
> limitations and we indeed had some issues with the corner cases that
> Steve's environment has. They are not common, but you have been warned
> anyway.
>
> Trust:
> a) Trusts are targeting RHEL 6.4
> b) There is no upgrade from Sync to Trust solution. If you want trusts
> you need to upgrade what you have to 6.4 (or start over) and implement
> trusts there and not do Sync.
> c) To take advantage of trusts your clients must be SSSD 1.9.x, otherwise
> the trusts would not work. This also means that if you have other UNIXes
> the trusts would not work there.
>
> If you have UNIX clients that need to be accessed by AD users you might
> explore some hybrid solutions that might work but we can't say for sure.
> For example the sync might actually work in parallel to trusts to some
> extent. There is also PAM pass through capability that comes with 6.4 as
> a tech preview. That would allow pass through LDAP auth for the non
> SSSD 1.9 clients. But this needs to be tried out and there might be dragons.
>
> ==========
>
> dragons....lol...........my armour is well singed if not a bit runny.......
>
> regards
>
> _______________________________________________
> Freeipa-users mailing list
> Freeipa-users at redhat.com
> https://www.redhat.com/mailman/listinfo/freeipa-users


-- 
Thank you,
Dmitri Pal

Sr. Engineering Manager for IdM portfolio
Red Hat Inc.

