[Freeipa-users] ipa-server (v3.3.3) with sssd (v1.11.2) config
Gerardo Padierna
asl.gerardo at gmail.com
Thu Aug 28 10:08:27 UTC 2014
Hi,
In a setup where FreeIPA + sssd act as an authentication for AD users
(taking advantage of sssd's ability to act as an authentication client
for AD users), why do we need to establish a (two-way) trust
relationship? Ins't there a workaround for this, given that sssd is
already able to authenticate users without having to do nothing on the
DA-side (just need a read-only user to carry out the initial bind)?
In a bit more detail: We'd like to use AD-based authentication on some
Unix hosts (mostly Solaris 10) for which there's no sssd available
(we're already using sssd on RHEL hosts); we were thinking of setting up
a server with FreeIPA + sssd to act as sort of a proxy to the actual AD
for authentication, for those hosts for which there's no sssd client
available (based on this doc:
http://www.freeipa.org/page/V3/Serving_legacy_clients_for_trusts).
There reasons why we're doing this are basically:
· there's no unix-compatibiliy available on the AD sever (and most
likely there won't ever be)
· we'd like to keep the same UID/GIDs for all users that already
authenticate on the RHEL boxes (to be able to work on the same home
directories, maintain homogenous file ownership accross shared
ressources, etc.)
So, we've set up:
· a CentOS 7.0 host with ipa-server v3.3.3 and sssd v1.11.2 and
configured (with domain: ipa-dom.com)
· checked that sssd-based authenticacion to the AD server works on this
box (AD-users in domain da-dom.com)
· checked that the IPA server works for users created on the IPA server
(domain e.g. user at ipa-dom.com)
Now, to set up what we really wanted, which is basically, on a Unix-box
with no sssd client, be able to authentica a user1 at da-dom.com via the
FreeIPA-server, through sssd. But, the final step of the configuration
process (cmd: ipa trust-add ...) requires to establish a two-way trust
relationship between the IPA server and the AD DC, which requires AD
administrator privileges (which we don't have, and I don't see why we
should have them).
The AD admins of the company are not willing to consider this trust
relationship to be established because the regard this as a secury risk.
My question is basically, isn't there a workaround for this situation?
If sssd is already able to authenticate, and based on the explanations
of the doc mentioned above, I can't see why for plaiin user
authentication there must be a trust relationship established. We don't
need that for any of our sssd-based hosts (and they haven't been added
to the domain da-dom.com, no need to).
Any suggestions? Maybe there are different setups and/or tool
combinations for a this kind of scenario?
Thanks a lot,
--
*Gerardo Padierna*<mailto:asl.gerardo at gmail.com>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://listman.redhat.com/archives/freeipa-users/attachments/20140828/ca108e53/attachment.htm>
More information about the Freeipa-users
mailing list