[Freeipa-users] Trust services

tizo tizone at gmail.com
Mon Jun 2 12:26:41 UTC 2014


On Mon, Jun 2, 2014 at 4:55 AM, Sumit Bose <sbose at redhat.com> wrote:

> On Fri, May 30, 2014 at 09:23:58PM -0300, tizo wrote:
> > On Fri, May 30, 2014 at 6:40 PM, Dmitri Pal <dpal at redhat.com> wrote:
> >
> > >  On 05/30/2014 05:00 PM, tizo wrote:
> > >
> > >
> > >     From: Alexander Bokovoy <abokovoy redhat com>
> > >     To: Sumit Bose <sbose redhat com>
> > >     Cc: freeipa-users redhat com
> > >     Subject: Re: [Freeipa-users] Trust services
> > >     Date: Thu, 29 May 2014 02:47:38 -0400 (EDT)
> > >
> > > ----- Original Message -----
> > > > On Wed, May 28, 2014 at 10:47:13AM -0300, tizo wrote:
> > > > > I would like to know if having configured trust services between
> > > > > FreeIPA and Active Directory allows AD users to authenticate in
> > > > > services that are only configured to authenticate against FreeIPA.
> > > > >
> > > > > For example, having configured the trusts, if I have a mail server
> > > > > that is using FreeIPA as its authentication method, can a user A from
> > > > > Active Directory, who does not exist in FreeIPA, authenticate in the
> > > > > mail server?
> > > >
> > > > It depends a bit on how the users authenticate exactly because IPA
> > > > offers Kerberos and LDAP authentication.
> > > >
> > > > Kerberos should work out of the box because that's one of the trust
> > > > components, trusting Kerberos tickets from the other domain/realm.
> > > >
> > > > For LDAP authentication you should be able to find the users from the
> > > > trusted domain in the compat tree below
> > > > cn=compat,dc=your,dc=ipa,dc=domain . To authenticate the user you can
> > > > do an LDAP bind with the DN from the compat tree and the password
> > > > used in AD.
> > > Please note that the latter is valid only for FreeIPA 3.3 and later.
> > > FreeIPA 3.0 does not support authentication over LDAP in the compat
> > > tree.
> > > --
> > > / Alexander Bokovoy
> > >
> > >  Ok. I will definitely use Kerberos. But looking at the diagram on
> > > page 22 in
> > >
> > > http://www.freeipa.org/images/1/1e/Devconf2013-linux-ad-integration-options.pdf
> > > I see that SSSD in the GNU/Linux host is authenticating against both
> > > Active Directory and FreeIPA. Does the email server that I mentioned
> > > before have to be configured in a similar way to SSSD in the GNU/Linux
> > > host of the example? Or is it just enough that it is configured against
> > > the FreeIPA Kerberos and nothing else?
> > >
> > >
> > > You configure the client (SSSD) to point to IPA but it will discover
> > > that IPA is in trust relations and would know how to deal with tickets
> > > coming from the AD side.
> > > This is why there are two arrows. They show communication.
> > >
> >
> > Ok. And what about a mail server? We are planning to use Zimbra, and we
> > want users from both FreeIPA and AD to use it. Could we just configure
> > it to authenticate against FreeIPA Kerberos? Or do we have to do
> > something else?
>
> If your question is about which domain the mail server shall join, then
> in general you can choose either AD or IPA because of the trust
> relationship. Nevertheless I would recommend joining the IPA domain
> because currently the support for IPA users accessing services in the
> Active Directory domain is quite limited.
>
> If your question is about authenticating users with their Kerberos
> password via SSSD, you just have to configure the IPA domain in
> sssd.conf. As Dmitri said, SSSD will figure out that there is a trust
> relationship and will direct authentication requests of AD users to an AD
> DC. In general no additional configuration is needed. If you are seeing
> issues please note the following. AD users are authenticated directly
> against an AD DC; the IPA server is not involved at all in the
> authentication process because AD is the only authoritative source to
> authenticate AD users. To be able to find an appropriate AD DC, SSSD
> uses DNS SRV records, i.e. DNS on the client running SSSD must be
> configured to resolve records from the AD domains. By default SSSD on an
> IPA client uses the IPA server as DNS server, and since the IPA server
> was able to create the trust it can be assumed that DNS on the IPA server
> is configured correctly.
>
> To just check DNS you can call
>
> dig SRV _ldap._tcp.AD.DOMAIN
>
> (where you replace AD.DOMAIN with your AD DNS domain name) on the IPA
> client.
>
> HTH
>
>
Yes, it does help. Thank you Sumit, Alexander and Dmitri.

As for now, I just wanted to know whether it was possible for users
from both systems to use the mail server. AFAICS from your responses, it
can be possible. I will shortly start to test FreeIPA and to make some
proofs of concept to demonstrate that our goals can be reached. At that
time, I will probably come back here to ask some technical details.

Again, thanks very much.
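The DNS SRV check Sumit describes above, as an added example that is not part of this thread: a small Python script that parses the answer section of `dig SRV _ldap._tcp.AD.DOMAIN` (the sample output below is constructed, with ad.example.test standing in for the real AD DNS domain) and lists the domain controllers SSSD on the IPA client could pick, in SRV priority/weight order. An empty list is the failure mode from the thread: the client cannot resolve the AD domain, so SSSD has no AD DC to send the AD user's authentication to.

```python
import re

# Constructed sample of what `dig SRV _ldap._tcp.ad.example.test` prints.
# ad.example.test is a placeholder for the real AD DNS domain name.
SAMPLE_DIG_OUTPUT = """\
;; ANSWER SECTION:
_ldap._tcp.ad.example.test. 600 IN SRV 0 100 389 dc1.ad.example.test.
_ldap._tcp.ad.example.test. 600 IN SRV 0 50 389 dc2.ad.example.test.
_ldap._tcp.ad.example.test. 600 IN SRV 10 100 389 dc3.ad.example.test.

;; Query time: 1 msec
"""

# One SRV answer line: owner TTL IN SRV priority weight port target
SRV_RE = re.compile(
    r"^(?P<name>\S+)\s+\d+\s+IN\s+SRV\s+"
    r"(?P<prio>\d+)\s+(?P<weight>\d+)\s+(?P<port>\d+)\s+(?P<target>\S+)$"
)


def parse_srv(dig_output, ad_domain):
    """Return (priority, weight, port, target) for _ldap._tcp.<ad_domain> answers."""
    want = "_ldap._tcp." + ad_domain.rstrip(".").lower() + "."
    records = []
    for line in dig_output.splitlines():
        m = SRV_RE.match(line.strip())
        if not m or m.group("name").lower() != want:
            continue  # comments, blank lines, answers for other names
        records.append((int(m.group("prio")), int(m.group("weight")),
                        int(m.group("port")), m.group("target").rstrip(".")))
    return records


def ordered_dcs(records):
    """Order DCs as an SRV client does: lowest priority first, then heavier
    weight first (a deterministic stand-in for RFC 2782's weighted random pick)."""
    ranked = sorted(records, key=lambda r: (r[0], -r[1]))
    return ["%s:%d" % (target, port) for _, _, port, target in ranked]


def diagnose(dig_output, ad_domain):
    """(ok, message): ok is False when no DC can be discovered for ad_domain."""
    dcs = ordered_dcs(parse_srv(dig_output, ad_domain))
    if not dcs:
        return False, ("no _ldap._tcp SRV records for %s: DNS on this client "
                       "cannot resolve the AD domain, so SSSD cannot locate an "
                       "AD DC for AD users" % ad_domain)
    return True, "AD DCs in SRV order: " + ", ".join(dcs)


if __name__ == "__main__":
    print(diagnose(SAMPLE_DIG_OUTPUT, "ad.example.test")[1])
```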