[Freeipa-users] Using Selective authentication on AD->IPA trust.

Genadi Postrilko genadipost at gmail.com
Sat Oct 25 21:02:26 UTC 2014

> We need to get host/ipa.master and HTTP/ipa.master principals to get
> authenticated read only access to AD DC and LDAP servers. The problem
> with granting this access in 'Selective authentication' case will
> prevent the trust from working.
Only the IPA servers are accessing AD DC? Or all the hosts (Clients) are
also preforming query's on GC's LDAP, as
you described in this older mail exchange :


*"IPA needs to be able to look up users and groups in AD. To do so, it
uses Kerberos authentication against AD's Global Catalog services with
own credentials (per each IPA host). We are using cross-realm
Kerberos trust here, AD DC trusts cross-realm TGT issued by IPA KDC and
vice versa, so IPA hosts can bind as their own identity (host/...) to

If the first case is true, then read only permission can be granted to
IPA server's *only *(?), .

If the second is true, there is no escape but to convince (somehow)
the AD IT guys.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://listman.redhat.com/archives/freeipa-users/attachments/20141025/2994d023/attachment.htm>

More information about the Freeipa-users mailing list