[Freeipa-users] Using Selective authentication on AD->IPA trust.

Alexander Bokovoy abokovoy at redhat.com
Sat Oct 25 21:45:26 UTC 2014

On Sat, 25 Oct 2014, Genadi Postrilko wrote:
>> We need to get host/ipa.master and HTTP/ipa.master principals to get
>> authenticated read only access to AD DC and LDAP servers. The problem
>> with granting this access in 'Selective authentication' case will
>> prevent the trust from working.
>Only the IPA servers are accessing AD DC? Or all the hosts (Clients) are
>also performing queries on GC's LDAP, as
>you described in this older mail exchange :
>*"IPA needs to be able to look up users and groups in AD. To do so, it
>uses Kerberos authentication against AD's Global Catalog services with
>own credentials (per each IPA host). We are using cross-realm
>Kerberos trust here, AD DC trusts cross-realm TGT issued by IPA KDC and
>vice versa, so IPA hosts can bind as their own identity (host/...) to
>If the first case is true, then read only permission can be granted to
>IPA servers *only* (?).
IPA masters. SSSD on IPA clients talks to IPA masters via LDAP protocol
using a special control. A plugin in LDAP server then talks to SSSD on
the IPA master to request identity information and SSSD on the IPA
master talks to the AD LDAP/GC services.

I don't see what this changes, though. As I described before,
authenticated access to AD LDAP/GC services is what is required to
access them and unless more rights are given, access is read-only by
default, you do not need to grant anything. Since Active Directory UI
cannot resolve IPA domain's SIDs to names, it cannot be used to elevate
the access rights. Neither can it reduce the rights of IPA principals
beyond read-only access unless the objects in question would be made
available only to members of certain AD groups of which IPA principals
wouldn't be privy. The latter is a rather limiting and unlikely situation
for a typical Active Directory deployment which will likely break quite
a lot of Windows applications anyway. 

Note also that AD DC only considers 'right' those principals which have
MS PAC records within their tickets, containing SIDs this principal is
representing (and the membership of the principal in question in other
groups). IPA only gives out MS PAC record to host/<ipa.master>,
HTTP/<ipa.master>, and cifs/<ipa.master> principals on the hosts where
ipa-adtrust-install was run, in addition to normal IPA users. Thus, none
of IPA clients' host/<ipa.client> principal can be used to directly
authenticate against AD DC.

/ Alexander Bokovoy
