[Freeipa-users] Using Selective authentication on AD->IPA trust.
Alexander Bokovoy
abokovoy at redhat.com
Sun Oct 19 21:53:25 UTC 2014
On Sun, 19 Oct 2014, Genadi Postrilko wrote:
>Hello all !
>
>I am working on integrating IPA in a Microsoft dominated organization.
>After playing around with Cross forest trust and Directory server
>synchronization
>i came to the conclusion that Trust is the right way to go. Because it
>involves less configuration on AD side and its the direction
>the development community is focusing on.
>
>As i started discussing with AD administrators team, they expressed their
>concerns on the two-way trust needed.
>
>I have found the following thread in the freeipa archives:
>https://www.redhat.com/archives/freeipa-users/2012-June/msg00206.html
>where Simo Sorce explained why the two way trust is necessary.
>
>But then this thread appeared:
>https://www.redhat.com/archives/freeipa-users/2014-September/msg00276.html
>
>The discussion in the thread helped me *a lot* (especially the summary
>https://www.redhat.com/archives/freeipa-users/2014-September/msg00303.html)
>to explain the AD team why two-way trust is necessary and *not *a security
>risk.
>
>After convincing them that two-way trust in necessary, they still have put
>up a demand that the out-going AD->IPA trust authentication will be
>configured as *Selective **authentication.*
>
>Selective authentication is described as follows:
>*"Windows will not automatically authenticate users form the specified
>forest for any resources in the local forest. After you close this dialog.
>grant individual access to each domain and server that you want to make
>available to users in the specified forest."*
>
>While the default is Forest- wide authentication:
>
>*"Windows will automatically athenticate users from the specified forest
>for the recourses in the local forest."*
>
>
>Can this be done? Or it will break how IPA operates the trust?
I haven't tried it and my understanding is that it will break badly for
the same reason why AD->IPA trust path is required today but is not
presenting a security risk: as IPA side does not provide a way for AD to
map SIDs to user/group names, Windows management tools will not be able
to provide means to grant actual access rights to IPA principals.
We need to get host/ipa.master and HTTP/ipa.master principals to get
authenticated read only access to AD DC and LDAP servers. The problem
with granting this access in 'Selective authentication' case will
prevent the trust from working.
We are planning on implementing one-way trust in near future but it is
not there yet.
--
/ Alexander Bokovoy
More information about the Freeipa-users
mailing list