[Freeipa-users] Two way A/D trust versus one way trust

Alexander Bokovoy abokovoy at redhat.com
Tue Sep 16 14:46:32 UTC 2014


On Tue, 16 Sep 2014, Greg Scott wrote:
>Hello -
>
>I went through this thread:
>https://www.redhat.com/archives/freeipa-users/2014-January/msg00177.html
>
>but I have some more questions.
>
>I have another situation where I need a one way AD trust.  We have an
>IPA domain with a bunch of Linux servers and an AD domain for the
>corporate network.  Typical scenario.  We want IPA to trust AD but do
>not want AD to trust IPA.  Access is available to administrator/root
>accounts in both the AD and IPA domains.
>
>The IPA server is RHEL 7 running the IPA bundled with RHEL - I think
>that's IPA 3.3.5 right now?
>
>Reading through the thread above, when we set up cross forest trusts
>with this version, the IPA side does not yet have the equivalent of a
>Windows Global Catalog.  So even though it says it's a 2-way trust,
>it's really not because IPA has no way to store the global catalog
>copies of what it needs for Windows to trust IPA.  So with the version
>right now as it exists today, de-facto, IPA trusts AD, but AD has no
>way to trust IPA yet because IPA doesn't have all the pieces in place.
>
>So far so good.  Here is the challenge.
>
>The AD group at this site is concerned that with some future version of
>IPA, since Windows already "thinks" it trusts IPA, that IPA will get
>the correct components and that suddenly IPA users will be able to
>authenticate in the AD domain.  Ideally, they would like to set up an
>official one way trust today so that future possibility never happens.
>If that isn't possible, what other steps could they take to guard
>against that future possibility?
Even when IPA implements GC support, nothing will change: by default any
user that has no explicit permission in ACLs gets what is given to all
authenticated users, i.e. default read access. When GC is there, all that
will change is that there will be an ability to resolve IPA users on the AD
side, thus allowing AD users to assign specific permissions to IPA
users.

>
>Quoting from the earlier thread:
>
>> global catalog support is being worked on. As soon as it is
>> implemented we will add more granularity to the way the trusts are
>> established and thus allow formal one way trusts
>
>Is there a time frame for this?  I know it's tough to give completion
>dates and that's not what I'm asking for - just a feel for how active
>the development is around global catalog support.  Is this something
>this site should expect in the next few months or is it 5+ years away
>or somewhere in the middle?  Is there a projected version number where
>the support will land?
I have plans to move to one-way trusts in 4.3 or so, given the time to
implement the necessary code changes. They are independent of GC support,
which may or may not come at the same time.

>
>Given what we have in place today, what is the best way to handle the
>situation where a site wants a one way trust but must set up a 2-way
>trust now with only one side of the trust functional?  I suppose it is
>always possible in the future when all the pieces are in place to just
>destroy the 2 way trust and re-create a one way trust, but by that
>time, there will probably be lots of mapping between AD SIDs and Linux
>UID/GID pairs and destroying and recreating the trust could make a
>royal mess out of those.  Would it be possible to modify an existing
>2-way trust to only be a one-way trust when the time comes?
ID ranges are what matter here, and we don't destroy ID ranges when you
remove the trust. You can re-initiate the trust at that point without
breaking ID mapping.

-- 
/ Alexander Bokovoy
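
The point about ID ranges surviving trust removal, as an added example that is not part of the thread and is not FreeIPA or SSSD code: the model below keeps trusts and ID ranges as separate objects, maps an AD SID to a POSIX ID with `uid = base_id + (rid - base_rid)` (the algorithmic mapping used for ranges of type ipa-ad-trust; treat the exact formula as an assumption), and shows that deleting and re-creating the trust leaves the UID unchanged, while deleting the range as well and getting a new base does not. The domain SID, range values and all class and function names are constructed for illustration.

```python
"""SID -> POSIX ID mapping through a FreeIPA-style ID range.

Added example for this thread, not code from the thread, FreeIPA or SSSD.
It models the point made above: the trust object can be removed and
re-created, and as long as the ID range created for the trusted domain is
kept, every AD SID resolves to the same UID/GID as before.  The formula
uid = base_id + (rid - base_rid) mirrors the algorithmic mapping used for
ranges of type ipa-ad-trust (assumption); the domain SID, range sizes and
all names below are constructed for illustration.
"""
from dataclasses import dataclass, field


def split_sid(sid: str) -> tuple[str, int]:
    """Split 'S-1-5-21-A-B-C-RID' into (domain SID, RID)."""
    parts = sid.split("-")
    if len(parts) < 5 or parts[0] != "S" or not all(p.isdigit() for p in parts[1:]):
        raise ValueError(f"malformed SID: {sid!r}")
    return "-".join(parts[:-1]), int(parts[-1])


@dataclass(frozen=True)
class IdRange:
    """One idrange entry (compare the fields shown by `ipa idrange-find`)."""
    name: str
    domain_sid: str    # ipaNTTrustedDomainSID
    base_id: int       # ipaBaseID: first POSIX ID in the range
    range_size: int    # ipaIDRangeSize
    base_rid: int = 0  # ipaBaseRID: RID that maps to base_id

    def sid_to_id(self, sid: str) -> int:
        dom, rid = split_sid(sid)
        if dom != self.domain_sid:
            raise LookupError(f"{sid} is not in domain {self.domain_sid}")
        offset = rid - self.base_rid
        if not 0 <= offset < self.range_size:
            raise LookupError(f"RID {rid} outside range {self.name}")
        return self.base_id + offset


@dataclass
class IpaServer:
    """Minimal model: trusts and ID ranges are separate objects."""
    trusts: set[str] = field(default_factory=set)
    ranges: dict[str, IdRange] = field(default_factory=dict)

    def trust_add(self, domain_sid: str, base_id: int, size: int) -> None:
        self.trusts.add(domain_sid)
        # a range is created only if none exists yet for this domain
        if not any(r.domain_sid == domain_sid for r in self.ranges.values()):
            name = f"RANGE_{len(self.ranges) + 1}"  # constructed name
            self.ranges[name] = IdRange(name, domain_sid, base_id, size)

    def trust_del(self, domain_sid: str) -> None:
        self.trusts.discard(domain_sid)  # the idrange is left in place

    def idrange_del(self, domain_sid: str) -> None:
        self.ranges = {n: r for n, r in self.ranges.items()
                       if r.domain_sid != domain_sid}

    def resolve(self, sid: str) -> int:
        dom, _ = split_sid(sid)
        if dom not in self.trusts:
            raise LookupError(f"no trust with domain {dom}")
        for r in self.ranges.values():
            if r.domain_sid == dom:
                return r.sid_to_id(sid)
        raise LookupError(f"no ID range for domain {dom}")


AD_SID = "S-1-5-21-1111111111-2222222222-3333333333"  # constructed domain SID
USER_SID = AD_SID + "-1105"                             # constructed AD user


def demo() -> tuple[int, int, int]:
    """Return the user's UID (a) initially, (b) after trust-del/trust-add
    with the range kept, (c) after the range was also deleted and a new
    range with a different base was allocated."""
    ipa = IpaServer()
    ipa.trust_add(AD_SID, base_id=200000, size=200000)
    uid_before = ipa.resolve(USER_SID)

    ipa.trust_del(AD_SID)
    ipa.trust_add(AD_SID, base_id=1400000, size=200000)  # new base requested...
    uid_kept_range = ipa.resolve(USER_SID)               # ...but the old range wins

    ipa.trust_del(AD_SID)
    ipa.idrange_del(AD_SID)                              # the destructive step
    ipa.trust_add(AD_SID, base_id=1400000, size=200000)
    uid_new_range = ipa.resolve(USER_SID)
    return uid_before, uid_kept_range, uid_new_range


if __name__ == "__main__":
    a, b, c = demo()
    print(f"initial UID {a}, after re-creating trust {b}, after losing the range {c}")
```

Running `demo()` gives the same UID for the first two cases and a different one for the third, which is why an admin who needs to redo a trust should remove only the trust object and leave the idrange entry alone; files owned by the old UIDs are only orphaned if the range itself is replaced.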