[Freeipa-users] AD trust deployment without IPA authority over reverse lookup zone

Alexander Bokovoy abokovoy at redhat.com
Tue Aug 25 14:08:16 UTC 2015


On Tue, 25 Aug 2015, Simo Sorce wrote:
>On Tue, 2015-08-25 at 15:19 +0200, Petr Spacek wrote:
>> On 1.8.2015 21:19, John Stein wrote:
>> > Hi,
>> >
>> > Thanks for the reply. Any idea when the GSSAPI-updating bug fix will get to
>> > RHEL 7?
>>
>> You can watch the progress here:
>> https://bugzilla.redhat.com/show_bug.cgi?id=1214827
>>
>> Unfortunately fixing this bug will not be sufficient for your particular
>> scenario. FreeIPA does not allow ordinary host/ principals used by client
>> machines (not to be confused with FreeIPA servers) to get tickets for AD
>> Kerberos realms.
>>
>> It effectively means that nsupdate will properly detect the AD realm and
>> generate a correct request, but the request will be refused because the client
>> will not be able to get a ticket.
>>
>> I.e. you will have to resort to manual PTR record update OR convince
>> Alexander/Simo that allowing host/ principals from FreeIPA realm to get
>> tickets for AD realm is not a security issue :-)
>
>There is no security issue per se, host/ principals can get tickets just
>fine but we do not attach a PAC here, and AD may refuse to operate w/o a
>MS-PAC. Please open an RFE if this is breaking operations. We'll need to
>decide how to assign a SID to hosts but that's the only "security" issue
>that needs to be solved.
For one-way trust you'll be unable to get the ticket at all as there is
no cross-forest TGT on our side to issue. And this is a default
configuration in FreeIPA 4.2. You will have to have bi-directional trust
to get GSSAPI authentication in nsupdate working at all against a
trusted forest.

-- 
/ Alexander Bokovoy
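The manual PTR update path Petr mentions, as an added example that is not part of this thread: the functions below build the in-addr.arpa owner name for an IPv4 address and emit an nsupdate batch for it. The server name, the client FQDN and the TTL are constructed placeholders; feeding the batch to `nsupdate -g` only succeeds on a host that already holds a Kerberos ticket usable against the AD DNS server, which per Alexander's reply requires a bi-directional trust.

```shell
#!/bin/sh
# Build the reverse (PTR) owner name for an IPv4 address,
# e.g. 10.1.2.3 -> 3.2.1.10.in-addr.arpa.  Returns 1 on a malformed address.
ptr_name() {
    oldifs=$IFS
    IFS=.
    set -- $1
    IFS=$oldifs
    [ $# -eq 4 ] || return 1
    printf '%s.%s.%s.%s.in-addr.arpa.\n' "$4" "$3" "$2" "$1"
}

# Emit an nsupdate batch that replaces the PTR record for $1 (IP) with $2 (FQDN)
# on the DNS server $3.  The record is deleted before it is added so a stale
# PTR left over from a previous lease is not kept alongside the new one.
ptr_update_script() {
    ip=$1; fqdn=$2; server=$3
    name=$(ptr_name "$ip") || return 1
    printf 'server %s\n' "$server"
    printf 'update delete %s PTR\n' "$name"
    printf 'update add %s 3600 PTR %s\n' "$name" "$fqdn"
    printf 'send\n'
}

# Constructed usage (hypothetical names); the batch goes to nsupdate -g, which
# signs the request with the caller's Kerberos ticket (TSIG-GSS):
#   ptr_update_script 10.1.2.3 client1.ipa.example.test. dc1.ad.example.test \
#       | nsupdate -g
```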
