[Freeipa-users] AD trust deployment without IPA authority over reverse lookup zone

Petr Spacek pspacek at redhat.com
Tue Aug 25 15:47:47 UTC 2015


On 25.8.2015 16:08, Alexander Bokovoy wrote:
> On Tue, 25 Aug 2015, Simo Sorce wrote:
>> On Tue, 2015-08-25 at 15:19 +0200, Petr Spacek wrote:
>>> On 1.8.2015 21:19, John Stein wrote:
>>> > Hi,
>>> >
>>> > Thanks for the reply. Any idea when the GSSAPI-updating bug fix will get to
>>> > RHEL 7?
>>>
>>> You can watch the progress here:
>>> https://bugzilla.redhat.com/show_bug.cgi?id=1214827
>>>
>>> Unfortunately fixing this bug will not be sufficient for your particular
>>> scenario. FreeIPA does not allow ordinary host/ principals used by client
>>> machines (not to be confused with FreeIPA servers) to get tickets for AD
>>> Kerberos realms.
>>>
>>> It effectively means that nsupdate will properly detect the AD realm and
>>> generate a correct request, but the request will be refused because the client
>>> will not be able to get a ticket.
>>>
>>> I.e. you will have to resort to manual PTR record update OR convince
>>> Alexander/Simo that allowing host/ principals from FreeIPA realm to get
>>> tickets for AD realm is not a security issue :-)
>>
>> There is no security issue per se, host/ principals can get tickets just
>> fine but we do not attach a PAC here, and AD may refuse to operate w/o a
>> MS-PAC. Please open an RFE if this is breaking operations. We'll need to
>> decide how to assign a SID to hosts but that's the only "security" issue
>> that needs to be solved.

Here it is:
https://fedorahosted.org/freeipa/ticket/5260

> For one-way trust you'll be unable to get the ticket at all as there is
> no cross-forest TGT on our side to issue. And this is a default
> configuration in FreeIPA 4.2. You will have to have bi-directional trust
> to get GSSAPI authentication in nsupdate working at all against a
> trusted forest.

Understood, that is the price users have to pay for using one-way trust.
Still, I think that we should support this use case if the user is willing to use
bi-directional trust.

-- 
Petr^2 Spacek
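The thread leaves the client with two options: update the PTR record in the AD-hosted reverse zone by hand, or get GSS-TSIG (nsupdate -g) working against the trusted forest, which needs a service ticket for the AD DNS server that a host/ principal may not be able to obtain. The script below is an added example and is not code from the thread or from FreeIPA: it builds the nsupdate batch for a PTR record from an IPv4 address and a host name, and wraps the push in a pre-flight kvno check so the failure mode the thread describes (no ticket for the AD realm) is detected before nsupdate is even run. The host names, realm and address (client1.ipa.example.com, dc1.ad.example.com, AD.EXAMPLE.COM, 192.0.2.10) are placeholders.

```shell
#!/bin/sh
# Added example (not from the thread or from FreeIPA): build and, optionally,
# push the PTR record that a FreeIPA client would otherwise register itself.
# All host names, realms and addresses in this file are placeholders.

# reverse_name 192.0.2.10  ->  10.2.0.192.in-addr.arpa.
reverse_name() {
    ip=$1
    old_ifs=$IFS
    IFS=.
    set -- $ip
    IFS=$old_ifs
    if [ "$#" -ne 4 ]; then
        echo "reverse_name: not a dotted-quad IPv4 address: $ip" >&2
        return 1
    fi
    printf '%s.%s.%s.%s.in-addr.arpa.\n' "$4" "$3" "$2" "$1"
}

# ptr_update_batch IP FQDN DNS_SERVER [TTL]
# Prints the nsupdate batch that replaces whatever PTR the reverse zone
# holds for IP with one pointing at FQDN. Output only; nothing is sent.
ptr_update_batch() {
    ip=$1 fqdn=$2 server=$3 ttl=${4:-3600}
    case $fqdn in
        *.) ;;
        *) fqdn="$fqdn." ;;   # the target must be a fully qualified name
    esac
    rname=$(reverse_name "$ip") || return 1
    printf 'server %s\n' "$server"
    printf 'update delete %s PTR\n' "$rname"
    printf 'update add %s %s PTR %s\n' "$rname" "$ttl" "$fqdn"
    printf 'send\n'
}

# push_ptr IP FQDN DNS_SERVER AD_REALM
# Pre-flight for the failure mode discussed in the thread: nsupdate -g
# (GSS-TSIG) needs a service ticket for DNS/<server>@AD_REALM. With a
# one-way trust there is no cross-realm TGT to issue, so kvno fails here
# and no update is attempted; without a PAC the AD side may still reject
# the request at the nsupdate step.
push_ptr() {
    ip=$1 fqdn=$2 server=$3 ad_realm=$4
    kinit -k -t /etc/krb5.keytab "host/$(hostname -f)" || return 1
    if ! kvno "DNS/$server@$ad_realm"; then
        echo "push_ptr: no ticket for DNS/$server@$ad_realm;" \
             "update the PTR record by other means" >&2
        return 1
    fi
    ptr_update_batch "$ip" "$fqdn" "$server" | nsupdate -g
}

# Run directly with at least three arguments to print the batch, e.g.
#   ./ptr-update.sh 192.0.2.10 client1.ipa.example.com dc1.ad.example.com
if [ "$#" -ge 3 ]; then
    ptr_update_batch "$@"
fi
```

Note that `ptr_update_batch` only prints; piping its output into `nsupdate -g` (or into `nsupdate -k` with a TSIG key, if the AD zone allows that instead) is what actually sends the update. Whether the update is accepted still depends on the AD zone's dynamic update policy and on the trust configuration described in the thread.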