[Freeipa-users] AD group members

Alexander Bokovoy abokovoy at redhat.com
Tue Dec 15 16:38:08 UTC 2015

----- Original Message -----
> Hi,
> 
> If PAC is not being used using key, how is group membership determined?
By asking the IPA master for the list of groups the AD user belongs to.
The complexity of this process makes it hard to have the full list of groups available in advance in all cases.
The MS-PAC record in the Kerberos ticket has the property that the AD DC puts the correct and full list of groups
the user is a member of at the time of issuing the TGT, signed with the AD DC's signature. This means that after validating
the ticket we can trust its content for caching. In case no PAC data is available, we have to resort to less precise
methods that give incomplete information in some situations, such as incomplete GC content for multidomain
AD forests.

> Also: it feels like the Linux client is contacting AD to obtain a Kerberos
> ticket and not the IPA-server. (for AD users). Is that true?
Yes, how would you imagine doing it differently? AD DCs are authoritative for their users, not the IPA KDC.
This is a basic feature of the Kerberos protocol.

With IPA 4.2 on systems like RHEL 7.2/CentOS 7.2/Fedora 23 you can configure MIT Kerberos to use the MS-KKDC proxy provided by IPA.
In such a case IPA masters can be used as a Kerberos proxy, but the actual authentication decision is still made by the AD DCs.
-- 
/ Alexander Bokovoy
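As an added illustration of the last point (not part of the original message), this is a client-side krb5.conf fragment that routes Kerberos traffic for the AD realm through the IPA master's KDC proxy endpoint instead of contacting the AD DCs directly; the realm and host names are assumed, and the CA file is the one an IPA client already trusts. Only the transport changes: the AD DC still issues and signs the tickets.

```ini
# Client-side /etc/krb5.conf fragment (example, hostnames are assumptions).
# MIT Kerberos 1.13+ treats an https:// "kdc" entry as an MS-KKDCP proxy.
[libdefaults]
    default_realm = IPA.EXAMPLE.COM
    # Do not let DNS SRV lookups bypass the proxy for the AD realm.
    dns_lookup_kdc = false

[realms]
    IPA.EXAMPLE.COM = {
        # IPA's own KDC, reached over the same proxy (KDC and kpasswd).
        kdc = https://ipa.example.com/KdcProxy
        kpasswd_server = https://ipa.example.com/KdcProxy
        # CA that signed the IPA web server certificate (installed by ipa-client-install).
        http_anchors = FILE:/etc/ipa/ca.crt
    }
    AD.EXAMPLE.COM = {
        # The IPA master forwards these requests to the AD DCs; it does not
        # authenticate the user itself, the AD DC still decides and signs the TGT.
        kdc = https://ipa.example.com/KdcProxy
        kpasswd_server = https://ipa.example.com/KdcProxy
        http_anchors = FILE:/etc/ipa/ca.crt
    }

[domain_realm]
    .ad.example.com = AD.EXAMPLE.COM
    ad.example.com = AD.EXAMPLE.COM
```

To check that the proxy path is in use, run `KRB5_TRACE=/dev/stderr kinit user@AD.EXAMPLE.COM` and confirm the trace shows an HTTPS request to the IPA master rather than a UDP/TCP exchange with an AD DC.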