[Freeipa-users] AD/IPA login compatibility

Alexander Bokovoy abokovoy at redhat.com
Thu Feb 5 09:44:39 UTC 2015


On Thu, 05 Feb 2015, Dmitri Pal wrote:
>On 02/04/2015 03:01 PM, Hugh wrote:
>>On 1/29/2015 4:26 PM, Dmitri Pal wrote:
>>>How are the domains connected? Do you use trust or sync?
>>Trust. We wanted to have just one account and not need to install
>>additional software on the AD servers if possible.
>>
>>>>1) Is it possible to log into a workstation that's been joined to a
>>>>domain with IPA credentials?
>>>>
>>>You mean can I access a Windows workstation joined to AD domain by user
>>>from IPA domain?
>>>No it is not implemented. It will require Global Catalog support in IPA.
>>Out of curiosity, then why can we do this with the regular Kerberos?
>
>With pure Kerberos the system is not "joined".
>Also the user ticket acquired from IPA does not have authorization
>data (PAC) to be of any meaning in the realm.
>You need global catalog for this.
>
>So you can take your Windows system, put MIT Kerberos for Windows on
>it and a user from IPA will be able to authenticate to IPA.
>I am not sure you will be able to use trusts and authenticate AD users
>too, but I am not aware whether anyone tried.
>Kerberos libraries for Windows might be too old for this to work
>properly. But I am not sure.
No, it will not work. Active Directory has a global list of trusted
domains/forests and they are keyed by name. If you do trust to IPA as
MIT Kerberos trust, it will not allow you to create trust to IPA as
cross-forest trust because both will be set with the same name.
>You can set default domain in sssd and then when you use a short name
>it will append it.
>But for other domains you would have to spell names out.
This is unsupported for legacy clients and for IPA masters. On IPA
masters we rely on AD users being fully qualified, as this is what
triggers name resolution for AD users in the compat tree.

-- 
/ Alexander Bokovoy