[Freeipa-users] Setting up Active Directory trusts in a secure environment

Sumit Bose sbose at redhat.com
Fri Jul 31 07:52:36 UTC 2015


On Thu, Jul 30, 2015 at 05:35:53PM -0500, Dan Mossor wrote:
> Greetings, folks.
> 
> So, I've been fighting with getting a trust set up between FreeIPA 4.1 on
> CentOS 7.1 and Windows Server 2008r2 for nearly a week. Today I finally came
> to a conclusion as to what my issue is.
> 
> I operate a secure network in which we have configuration guidelines for
> securing Windows that we have to meet in order to receive what's known as an
> "Authority to Operate", or ATO. A lot of this configuration is done in the
> Global Policies.
> 
> Today I stumbled across one error buried in the Windows Security event log,
> and when correlated with the errors I was seeing from FreeIPA led me to our
> policy. The error that popped up in the event log was "The user has not been
> granted the requested logon type at this machine." The logon type was "3",
> which is network, and the Logon Process and Authorization Package were both
> Kerberos.
> 
> Cross referenced with the error on the IPA server:
> "WARNING: Search on AD DC WINSRV.ad.domain.net:3268 failed with:
> Insufficient access: 8009030C: LdapErr: DSID-0C0904DC, comment:
> AcceptSecurityContext error, data 569, v1db1 Invalid Credentials"
> 
> Digging into our Domain Controller policy, I found that "Access this
> computer from the network" is restricted to Domain Users, Domain
> Controllers, Domain Computers, Domain Admins, and BUILTIN\Administrators. I
> attempted to add a context that would allow the IPA server to log on, and
> got so far through the wizard that it let me select the trusted domain to
> search and returned a list of security contexts, but when I attempted to add
> one (Authenticated Users), I received the error that it couldn't be found
> because the server was inaccessible. I saw no errors on the IPA side during
> this transaction.

Thank you for the detailed analysis. I guess the 'server was
inaccessible' error is due to the fact that currently FreeIPA does not
have a global catalog, because Windows typically tries to get SIDs from
remote objects from the Global Catalog.

> 
> So, to those of y'all that operate in secure environments, what trick do you
> use to fully integrate IPA and Active Directory?

With FreeIPA-4.2 the one-way trust feature is introduced. The main
difference to the current scheme is that with one-way trust the FreeIPA
server does not use its host credentials (host keytab) from the IPA
domain to access the AD DC but uses the trusted domain user
(IPADOM$@AD.DOMAIN) to access the AD DC. Since this is an object from
the AD domain it should be possible to assign the needed permissions to
this object.

Currently I have no idea how this can be solved with older versions.
Maybe there is a tool on the Windows side which lets you add SIDs
manually into the "Access this computer from the network" policy? If
there is one you can try to add IPA-SID-515 (where you have to replace
IPA-SID by the IPA domain SID).

HTH

bye,
Sumit

> 
> -- 
> Dan Mossor, RHCSA
> Systems Engineer
> Fedora Server WG | Fedora KDE WG | Fedora QA Team
> Fedora Infrastructure Apprentice
> FAS: dmossor IRC: danofsatx
> San Antonio, Texas, USA
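A way to verify the RID-515 suggestion above against the DC's exported policy, added here as an example and not code from the thread or from FreeIPA: it derives the "Domain Computers" SID (IPA domain SID + RID 515) and checks whether the "Access this computer from the network" right (SeNetworkLogonRight in a `secedit /export /cfg` INF file) lists it. The IPA domain SID and the INF contents are constructed sample values.

```python
import re

# Domain SIDs look like S-1-5-21-<three subauthorities>
DOMAIN_SID_RE = re.compile(r"^S-1-5-21-\d+-\d+-\d+$")
DOMAIN_COMPUTERS_RID = 515                    # well-known RID for "Domain Computers"
NETWORK_LOGON_RIGHT = "SeNetworkLogonRight"   # "Access this computer from the network"


def domain_computers_sid(domain_sid: str) -> str:
    """Return the Domain Computers group SID (domain SID + RID 515)."""
    if not DOMAIN_SID_RE.match(domain_sid):
        raise ValueError(f"not a domain SID: {domain_sid!r}")
    return f"{domain_sid}-{DOMAIN_COMPUTERS_RID}"


def parse_privilege_rights(inf_text: str) -> dict[str, list[str]]:
    """Parse the [Privilege Rights] section of a 'secedit /export /cfg' INF file.

    Each line is '<Right> = *SID,*SID,...'; the leading '*' marks a literal SID.
    """
    rights: dict[str, list[str]] = {}
    in_section = False
    for raw in inf_text.splitlines():
        line = raw.strip()
        if line.startswith("["):
            in_section = line.lower() == "[privilege rights]"
            continue
        if not in_section or "=" not in line:
            continue
        name, _, value = line.partition("=")
        rights[name.strip()] = [v.strip().lstrip("*") for v in value.split(",") if v.strip()]
    return rights


def network_logon_granted(inf_text: str, ipa_domain_sid: str) -> bool:
    """True if the IPA domain's RID-515 group holds SeNetworkLogonRight on the DC."""
    wanted = domain_computers_sid(ipa_domain_sid)
    return wanted in parse_privilege_rights(inf_text).get(NETWORK_LOGON_RIGHT, [])


# Constructed sample: a restricted DC policy export before and after adding the IPA SID.
IPA_DOMAIN_SID = "S-1-5-21-1111111111-2222222222-3333333333"   # constructed, not a real SID
POLICY_BEFORE = """[Unicode]
Unicode=yes
[Privilege Rights]
SeNetworkLogonRight = *S-1-5-32-544,*S-1-5-21-4444-5555-6666-513,*S-1-5-21-4444-5555-6666-515
SeRemoteInteractiveLogonRight = *S-1-5-32-544
"""
POLICY_AFTER = POLICY_BEFORE.replace(
    "SeNetworkLogonRight = ", f"SeNetworkLogonRight = *{IPA_DOMAIN_SID}-515,")

if __name__ == "__main__":
    print("before:", network_logon_granted(POLICY_BEFORE, IPA_DOMAIN_SID))  # False
    print("after: ", network_logon_granted(POLICY_AFTER, IPA_DOMAIN_SID))   # True
```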