[Freeipa-users] Setting up Active Directory trusts in a secure environment

Dan Mossor danofsatx at gmail.com
Fri Jul 31 14:23:53 UTC 2015


On 07/31/2015 02:52 AM, Sumit Bose wrote:
>
> Thank you for the detailed analysis. I guess the 'server was
> inaccessible' error is due to the fact that currently FreeIPA does not
> have a global catalog, because Windows typically tries to get SIDs from
> remote objects from the Global Catalog.
>
>>
>> So, to those of y'all that operate in secure environments, what trick do you
>> use to fully integrate IPA and Active Directory?
>
> With FreeIPA-4.2 the one-way trust feature is introduced. The main
> difference to the current scheme is that with one-way trust the FreeIPA
> server does not use its host credentials (host keytab) from the IPA
> domain to access the AD DC but uses the trusted domain user
> (IPADOM$@AD.DOMAIN) to access the AD DC. Since this is an object from
> the AD domain it should be possible to assign the needed permissions to
> this object.
>
> Currently I have no idea how this can be solved with older versions.
> Maybe there is a tool on the Windows side which lets you add SIDs
> manually into the "Access this computer from the network" policy? If
> there is one you can try to add IPA-SID-515 (where you have to replace
> IPA-SID by the IPA domain SID).
>
> HTH
>
> bye,
> Sumit
>

I didn't think the SID was even being evaluated - the authentication 
being attempted was through Kerberos, which I understand only uses host 
keytabs, not SIDs. Am I correct in this situation?

Dan

-- 
Dan Mossor, RHCSA
Systems Engineer
Fedora Server WG | Fedora KDE WG | Fedora QA Team
Fedora Infrastructure Apprentice
FAS: dmossor IRC: danofsatx
San Antonio, Texas, USA
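
Added example, not part of the thread or of FreeIPA: the IPA-SID-515 value Sumit describes is the IPA domain SID with the well-known Domain Computers RID (515) appended, and a Windows policy or ACL tool stores such a SID in the binary objectSid layout (revision, sub-authority count, 6-byte authority, little-endian sub-authorities). The code below builds that SID from a constructed, made-up domain SID and converts between the text and binary forms so the value can be checked before it is added to a policy.

```python
"""Build the Domain Computers SID (RID 515) from an IPA domain SID.

Constructed example for the thread above; the sample domain SID in the
test is made up and is not a real IPA or AD domain SID.
"""
import re
import struct

DOMAIN_COMPUTERS_RID = 515  # the well-known RID behind "IPA-SID-515"

_SID_RE = re.compile(r"^S-1-(\d+)((?:-\d+)+)$")


def parse_sid(sid: str) -> tuple[int, list[int]]:
    """Split a textual SID into (identifier authority, sub-authorities)."""
    m = _SID_RE.match(sid)
    if not m:
        raise ValueError(f"not a SID: {sid!r}")
    authority = int(m.group(1))
    subs = [int(x) for x in m.group(2).split("-")[1:]]
    if len(subs) > 15:
        raise ValueError("a SID carries at most 15 sub-authorities")
    return authority, subs


def domain_computers_sid(domain_sid: str) -> str:
    """Append RID 515 to a domain SID (S-1-5-21-A-B-C) to name Domain Computers."""
    authority, subs = parse_sid(domain_sid)
    if authority != 5 or subs[:1] != [21] or len(subs) != 4:
        raise ValueError("expected a domain SID of the form S-1-5-21-A-B-C")
    return f"S-1-5-{'-'.join(map(str, subs))}-{DOMAIN_COMPUTERS_RID}"


def sid_to_bytes(sid: str) -> bytes:
    """Encode a SID in the binary layout AD uses for the objectSid attribute."""
    authority, subs = parse_sid(sid)
    header = struct.pack("<BB", 1, len(subs)) + authority.to_bytes(6, "big")
    return header + b"".join(struct.pack("<I", s) for s in subs)


def bytes_to_sid(raw: bytes) -> str:
    """Decode a binary objectSid back to S-1-... text (inverse of sid_to_bytes)."""
    revision, count = raw[0], raw[1]
    if revision != 1 or len(raw) != 8 + 4 * count:
        raise ValueError("malformed binary SID")
    authority = int.from_bytes(raw[2:8], "big")
    subs = struct.unpack(f"<{count}I", raw[8:])
    return "S-1-" + "-".join(map(str, (authority, *subs)))
```

Round-tripping the value through sid_to_bytes and bytes_to_sid is a cheap check that the SID you are about to grant "Access this computer from the network" is well-formed.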