[Freeipa-users] Setting up Active Directory trusts in a secure environment

Dan Mossor danofsatx at gmail.com
Fri Jul 31 16:04:04 UTC 2015 

On 07/31/2015 10:08 AM, Sumit Bose wrote:
> On Fri, Jul 31, 2015 at 09:23:53AM -0500, Dan Mossor wrote:
>> On 07/31/2015 02:52 AM, Sumit Bose wrote:
>>>
>>> Thank you for the detailed analysis. I guess the 'server was
>>> inaccessible' error is due to the fact that currently FreeIPA does not
>>> have a global catalog, because Windows typically tries to get SIDs from
>>> remote objects from the Global Catalog.
>>>
>>>>
>>>> So, to those of y'all that operate in secure environments, what trick do you
>>>> use to fully integrate IPA and Active Directory?
>>>
>>> With FreeIPA-4.2 the one-way trust feature is introduced. The main
>>> difference to the current scheme is that with one-way trust the FreeIPA
>>> server does not use its host credentials (host keytab) from the IPA
>>> domain to access the AD DC but uses the trusted domain user
>>> (IPADOM$@AD.DOMAIN) to access the AD DC. Since this is an object from
>>> the AD domain it should be possible to assign the needed permissions to
>>> this object.
>>>
>>> Currently I have no idea how this can be solved with older version.
>>> Maybe there is a toll on the Windows side which lets you add SIDs
>>> manually into the "Access this computer from the network" policy? If
>>> there is one you can try to add IPA-SID-515 (where you have to replace
>>> IPA-SID by the IPA domain SID).
>>>
>>> HTH
>>>
>>> bye,
>>> Sumit
>>>
>>
>> I didn't think the SID was even being evaluated - the authentication being
>> attempted was through Kerberos, which I uderstand only uses host keytabs,
>> not SIDs. Am I correct in this situation?
>
> yes and no :-) The keytab is used to get a TGT and then a cross-realm
> TGT from the IPA KDC. The IPA KDC will add a PAC to the TGTs which
> contains additional authorization data including SIDs. The PAC is then
> used on the Windows side to evaluate if access is granted or not.
>
> bye,
> Sumit
>

Building on what you said regarding the one-way trust, I already have an 
IPA user in Active Directory that I created when I was initially setting 
this up as a synchronized domain instead of a trust.

There are two ways I can go here - I can either revert back to the 
password sync and replication, or somehow convince IPA to use that user 
for the trust relationship. I suspect it will impossible without a patch 
to use a user account instead of Kerberos for the trust, so that leaves 
going back to the replication setup.

Our ultimate goal in the environment is single sign on - when our users 
log into their Windows 7 workstations, they shouldn't then have to log 
into the chat server, the wiki, and mercurial; all those extra services 
running on Linux should be able to accept the Active Directory credentials.

One final option I have, since this is a very small network, is to just 
join my Linux servers to the Active Directory domain, and not use the 
FreeIPA intermediary.

-- 
Dan Mossor, RHCSA
Systems Engineer
Fedora Server WG | Fedora KDE WG | Fedora QA Team
Fedora Infrastructure Apprentice
FAS: dmossor IRC: danofsatx
San Antonio, Texas, USA

More information about the Freeipa-users mailing list