[Freeipa-users] IPA-AD ldap access - account ?
Alexander Bokovoy
abokovoy at redhat.com
Wed Aug 17 14:12:28 UTC 2016
On Wed, 17 Aug 2016, Jan Karásek wrote:
>Hi,
>
>please could somebody explain how and with which account IPA is
>accessing the DC in an IPA - AD trust scenario. Is it possible to simulate
>with ldapsearch some query to AD with the same permissions as the IPA
>server?
Depends on what trust we have. For two-way trust SSSD on IPA masters
uses the host/master.ipa.domain at IPA.DOMAIN principal because we map it to a
SID with a special well-known RID 'Domain Computers' (-515) and attach
an MS-PAC record to the TGT issued for this service principal.
For one-way trust SSSD on IPA masters uses a so-called TDO account. These
are special accounts in AD domains which look like a machine account
(FOO$) but instead use the NetBIOS name of the trusted forest and have
specific attributes associated with them.
>We have some issues with reading ldap object from AD and I would like
>to simulate that from command line.
Simplest way is to do something like this on IPA master for one-way
trust:
# klist -kt /var/lib/sss/keytabs/<trust>.keytab
notice the principal name there, let's say it is NAME$@TRUST
# kinit -kt /var/lib/sss/keytabs/<trust>.keytab 'NAME$@TRUST'
# ldapsearch -H ad.dc -Y GSSAPI ....
For two-way trust it is enough to kinit as IPA master host principal:
# kinit -k
# ldapsearch -H ad.dc -Y GSSAPI ...
--
/ Alexander Bokovoy
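The one-way trust procedure from the reply (read the principal out of the SSSD keytab, kinit as it, query the DC over GSSAPI), wrapped as a script. This is an added example, not code from the thread or from FreeIPA; the keytab path and kinit/ldapsearch steps come from the reply, while AD_DC, SEARCH_BASE, the sample klist output and the helper names are assumptions.

```shell
#!/bin/sh
# Added example: reproduce SSSD's LDAP access to a trusted AD domain from an
# IPA master with the same credentials SSSD uses (one-way trust: TDO account).
# Assumptions: AD_DC is a DC hostname, SEARCH_BASE the AD domain's base DN.
AD_DC="${AD_DC:-dc1.ad.example.test}"
SEARCH_BASE="${SEARCH_BASE:-DC=ad,DC=example,DC=test}"

# Constructed sample of `klist -kt` output, used only to exercise the parser.
KLIST_SAMPLE='Keytab name: FILE:/var/lib/sss/keytabs/ad.example.test.keytab
KVNO Timestamp           Principal
---- ------------------- ----------------------------------------------------
   2 08/17/2016 14:00:00 IPA$@AD.EXAMPLE.TEST
   2 08/17/2016 14:00:00 IPA$@AD.EXAMPLE.TEST'

# Print the first principal in `klist -kt` text read from stdin.
# Entry lines end in the principal, which is the only field containing '@'.
principal_from_klist() {
    awk '$NF ~ /@/ { print $NF; exit }'
}

# A TDO account looks like a machine account: NETBIOSNAME$@REALM.
is_tdo_account() {
    case "$1" in
        *'$@'*) return 0 ;;
        *)      return 1 ;;
    esac
}

# ad_query_as_trust TRUSTDOMAIN FILTER [ATTR...]
# Uses a private credential cache so the host's own ccache is left untouched.
ad_query_as_trust() {
    trust="$1"; filter="$2"; shift 2
    keytab="/var/lib/sss/keytabs/${trust}.keytab"
    princ=$(klist -kt "$keytab" | principal_from_klist)
    if [ -z "$princ" ]; then
        echo "no principal found in $keytab" >&2; return 1
    fi
    if ! is_tdo_account "$princ"; then
        echo "warning: $princ does not look like a TDO account (NAME\$@TRUST)" >&2
    fi
    KRB5CCNAME=$(mktemp); export KRB5CCNAME
    kinit -kt "$keytab" "$princ" || return 1
    # Same identity and permissions SSSD has against the DC.
    ldapsearch -H "ldap://${AD_DC}" -Y GSSAPI -b "$SEARCH_BASE" "$filter" "$@"
    rc=$?
    kdestroy >/dev/null 2>&1; rm -f "$KRB5CCNAME"
    return $rc
}
```

For a two-way trust, replace the `kinit -kt ... "$princ"` line with `kinit -k` so the query runs as the IPA master's host principal, as the reply describes.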