[Freeipa-users] IPA-AD LDAP access - account?
Jan Karásek
jan.karasek at elostech.cz
Thu Aug 18 11:53:38 UTC 2016
Hi,
Thank you. We are experiencing problems with LDAP access from IPA servers in an IPA-AD scenario with a one-way trust (Win 2012).
So for LDAP access IPA uses the xyz$@domain special trust account. According to my lab, this account is considered on the AD side to be a member of the Authenticated Users group. By default Authenticated Users is a member of the Pre-Windows 2000 Compatible Access group, and this group has read permission on objects of type User, and therefore IPA is able to read POSIX attributes from these objects (tested in my lab environment).
In our case, due to the security team, there is no possibility for Authenticated Users to read user objects, and then IPA is unable to read objects from AD LDAP. So we have a situation where Kerberos works OK but we are not able to get POSIX attributes from LDAP.
This situation could be solved by adding read permission directly to the IPA access account (TDO), but unfortunately it looks like it is not possible.
Questions:
1. Does IPA depend on the ability of the Authenticated Users group to access user object attributes?
2. Is it possible to set up some other "standard" service account for IPA access to AD LDAP?
Thank you,
Jan
From: "Alexander Bokovoy" <abokovoy at redhat.com>
To: "Jan Karásek" <jan.karasek at elostech.cz>
Cc: freeipa-users at redhat.com
Sent: Wednesday, August 17, 2016 4:12:28 PM
Subject: Re: [Freeipa-users] IPA-AD ldap acces - account ?
On Wed, 17 Aug 2016, Jan Karásek wrote:
>Hi,
>
>please could somebody explain how and with which account IPA is
>accessing the DC in an IPA - AD trust scenario. Is it possible to simulate
>with ldapsearch some query to AD with the same permissions as the IPA
>server?
Depends on what trust we have. For two-way trust SSSD on IPA masters
uses the host/master.ipa.domain@IPA.DOMAIN principal because we map it to a
SID with a special well-known RID 'Domain Computers' (-515) and attach
an MS-PAC record to the TGT issued for this service principal.
For one-way trust SSSD on IPA masters uses the so-called TDO account. These
are special accounts in AD domains which look like a machine account
(FOO$) but instead use the NetBIOS name of the trusted forest and have
specific attributes associated with them.
>We have some issues with reading LDAP objects from AD and I would like
>to simulate that from the command line.
The simplest way is to do something like this on an IPA master for one-way
trust:
# klist -kt /var/lib/sss/keytabs/<trust>.keytab
Notice the principal name there; let's say it is NAME$@TRUST.
# kinit -kt /var/lib/sss/keytabs/<trust>.keytab 'NAME$@TRUST'
# ldapsearch -H ldap://ad.dc -Y GSSAPI ....
For two-way trust it is enough to kinit as the IPA master host principal:
# kinit -k
# ldapsearch -H ldap://ad.dc -Y GSSAPI ...
--
/ Alexander Bokovoy
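The following script is an added example and is not code from the thread or from FreeIPA/SSSD. It wraps the procedure Alexander describes (kinit as the TDO account from the SSSD trust keytab for a one-way trust, or as the host principal for a two-way trust, then ldapsearch with GSSAPI against a DC) and adds the check Jan is after: whether the POSIX attributes actually come back for that identity, as opposed to Kerberos succeeding while AD returns the entry with no attributes or no entry at all. Everything named in it is an assumption: the trust name ad.example.com, the DC dc1.ad.example.com, the user jdoe, the keytab path pattern /var/lib/sss/keytabs/<trust>.keytab taken from the thread, and the RFC 2307 attribute names (uidNumber, gidNumber, unixHomeDirectory, loginShell, gecos) as SSSD's default mapping. The klist output embedded in the script is constructed so the parsing can be exercised without an AD domain; the live query runs only when the script is invoked with the argument run.

```shell
#!/bin/sh
# Added example, not code from the list thread or from FreeIPA/SSSD:
# reproduce SSSD's LDAP access to AD from an IPA master with the same
# identity SSSD uses, then check whether the POSIX attributes come back.
# Every name below is an assumption; override via the environment.
set -eu

# Assumptions: trust type, AD domain name, DC to query and user to look up.
TRUST_TYPE="${TRUST_TYPE:-one-way}"          # or two-way
TRUST="${TRUST:-ad.example.com}"
AD_DC="${AD_DC:-dc1.${TRUST}}"
AD_USER="${AD_USER:-jdoe}"
# One-way trust keytab location as described in the thread.
KEYTAB="${KEYTAB:-/var/lib/sss/keytabs/${TRUST}.keytab}"

# Constructed sample of `klist -kt` output so the parsing can be exercised
# offline; a real run reads the keytab on the IPA master instead.
SAMPLE_KLIST='Keytab name: FILE:/var/lib/sss/keytabs/ad.example.com.keytab
KVNO Timestamp           Principal
---- ------------------- ------------------------------------------------------
   3 08/18/2016 10:00:00 IPA$@AD.EXAMPLE.COM
   3 08/18/2016 10:00:00 IPA$@AD.EXAMPLE.COM'

# Pull the TDO principal (NAME$@TRUST) out of `klist -kt` output on stdin:
# the header lines have no '@' in their last field, the key entries do.
tdo_principal() {
    awk 'NF >= 3 && $NF ~ /@/ { print $NF; exit }'
}

# Turn a DNS domain (ad.example.com) into its AD search base
# (DC=ad,DC=example,DC=com).
base_dn() {
    printf '%s' "$1" |
        awk -F. '{ for (i = 1; i <= NF; i++) printf "%sDC=%s", (i > 1 ? "," : ""), $i; print "" }'
}

# Classify ldapsearch LDIF on stdin. Kerberos can succeed while AD still
# hides the attributes (the situation in the thread): the entry then comes
# back with its DN but no uidNumber, or does not come back at all.
classify_result() {
    awk 'BEGIN { dn = 0; uid = 0 }
         /^dn:/ { dn = 1 }
         tolower($0) ~ /^uidnumber:/ { uid = 1 }
         END { if (uid) print "ok"; else if (dn) print "entry-without-posix"; else print "no-entry" }'
}

# Authenticate the way SSSD does and run the lookup. A private credential
# cache keeps root's default ccache untouched. The attribute list is the
# RFC 2307 set SSSD's AD provider maps POSIX identity from (assumed default
# mapping).
query_posix_attrs() {
    KRB5CCNAME="FILE:$(mktemp /tmp/krb5cc_trustcheck.XXXXXX)"
    export KRB5CCNAME
    case "$TRUST_TYPE" in
        one-way)
            principal="$(klist -kt "$KEYTAB" | tdo_principal)"
            echo "authenticating as $principal" >&2
            kinit -kt "$KEYTAB" "$principal" ;;
        two-way)
            # The IPA master's own host principal from /etc/krb5.keytab.
            kinit -k ;;
        *)
            echo "TRUST_TYPE must be one-way or two-way" >&2
            return 2 ;;
    esac
    ldapsearch -LLL -H "ldap://${AD_DC}" -Y GSSAPI \
        -b "$(base_dn "$TRUST")" \
        "(&(objectClass=user)(sAMAccountName=${AD_USER}))" \
        uidNumber gidNumber unixHomeDirectory loginShell gecos
    kdestroy
}

# Live run only when asked for (sh trustcheck.sh run); the functions above
# can be exercised without AD.
if [ "${1:-}" = "run" ]; then
    result="$(query_posix_attrs)"
    printf '%s\n' "$result"
    printf '%s\n' "$result" | classify_result
fi
```

Run it as root on an IPA master with `TRUST=<ad.domain> AD_DC=<dc> AD_USER=<sAMAccountName> sh trustcheck.sh run`. A result of `entry-without-posix` or `no-entry` with a successful kinit reproduces the thread's symptom (Kerberos fine, LDAP read denied to the identity SSSD uses); `ok` means the TDO or host principal can read the attributes and the problem lies elsewhere.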