[Freeipa-users] IPA-AD ldap acces - account ?

Jan Karásek jan.karasek at elostech.cz
Thu Aug 18 14:39:37 UTC 2016


Great ! Thank you very much. It works ! 

Regards, 
Jan 


From: "Alexander Bokovoy" <abokovoy at redhat.com> 
To: "Jan Karásek" <jan.karasek at elostech.cz> 
Cc: freeipa-users at redhat.com 
Sent: Thursday, August 18, 2016 4:03:14 PM 
Subject: Re: [Freeipa-users] IPA-AD ldap acces - account ? 

On Thu, 18 Aug 2016, Jan Karásek wrote: 
>Hi, 
>thank you. We are experiencing problems with LDAP access from IPA 
>servers in IPA-AD scenario with one-way trust (Win 2012). 
> 
>So for ldap access IPA uses the xyz$@domain special trust account. 
>According to my lab, this account is on the AD side considered a 
>member of the Authenticated Users group. By default Authenticated Users are 
>members of the group Pre-Windows 2000 Compatible Access, and this group has 
>read permission on objects of type User and therefore IPA is able to read 
>POSIX attributes from these objects. (tested in my lab environment) 
> 
>In our case - due to the security team - there is no possibility for 
>Authenticated Users to read user objects - and then IPA is unable to 
>read objects from AD ldap. So we have a situation where kerberos works 
>OK but we are not able to get POSIX attributes from ldap. 
Create a group that could be granted such access, add the TDO object there. 

>This situation could have been solved by adding read permission 
>directly to the IPA access account(TDO), but unfortunately it looks 
>like it is not possible. 
Why is it not possible? The account is in AD, one can always grant 
it more permissions there. 

> 
>Questions : 
> 
>1. Does IPA depend on the ability of the Authenticated Users group to access 
>user objects' attributes ? 
At the very least, yes. Otherwise you need to grant more permissions to 
the TDO account in AD, even though you cannot directly get access to the 
account from non-advanced UI view. However, even Samba 'net' utility 
works fine: 

1. Create a group in the forest root domain: 
# net rpc group add trust-rpc-readonly -S w12.ad.test -UAdministrator%PASSWORD 

2. Add our TDO object to the group: 
# net rpc group addmem trust-rpc-readonly 'IPAAD$' -S w12.ad.test -UAdministrator%PASSWORD 

3. Check that the TDO object is part of the group: 
# net rpc group members trust-rpc-readonly -S w12.ad.test -UAdministrator%PASSWORD 
AD\IPAAD$ 

Now you can go to UI and assign specific privileges to the group. 

>2. Is it possible to set up some other "standard" service account for 
>IPA access to AD ldap ? 
No. 

> 
>Thank you, 
>Jan 
> 
> 
> 
>From: "Alexander Bokovoy" <abokovoy at redhat.com> 
>To: "Jan Karásek" <jan.karasek at elostech.cz> 
>Cc: freeipa-users at redhat.com 
>Sent: Wednesday, August 17, 2016 4:12:28 PM 
>Subject: Re: [Freeipa-users] IPA-AD ldap acces - account ? 
> 
>On Wed, 17 Aug 2016, Jan Karásek wrote: 
>>Hi, 
>> 
>>please could somebody explain how and with which account IPA is 
>>accessing the DC in the IPA - AD trust scenario. Is it possible to simulate 
>>with ldapsearch some query to AD with the same permissions as the IPA 
>>server? 
>Depends on what trust we have. For two-way trust SSSD on IPA masters 
>uses host/master.ipa.domain at IPA.DOMAIN principal because we map it to a 
>SID with a special well-known RID 'Domain Computers' (-515) and attach 
>an MS-PAC record to the TGT issued for this service principal. 
> 
>For one-way trust SSSD on IPA masters uses the so-called TDO account. These 
>are special accounts in AD domains which look like a machine account 
>(FOO$) but instead use the NetBIOS name of the trusted forest and have 
>specific attributes associated with them. 
> 
>>We have some issues with reading ldap object from AD and I would like 
>>to simulate that from command line. 
> 
>Simplest way is to do something like this on IPA master for one-way 
>trust: 
> 
># klist -kt /var/lib/sss/keytabs/<trust>.keytab 
> 
>notice the principal name there, let's say it is NAME$@TRUST 
> 
># kinit -kt /var/lib/sss/keytabs/<trust>.keytab 'NAME$@TRUST' 
># ldapsearch -H ad.dc -Y GSSAPI .... 
> 
>For two-way trust it is enough to kinit as IPA master host principal: 
> 
># kinit -k 
># ldapsearch -H ad.dc -Y GSSAPI ... 
> 
> 
>-- 
>/ Alexander Bokovoy 

>-- 
>Manage your subscription for the Freeipa-users mailing list: 
>https://www.redhat.com/mailman/listinfo/freeipa-users 
>Go to http://freeipa.org for more info on the project 


-- 
/ Alexander Bokovoy 
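The diagnostic from the first reply (kinit as the TDO principal from the SSSD trust keytab, then ldapsearch over GSSAPI) and the group-membership check from the `net rpc` steps, wrapped as an added shell example that is not part of the thread. The keytab path pattern is the one quoted above; the DC name `ad.dc`, base DN `DC=ad,DC=test`, the sAMAccountName `jdoe` and the sample LDIF are assumed placeholders. It distinguishes "entry not found" from the ACL symptom described here: the entry is returned but the POSIX attributes are hidden.

```bash
#!/bin/bash
# Added example, not code from the thread or from FreeIPA/SSSD.
# Assumed placeholders: keytab path, DC host, base DN, user name.
TRUST_KEYTAB="/var/lib/sss/keytabs/ad.test.keytab"   # <trust>.keytab
TDO_PRINCIPAL='IPAAD$@AD.TEST'                        # from klist -kt
AD_DC="ad.dc"
BASE_DN="DC=ad,DC=test"

# Query AD exactly as SSSD does for a one-way trust: authenticate with the
# TDO keytab, then read the POSIX attributes of one user via SASL/GSSAPI.
fetch_posix_ldif() {
  local keytab="$1" principal="$2" dc="$3" base="$4" user="$5"
  kinit -kt "$keytab" "$principal" || return 1
  ldapsearch -LLL -H "ldap://$dc" -Y GSSAPI -b "$base" \
    "(sAMAccountName=$user)" uidNumber gidNumber unixHomeDirectory loginShell
}

# Classify an LDIF result. AD silently omits attributes the caller may not
# read, so "dn present, uidNumber/gidNumber absent" points at the ACL.
classify_posix_ldif() {
  local ldif="$1" missing="" attr
  printf '%s\n' "$ldif" | grep -q '^dn: ' || { echo "no-entry"; return 0; }
  for attr in uidNumber gidNumber; do
    printf '%s\n' "$ldif" | grep -qi "^$attr: " || missing="$missing $attr"
  done
  if [ -n "$missing" ]; then echo "hidden-attrs:$missing"; else echo "ok"; fi
}

# Given the output of `net rpc group members <group> ...`, confirm that the
# TDO (e.g. AD\IPAAD$) is listed before granting the group read rights.
tdo_in_group() {
  local members="$1" tdo="$2"
  printf '%s\n' "$members" | grep -qxF "$tdo"
}

# Constructed sample output (no live AD needed) showing the ACL symptom.
SAMPLE_HIDDEN_LDIF='dn: CN=jdoe,CN=Users,DC=ad,DC=test'

# Live run only when asked for, so the script is safe to source or test.
if [ "${1:-}" = "--live" ]; then
  out="$(fetch_posix_ldif "$TRUST_KEYTAB" "$TDO_PRINCIPAL" "$AD_DC" "$BASE_DN" jdoe)"
  echo "result: $(classify_posix_ldif "$out")"
else
  echo "sample: $(classify_posix_ldif "$SAMPLE_HIDDEN_LDIF")"
fi
```

Run it with `--live` on an IPA master for the real check; without arguments it only classifies the constructed sample.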