[Freeipa-users] IPA-AD ldap acces - account ?
Jan Karásek
jan.karasek at elostech.cz
Thu Aug 18 14:39:37 UTC 2016
Great ! Thank you very much. It works !
Regards,
Jan
From: "Alexander Bokovoy" <abokovoy at redhat.com>
To: "Jan Karásek" <jan.karasek at elostech.cz>
Cc: freeipa-users at redhat.com
Sent: Thursday, August 18, 2016 4:03:14 PM
Subject: Re: [Freeipa-users] IPA-AD ldap acces - account ?
On Thu, 18 Aug 2016, Jan Karásek wrote:
>Hi,
>thank you. We are experiencing problems with LDAP access from IPA
>servers in IPA-AD scenario with one-way trust (Win 2012).
>
>So for ldap access IPA uses the xyz$@domain special trust account.
>According to my lab - this account is on the AD side considered a
>member of the Authenticated users group. By default Authenticated users is a
>member of the group Pre-Windows 2000 Compatible Access, and this group has
>read permission on object type User and therefore IPA is able to read
>POSIX attributes from these objects. (tested in my lab environment)
>
>In our case - due to security team - there is no possibility for
>Authenticated users to read user's objects - and then IPA is unable to
>read objects from AD ldap. So we have situation, where kerberos works
>OK but we are not able to get POSIX attributes from ldap.
Create a group that could be granted such access, add the TDO object there.
>This situation could have been solved by adding read permission
>directly to the IPA access account(TDO), but unfortunately it looks
>like it is not possible.
Why is it not possible? The account is in AD, one can always grant
it more permissions there.
>
>Questions :
>
>1. Does IPA depend on the ability of the Authenticated users group to access
>user objects' attributes ?
At the very least, yes. Otherwise you need to grant more permissions to
the TDO account in AD, even though you cannot directly get access to the
account from non-advanced UI view. However, even Samba 'net' utility
works fine:
1. Create a group in the forest root domain:
# net rpc group add trust-rpc-readonly -S w12.ad.test -UAdministrator%PASSWORD
2. Add our TDO object to the group:
# net rpc group addmem trust-rpc-readonly 'IPAAD$' -S w12.ad.test -UAdministrator%PASSWORD
3. Check that the TDO object is part of the group
# net rpc group members trust-rpc-readonly -S w12.ad.test -UAdministrator%PASSWORD
AD\IPAAD$
Now you can go to UI and assign specific privileges to the group.
>2. Is it possible to setup some other "standard" service account for
>IPA access to AD ldap ?
No.
>
>Thank you,
>Jan
>
>
>
>From: "Alexander Bokovoy" <abokovoy at redhat.com>
>To: "Jan Karásek" <jan.karasek at elostech.cz>
>Cc: freeipa-users at redhat.com
>Sent: Wednesday, August 17, 2016 4:12:28 PM
>Subject: Re: [Freeipa-users] IPA-AD ldap acces - account ?
>
>On Wed, 17 Aug 2016, Jan Karásek wrote:
>>Hi,
>>
>>please could somebody explain how and with which account IPA is
>>accessing DC in IPA - AD trust scenario. Is it possible to simulate
>>with ldapsearch some query to AD with the same permission as IPA
>>server?
>Depends on what trust we have. For two-way trust SSSD on IPA masters
>uses host/master.ipa.domain at IPA.DOMAIN principal because we map it to a
>SID with a special well-known RID 'Domain Computers' (-515) and attach
>an MS-PAC record to the TGT issued for this service principal.
>
>For one-way trust SSSD on IPA masters uses so-called TDO account. These
>are special accounts in AD domains which look like a machine account
>(FOO$) but instead use the NetBIOS name of the trusted forest and have
>specific attributes associated with them.
>
>>We have some issues with reading ldap object from AD and I would like
>>to simulate that from command line.
>
>Simplest way is to do something like this on IPA master for one-way
>trust:
>
># klist -kt /var/lib/sss/keytabs/<trust>.keytab
>
>notice the principal name there, let's say it is NAME$@TRUST
>
># kinit -kt /var/lib/sss/keytabs/<trust>.keytab 'NAME$@TRUST'
># ldapsearch -H ad.dc -Y GSSAPI ....
>
>For two-way trust it is enough to kinit as IPA master host principal:
>
># kinit -k
># ldapsearch -H ad.dc -Y GSSAPI ...
>
>
>--
>/ Alexander Bokovoy
>--
>Manage your subscription for the Freeipa-users mailing list:
>https://www.redhat.com/mailman/listinfo/freeipa-users
>Go to http://freeipa.org for more info on the project
--
/ Alexander Bokovoy
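The keytab/kinit/ldapsearch procedure Alexander describes for a one-way trust, written up as a small POSIX sh script that an admin can run on an IPA master to check whether the TDO account can actually read POSIX attributes from AD. This is an added example, not code from the thread or from FreeIPA/SSSD; the trust name "ad.test", the DC "w12.ad.test", the user "jdoe" and the function names are assumptions.

```shell
#!/bin/sh
# Added example (not from the thread). Assumed defaults: trust "ad.test",
# DC "w12.ad.test", SSSD keytab path pattern from the thread.
TRUST="${TRUST:-ad.test}"
AD_DC="${AD_DC:-w12.ad.test}"
KEYTAB="${KEYTAB:-/var/lib/sss/keytabs/${TRUST}.keytab}"

# Pick the TDO principal (NAME$@TRUST) out of `klist -kt` output.
# $1: the text printed by klist. The principal is the last column of an
# entry line; all entries share one principal, so the first match is enough.
tdo_principal_from_klist() {
    printf '%s\n' "$1" | awk '$NF ~ /\$@/ { print $NF; exit }'
}

# Search base from the trust's DNS name: ad.test -> DC=ad,DC=test
base_dn_from_domain() {
    printf '%s' "$1" | awk -F. '{ for (i = 1; i <= NF; i++)
        printf "%sDC=%s", (i > 1 ? "," : ""), $i }'
}

# LDAP filter for one AD user, looked up by sAMAccountName.
posix_query() {
    printf '(&(objectClass=user)(sAMAccountName=%s))' "$1"
}

# Bind as the TDO and read the RFC2307 attributes SSSD needs for that user.
# An empty result after a successful GSSAPI bind is the situation from the
# thread: Kerberos works, but the TDO cannot read user objects in AD.
check_tdo_read_access() {
    user="$1"
    princ=$(tdo_principal_from_klist "$(klist -kt "$KEYTAB" 2>/dev/null)")
    if [ -z "$princ" ]; then
        echo "no NAME\$@TRUST principal found in $KEYTAB" >&2
        return 1
    fi
    kinit -kt "$KEYTAB" "$princ" || return 1
    ldapsearch -LLL -H "ldap://$AD_DC" -Y GSSAPI \
        -b "$(base_dn_from_domain "$TRUST")" "$(posix_query "$user")" \
        sAMAccountName uidNumber gidNumber unixHomeDirectory loginShell
}

# Usage: sh check_tdo.sh jdoe   (assumed test user in AD)
if [ "$#" -gt 0 ]; then
    check_tdo_read_access "$1"
fi
```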