[Freeipa-users] Mapping users from AD to IPA KDC

Alexander Bokovoy abokovoy at redhat.com
Mon Dec 5 07:02:32 UTC 2016


On su, 04 joulu 2016, TomK wrote:
>Could not get much from logs and decided to start fresh.  When I run this:
>
>ipa trust-add --type=ad mds.xyz --admin Administrator --password
>
>Trust works fine and id tom@mds.xyz returns a valid result.
>
>However when I run the following on both masters on a fresh new setup:
>
>ipa-adtrust-install --netbios-name=NIX -a "<SECRET>"
>ipa trust-add --type=ad "mds.xyz" --trust-secret
>
>and created a trust object in AD DC with the name of NIX and a 
>non-transitive trust, the above did NOT work.  I didn't get anything 
>by typing id tom@mds.xyz.  (I do not get an option for a Forest Trust 
>as the gif on this page suggests: 
>https://www.freeipa.org/page/Active_Directory_trust_setup .  Possibly 
>it's Server 2012 hence the difference in what's presented to me but 
>another reason is that the name I type for the trust can't resolve to 
>an IP for now: nix.mds.xyz . So I use NIX to match the bios name used 
>on the ipa-adtrust-install command above.  )
The shared secret case for one-way trust is known to be broken. When the
shared half is created on the AD side first, it is marked as not yet valid
by Windows and currently we cannot perform validation of it from the IPA
side. Validating it from the AD side is not possible either, as we don't
provide all the interfaces Windows would like to use.

And the fact that you cannot see the 'Forest Trust' trust type also says
that you have problems reaching the IPA masters from the AD DC side for
probing purposes over CLDAP ping (389/UDP) and then SMB (445/TCP and
UDP).

>I went back to the trust object in AD and set it to Transitive from 
>Non-transitive.  And all of a sudden I can resolve the AD ID's on the 
>IP Servers and all is working fine.  Great!
>
>I could not follow the section within the online document above for 
>setting up forwarders.  I had to delegate nix.mds.xyz from the two AD 
>/ DNS Clustered Windows Server 2012 servers to the two FreeIPA servers 
>(idmipa01, idmipa02).  I found that the forwarding section doesn't 
>quite jibe well with delegation in Windows Server 2012.
Whatever you do to forward DNS in a DNS-compliant way should be enough.
The documentation typically tries to explain that there are multiple
ways to achieve this, from hackish to standards-compliant.

>The remaining question I need to ask is: does the NetBIOS name used on 
>the ipa-adtrust-install command above have to match the AD DC Trust 
>object name?  Any ties between the naming of the two?  ( Thinking no 
>tie-in but not 100% . Seems AD expects a domain that resolves to an IP 
>)
100% tied; this is an AD requirement.

Each domain has a domain name in NetBIOS, a domain name in DNS, and a SID. The
first two must match, and on the DNS level AD expects both to resolve
properly. It is a legacy from NT times that _all_ trusted domain objects
are named as NetBIOS$, just as _all_ computer objects have the same
style of name, COMPUTER$. This is enforced on multiple levels, from SMB to
Kerberos.

What 'resolve' means here is that DNS searches for different types of
SRV records should succeed, and then CLDAP ping to the servers which are
mentioned in the _ldap._tcp.Default-First-Site-Name._sites.dc._msdcs.$DOMAIN
or _ldap._tcp.dc._msdcs.$DOMAIN should succeed too.


>Also, given this setup I have:
>
>1) The two windows servers, winad01, winad02 are both DNS, AD servers 
>and are clustered (NLB)
>
>2) Have DNS delegation on nix.mds.xyz so FreeIPA servers will be 
>authoritative for that subdomain.
>
>3) AD Trust objects look for a resolvable domain (ie nix.mds.xyz) and 
>current version of FreeIPA does not yet resolve nix.mds.xyz to any IP 
No, this is not required. What is required is that the trust object is
correctly set, and that involves a lot more than what you are outlining.
As you can see above, resolving nix.mds.xyz to an IP is not required, but
DNS SRV records like _ldap._tcp.dc._msdcs.nix.mds.xyz should be
resolvable.

>4) IPA ipa-adtrust-install only accepts NetBIOS names.
ipa-adtrust-install configures what is missing from the base setup
related to the trust to AD. The NetBIOS name is missing, thus it is added.

>
>Is it at all possible to setup a non-transitive trust with all that?  
>( I might just not be seeing the forest through the trees  :) - Pun 
>Intended. )   Still new to quite a bit of this so thank you for your 
>patience and feedback.
Non-transitive trust is called 'external trust' in AD jargon. It can be
established to any domain in a forest. We support it from FreeIPA 4.4
with --external=true option to 'ipa trust-add'.

With non-transitive trust only users from directly trusted domain can be
seen and authenticated.

-- 
/ Alexander Bokovoy
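As an added readiness check (not from this thread or the FreeIPA project), the script below builds the two SRV names Alexander lists for a trusted domain, resolves them with dig, and probes each target on 445/TCP, the SMB port an AD DC contacts after the CLDAP ping. The resolver and probe are injectable so the logic can be exercised offline; the site name Default-First-Site-Name and the dependency on dig are assumptions, and 389/UDP is not probed because UDP gives no connection-level answer.

```python
import shutil
import socket
import subprocess
from typing import Callable, Dict, List

# Port the thread names for the SMB step of AD's probing (445/TCP).
SMB_TCP_PORT = 445


def required_srv_names(domain: str, site: str = "Default-First-Site-Name") -> List[str]:
    """SRV records AD expects to resolve for a trusted domain (names from the thread)."""
    return [
        f"_ldap._tcp.dc._msdcs.{domain}",
        f"_ldap._tcp.{site}._sites.dc._msdcs.{domain}",
    ]


def dig_srv(name: str) -> List[str]:
    """Resolve SRV targets with dig (assumed installed); empty list if the record is missing."""
    if shutil.which("dig") is None:
        raise RuntimeError("dig not found; install bind-utils/dnsutils or inject a resolver")
    out = subprocess.run(["dig", "+short", "SRV", name],
                         capture_output=True, text=True, check=False).stdout
    # dig +short prints one "priority weight port target." line per record
    return [f[3].rstrip(".") for f in (ln.split() for ln in out.splitlines()) if len(f) == 4]


def tcp_open(host: str, port: int, timeout: float = 2.0) -> bool:
    """True if a TCP connection to host:port succeeds within the timeout."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def trust_readiness(domain: str,
                    resolve_srv: Callable[[str], List[str]] = dig_srv,
                    probe: Callable[[str, int], bool] = tcp_open) -> Dict[str, object]:
    """Check every required SRV name resolves and every target answers on 445/TCP."""
    report: Dict[str, object] = {"srv": {}, "smb_tcp": {}, "ready": True}
    for name in required_srv_names(domain):
        targets = resolve_srv(name)
        report["srv"][name] = targets
        if not targets:               # missing SRV record: AD cannot find a DC to probe
            report["ready"] = False
        for host in targets:
            ok = probe(host, SMB_TCP_PORT)
            report["smb_tcp"][host] = ok
            report["ready"] = report["ready"] and ok
    return report


if __name__ == "__main__":
    import json, sys
    print(json.dumps(trust_readiness(sys.argv[1]), indent=2))
```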