[Freeipa-users] AD Sync and groups

malo malo at avast.com
Wed Jul 27 12:41:39 UTC 2016


Hi,

Thank you for your reply, it really is much clearer to me now.

I think I get why SSSD offline authentication would help to solve "AD 
unreachable" issue.

If I understood well, the SSSD on the IPA master would cache 
credentials, allowing the user to log in (as in the kinit meaning) even 
if the AD is unreachable?

At last, I did not quite understand how the KDC proxy would help to 
prevent network related issues.

To me it is just a way to allow users with restrictive firewall rules to 
authenticate and request tickets, if I understood well (from this doc 
https://www.freeipa.org/page/V4/KDC_Proxy)

Thanks again for your help,

Nathan

On 07/26/2016 10:30 AM, Alexander Bokovoy wrote:
> On Tue, 26 Jul 2016, malo wrote:
>> Hello,
>>
>> I am currently setting up an architecture involving FreeIPA to 
>> provide SSO for SSH to the servers.
>> I have several servers (~1500) in a few datacenters all over the 
>> world (North America, South America, Europe, Asia).
>> The idea here was to have 4 masters/replicas per datacenter, with one 
>> master/replica involved in a winsync replication process with our AD. 
>> Thus, we would not suffer network outages, slow downs or timeouts 
>> because each FreeIPA server would have a closer database of users 
>> instead of querying a long distance AD.
>>
>> I've managed to set up the winsync replication successfully (after 
>> having trouble with replication rights).  I then turned on group 
>> replication:
>>
>> ldapmodify -x -D "cn=directory manager" -w PASS
>>
>> dn: cn=meToad.XXX.example.com,cn=replica,cn=dc\3Dipa\2Cdc\3Dff\2Cdc\3Dxxx\2Cdc\3Dexample\2Cdc\3Dcom,cn=mapping tree,cn=config
>> changetype: modify
>> replace: nsds7NewWinGroupSyncEnabled
>> nsds7NewWinGroupSyncEnabled: true
>>
>>
>> I re-initialized the replication but I have no groups.
>> I did a little digging and came on this: 
>> https://bugzilla.redhat.com/show_bug.cgi?id=1002414
>> Very unfortunate for me, but a few things bother me.
>>
>> It says "reenable" in the RFE and I also found this documentation: 
>> https://access.redhat.com/documentation/en-US/Red_Hat_Directory_Server/8.2/html/Administration_Guide/Using_Windows_Sync-Synchronizing_Groups.html
>
> There is a difference between 389-ds winsync and FreeIPA winsync. The
> latter is a simplified version that doesn't see development anymore and
> does not support group sync, because groups on the IPA side are sufficiently
> different from AD groups, while the generic 389-ds winsync plugin is not
> tuned to the IPA DIT.
>
>> It clearly specifies how to sync groups, which I enabled, but 
>> nothing happens for me.
>> So, my questions would be:
>> - Is winsync group sync still enabled?
>> - If not, why and when has it been disabled?
>> - Is there any way I could reenable it, by digging into the code?
>>
>> Group sync seems a really MUST HAVE as a feature for the winsync, 
>> since flat hierarchy is not really useful, imho.
> IPA uses flat hierarchy and has no support for non-flat DIT.
>
>> I can't consider an AD Trust architecture, it would be too dangerous 
>> since the network connectivity of the AD is not safe enough; I could 
>> not risk blocking SSH access on my servers because of network lag.
>>
>> Has anyone been in a similar situation? Have you implemented AD 
>> trust or winsync replication at such a large scale?
> I cannot tell about actual deployments, but there are plenty of deployments
> with trust to AD in multiple data centers.
>
> If you need, with FreeIPA 4.0+ you can actually proxy Kerberos
> authentication via IPA servers to AD DCs and also can do offline
> authentication in SSSD.
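As an added illustration of the two mechanisms Alexander points to (not part of this thread, and not FreeIPA's own documentation), the fragments below show where SSSD offline authentication and the KDC proxy are actually configured: both live on the enrolled IPA client, in sssd.conf and krb5.conf. The hostnames ipa1.example.com / ipa2.example.com, the domain ipa.example.com and the realm IPA.EXAMPLE.COM are placeholders; the option names are real sssd.conf and MIT krb5 options.

```ini
# --- /etc/sssd/sssd.conf on an enrolled IPA client (placeholder names) ---
[sssd]
services = nss, pam
domains = ipa.example.com

[domain/ipa.example.com]
id_provider = ipa
auth_provider = ipa
ipa_server = ipa1.example.com, ipa2.example.com
# Keep a hash of the password of every user who has logged in at least once,
# so PAM can still authenticate that user when no IPA server is reachable.
cache_credentials = True
# Also keep the password in memory while offline so SSSD can obtain a TGT
# as soon as a KDC becomes reachable again.
krb5_store_password_if_offline = True

[pam]
# Number of days a cached credential stays usable while offline (0 = no limit).
# Bounding this limits how long a disabled or removed account keeps working
# on a client that has lost contact with IPA.
offline_credentials_expiration = 2

# --- /etc/krb5.conf on a client that can only reach the IPA servers over
# --- HTTPS (port 443); the KDC proxy on the IPA web server forwards the
# --- Kerberos traffic to the KDC.
[realms]
  IPA.EXAMPLE.COM = {
    kdc = https://ipa1.example.com/KdcProxy
    master_kdc = https://ipa1.example.com/KdcProxy
    kpasswd_server = https://ipa1.example.com/KdcProxy
  }
```

Two caveats a deployer would check: offline authentication only covers users who have already logged in on that particular host (there is nothing to cache for anyone else), and the KDC proxy only changes the transport between client and IPA server; it does not make the IPA server's own backend (a remote AD, in a trust setup) any more reachable.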