[Freeipa-users] Possible to fully proxy AD <-> FreeIPA?

[Alexander Bokovoy]

On ke, 22 maalis 2017, Dan Dietterich wrote:
>I am trying to understand if it is possible to NAT between a network
>running Active Directory (AD) and a network running FreeIPA and have
>one-way trust from FreeIPA to the AD.
>
>My hypothesis is that it is not possible, for two reasons. First, I
>understand that Kerberos uses several techniques (ip addresses in the
>protocol, reverse DNS lookups) to make sure there is no "man in the
>middle." The proxy is a man in the middle. Second, I understand that
>FreeIPA retrieves the layout of domain controllers (DC) from the
>initial AD DC it builds the trust with. The addresses returned are
>valid in the AD network and are not translated into the FreeIPA
>network. FreeIPA will not be able to route to those IP addresses.
I don't think this configuration will work. Specifically, discovery of
DCs closest to a client with CLDAP ping (done by all Windows clients and
SSSD) is required in Active Directory environment and indeed NATingn AD
network will not allow IPA masters to access AD DCs.


>I have read about proxying Kerberos protocol over https
>(https://web.mit.edu/kerberos/krb5-devel/doc/admin/https.html)
It is irrelevant here. Sure, IPA provides Kerberos proxy by default
already and you may use it but aside from Kerberos, we need access to
LDAP and DCE RPC services on AD side. These cannot be proxied in a sane
way.

>I have read about proxying LDAP (https://wiki.samba.org/index.php/OpenLDAP_as_proxy_to_AD)
Both 389-ds and OpenLDAP have backends to proxy LDAP requests to another
servers. However, this is not helpful in the case of AD because none of
those support proxying CLDAP (LDAP over UDP) which is key part of DC
discovery in AD. Also, there is no way to force such proxy to rewrite
addresses as you correctly noted.


-- 
/ Alexander Bokovoy