<html>
<head>
<meta http-equiv="content-type" content="text/html; charset=ISO-8859-1">
</head>
<body bgcolor="#FFFFFF" text="#000000">
Hi, <br>
<br>
In a setup where FreeIPA + sssd act as authentication for AD
users (taking advantage of sssd's ability to act as an
authentication client for AD users), why do we need to establish a
(two-way) trust relationship? Isn't there a workaround for this,
given that sssd is already able to authenticate users without having
to do anything on the AD side (we just need a read-only user to carry
out the initial bind)?<br>
<br>
In a bit more detail: We'd like to use AD-based authentication on
some Unix hosts (mostly Solaris 10) for which there's no sssd
available (we're already using sssd on RHEL hosts); we were thinking
of setting up a server with FreeIPA + sssd to act as sort of a proxy
to the actual AD for authentication, for those hosts for which
there's no sssd client available (based on this doc:
<a class="moz-txt-link-freetext" href="http://www.freeipa.org/page/V3/Serving_legacy_clients_for_trusts">http://www.freeipa.org/page/V3/Serving_legacy_clients_for_trusts</a>).<br>
The reasons why we're doing this are basically:<br>
· there's no Unix compatibility available on the AD server (and most
likely there won't ever be)<br>
· we'd like to keep the same UIDs/GIDs for all users that already
authenticate on the RHEL boxes (to be able to work on the same home
directories, maintain homogeneous file ownership across shared
resources, etc.)<br>
<br>
So, we've set up: <br>
· a CentOS 7.0 host with ipa-server v3.3.3 and sssd v1.11.2 installed
and configured (with domain: ipa-dom.com)<br>
· checked that sssd-based authentication to the AD server works on
this box (AD users in domain da-dom.com)<br>
· checked that the IPA server works for users created on the IPA
server (domain e.g. <a class="moz-txt-link-abbreviated" href="mailto:user@ipa-dom.com">user@ipa-dom.com</a>)<br>
<br>
Now, to set up what we really wanted, which is basically, on a
Unix box with no sssd client, to be able to authenticate
<a class="moz-txt-link-abbreviated" href="mailto:user1@da-dom.com">user1@da-dom.com</a> via the FreeIPA server, through sssd. But the
final step of the configuration process (cmd: ipa trust-add ...)
requires establishing a two-way trust relationship between the IPA
server and the AD DC, which requires AD administrator privileges
(which we don't have, and I don't see why we should have them). <br>
The AD admins of the company are not willing to consider having this trust
relationship established because they regard it as a security
risk. <br>
<br>
My question is basically, isn't there a workaround for this
situation? If sssd is already able to authenticate, and based on the
explanations in the doc mentioned above, I can't see why for plain
user authentication there must be a trust relationship established.
We don't need that for any of our sssd-based hosts (and they haven't
been added to the domain da-dom.com, no need to). <br>
<br>
Any suggestions? Maybe there are different setups and/or tool
combinations for this kind of scenario?<br>
<br>
Thanks a lot,<br>
<br>
<div class="moz-signature">-- <br>
<p><b>Gerardo Padierna</b><br>
<a href="mailto:asl.gerardo@gmail.com">asl.gerardo@gmail.com</a>
</p>
</div>
</body>
</html>