[Freeipa-users] FreeIPA v 2.2 in an AD environment

Dmitri Pal dpal at redhat.com
Mon Nov 5 23:45:15 UTC 2012


On 11/05/2012 01:40 PM, William Muriithi wrote:
> Rich,
>
>> In addition to other comments I want to step back and give a bit of a
>> bigger picture.
>> 1) Regardless of what approach you choose we recommend using the latest
>> available version at the moment of deployment.
> Good suggestion.  This means I should use version 3. Problem is that I would
> have to run Fedora 17, and I'm not happy with that option.  I think I may
> have to wait for 6.4 before changing the current setup, as I like the trust
> setup more than the sync alternative.
>
>> 2) There are two different approaches to dealing with AD - sync or
>> trust. You need to choose which approach you want to use. Down the road
>> there might be some hybrid solutions but so far they are not supported.
>>
>> Sync: available starting the beginning of the IPA life. It has some
>> limitations and we indeed had some issues with the corner cases that
>> Steve's environment has. They are not common but you have been warned
>> anyways.
> Ok
>
>> Trust:
>> a) Trusts are targeting RHEL 6.4
>> b) There is no upgrade from Sync to Trust solution. If you want trusts
>> you need to upgrade what you have to 6.4 (or start over) and implement
>> trusts there and not do Sync.
>> c) To take advantage of trusts your clients must be SSSD 1.9.x otherwise
>> the trusts would not work. This also means that if you have other UNIXes
>> the trusts would not work there.
> That sucks. Would have been better if it only affected the IPA server.
> Hopefully there will not be too many dependencies that would make it
> impossible to update to SSSD 1.9.x.  Why is this necessary, if I may
> ask?  I thought most of the changes would be limited to the server side?

Unfortunately, no. The client does a lot of heavy lifting. The client needs
to understand that the ticket the user is using to access the system is
coming from AD and thus has authorization data in the form of an MS-PAC. This
data needs to be extracted and processed. The remapping of the MSFT ids
called SIDs needs to be conducted, and the SIDs need to be resolved to names
so that when you run "id" you can get the user name from AD. The interactions
happen with IPA, since some of the information is provided and controlled
by IPA while some other things need to be looked up in AD.
Trust is a very complex environment. There was a lot of development that
the IPA and SSSD project teams worked on jointly.

>
> Actually, a better question is, what's the difference between sync and
> trust?  To me, sync means pushing the username/password pair through
> PassSync, while trust means pushing the username and password
> through Samba 4. Is this correct?

No. Trust means no pushing. Once you establish a trust between IPA and
AD, users will remain in AD and will be able to access systems and
resources managed by IPA without any push of the accounts and passwords
from AD to IPA or any other place. That is the beauty. All AD users
still authenticate against AD, get a Kerberos ticket, and then using this
ticket can contact systems and services on the IPA side.

>
>> If you have UNIX clients that need to be accessed by AD users you might
>> explore some hybrid solutions that might work but we can't say for sure.
>> For example the sync might actually work in parallel to trusts to some
>> extent. There is also a PAM pass-through capability that comes with 6.4 as
>> a tech preview. That would allow pass-through LDAP auth for the non
>> SSSD 1.9 clients. But this needs to be tried out and there might be dragons.
>>
> Interesting, sounds scary to go there.  Thank you

Not that scary. It just depends on your level of comfort about experimenting
with your test environment and proving something works.
We have seen on multiple occasions when people asked us something and we
said "it might work, we are not sure", and people tried and were successful.
Such experiments have the benefit that, once tried and recorded, they
(if not absolutely crazy) pave the way for future support of the feature
in RHEL.

>>
> William


-- 
Thank you,
Dmitri Pal

Sr. Engineering Manager for IdM portfolio
Red Hat Inc.


-------------------------------
Looking to carve out IT costs?
www.redhat.com/carveoutcosts/
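As an added illustration of the SID remapping step described in the reply above (this is example code written here, not code from the thread or from the IPA/SSSD projects): a simplified RID-based mapping of an AD account SID into a POSIX ID slice. The domain SID, the range base and the range size are constructed placeholder values, and the "base + RID within one fixed-size slice" rule is a simplifying assumption rather than a statement of how IPA's idrange logic is actually implemented.

```python
import re
from dataclasses import dataclass

# Only domain account SIDs (S-1-5-21-<A>-<B>-<C>-<RID>) are mapped here;
# well-known SIDs such as S-1-5-32-544 deliberately do not match.
SID_RE = re.compile(r"^S-1-5-21-\d+-\d+-\d+-\d+$")


@dataclass(frozen=True)
class IdRange:
    """One POSIX ID slice allotted to a trusted AD domain (constructed values)."""
    base_id: int
    size: int


# Constructed example: one trusted domain and its ID slice. In a real
# deployment this table comes from the IPA server's idrange configuration.
ID_RANGES = {
    "S-1-5-21-1111111111-2222222222-3333333333": IdRange(base_id=1_000_000, size=200_000),
}


def split_sid(sid: str) -> tuple[str, int]:
    """Split 'S-1-5-21-A-B-C-RID' into the domain SID and the relative ID."""
    if not SID_RE.match(sid):
        raise ValueError(f"not a domain account SID: {sid}")
    domain_sid, rid = sid.rsplit("-", 1)
    return domain_sid, int(rid)


def sid_to_posix_id(sid: str) -> int:
    """Map an AD SID to a POSIX UID/GID as base_id + RID inside the domain slice.

    Fails closed: an unknown domain (no trust, no range) or a RID beyond the
    slice size raises instead of silently producing an overlapping ID.
    """
    domain_sid, rid = split_sid(sid)
    rng = ID_RANGES.get(domain_sid)
    if rng is None:
        raise LookupError(f"no ID range for domain {domain_sid}; is the trust established?")
    if rid >= rng.size:
        raise ValueError(f"RID {rid} exceeds range size {rng.size}; another slice is needed")
    return rng.base_id + rid


def posix_id_to_sid(posix_id: int) -> str:
    """Reverse lookup, as a client must do to resolve a numeric ID back to an AD name."""
    for domain_sid, rng in ID_RANGES.items():
        if rng.base_id <= posix_id < rng.base_id + rng.size:
            return f"{domain_sid}-{posix_id - rng.base_id}"
    raise LookupError(f"POSIX id {posix_id} is not inside any trusted-domain range")
```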