On Tue, Jul 09, 2013 at 02:12:33PM +0300, Alexander Bokovoy wrote:
> On Tue, 09 Jul 2013, Jakub Hrozek wrote:
> >On Wed, Jul 03, 2013 at 02:53:55PM +0200, Sumit Bose wrote:
> >>On Wed, Jul 03, 2013 at 01:00:43PM +0300, Alexander Bokovoy wrote:
> >>> On Mon, 01 Jul 2013, Sumit Bose wrote:
> >>> >Hi,
> >>> >
> >>> >this patch fixes https://fedorahosted.org/freeipa/ticket/3651 but only
> >>> >to allow SSSD running on a FreeIPA server to access the AD LDAP server.
> >>> >In the ticket a more generic solution is described but since there is no
> >>> >other use case so far I think this patch is sufficient for the time
> >>> >being.
> >>> >
> >>> >bye,
> >>> >Sumit
> >>>
> >>> >From a707d8f9d771dfe4fb8487e051519dba0ef72449 Mon Sep 17 00:00:00 2001
> >>> >From: Sumit Bose <sb...@redhat.com>
> >>> >Date: Mon, 1 Jul 2013 13:47:22 +0200
> >>> >Subject: [PATCH] Add PAC to master host TGTs
> >>> >
> >>> >For a proper SALS bind with GSSAPI against an AD LDAP server a PAC is
> >>> >needed. To allow SSSD in ipa_server_mode to access the LDAP or GC server
> >>> >of a trusted domain with the credentials of a FreeIPA server host a
> >>> >PAC must be added to the TGT for the host.
> >>> s/SALS/SASL/
> >>
> >>Thank you for the review, I've fixed the typo and added the numerical
> >>values for the well-known RIDs to the commit message.
> >>
> >>>
> >>>
> >>> >To determine if a host is a FreeIPA server or not it is checked if there
> >>> >is an entry for the host in cn=master,cn=ipa,cn=etc,$base. Unfortunately
> >>> >this requires an additional LDAP lookup. But since TGS-REQs for hosts
> >>> >should be rare I think it is acceptable for the time being.
> >>> I think it is better to change this lookup to
> >>> "cn=ADTRUST,cn=$FQDN,cn=masters,cn=ipa,cn=etc,$SUFFIX", it would
> >>> explicitly limit us to the IPA masters running AD trusts.
> >>
> >>I'm not sure if this restriction is needed. With SSSD's ipa_server_mode
> >>any IPA master (which networkwise can access an AD server of the trusted
> >>domain) can read AD user and group data, no running smbd or winbind is
> >>required. So it would be possible to run the extdom plugin or the compat
> >>plugin for the legacy clients on any IPA server which would allow a much
> >>better load balancing.
> >>
> >>If there are other concerns I'm happy to add the restriction.
> >>
> >>bye,
> >>Sumit
> >
> >I don't think I know the code well enough to provide a full review, but
> >the patch enables the lookups from an IPA master without any additional
> >hacks. So ack on functionality at least.
> Ok.
>
> I've extended this functionality to generate MS-PAC also for services
> running on IPA masters. Patch attached.
>
> This is needed to finally get rid of access to trust auth material for
> IPA python code. HTTP/fqdn@REALM will now be able to authenticate
> against the AD LDAP server and look up needed information directly, without
> elevating privileges to trust admins.
>
> This should also help for AD range discovery Tomas is working on.
>

Hi,

The patch looks good to me so I'm giving my +1. I would appreciate other
review too before a full ack, though.

_______________________________________________
Freeipa-devel mailing list
Freeipa-devel@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-devel
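The thread above debates the lookup the KDC should make before attaching a PAC: Sumit's patch checks for the host's entry under cn=masters,cn=ipa,cn=etc,$SUFFIX, Alexander suggests restricting it to cn=ADTRUST,cn=$FQDN,cn=masters,... and later extends the PAC to service principals (HTTP/fqdn@REALM) on masters. The sketch below is an added example written for this page, not FreeIPA's ipa-kdb code (which is C); it models both variants of the decision against a constructed in-memory copy of the cn=masters subtree. The realm, suffix, directory contents and every function name (should_add_pac, master_entry_dn, parse_principal, escape_rdn_value) are assumptions made here. The one detail worth carrying into a real implementation is that the FQDN taken from the principal is escaped per RFC 4514 before being spliced into a DN, so a hostname containing DN metacharacters cannot redirect the lookup.

```python
"""Added example: decide whether a ticket for `principal` should carry an MS-PAC
by checking for the principal's host under cn=masters,cn=ipa,cn=etc,$SUFFIX.
Not FreeIPA code; the realm, suffix and directory below are constructed."""
from __future__ import annotations

REALM = "EXAMPLE.COM"                      # assumed IPA realm
SUFFIX = "dc=example,dc=com"               # assumed LDAP suffix
MASTERS_BASE = f"cn=masters,cn=ipa,cn=etc,{SUFFIX}"

# Constructed stand-in for the cn=masters subtree: ipa1 runs the AD trust
# service (has an ADTRUST entry), ipa2 is a plain master, clients are absent.
DIRECTORY = {
    f"cn=ipa1.example.com,{MASTERS_BASE}": {"cn": "ipa1.example.com"},
    f"cn=ADTRUST,cn=ipa1.example.com,{MASTERS_BASE}": {"cn": "ADTRUST"},
    f"cn=ipa2.example.com,{MASTERS_BASE}": {"cn": "ipa2.example.com"},
}

_DN_SPECIAL = set(',+"\\<>;=')


def escape_rdn_value(value: str) -> str:
    """Escape an attribute value for use inside a DN (RFC 4514 section 2.4)."""
    out = []
    last = len(value) - 1
    for i, ch in enumerate(value):
        if ch in _DN_SPECIAL or (ch == "#" and i == 0) or (ch == " " and i in (0, last)):
            out.append("\\" + ch)
        elif ord(ch) < 0x20:
            out.append("\\%02x" % ord(ch))
        else:
            out.append(ch)
    return "".join(out)


def parse_principal(principal: str) -> tuple[list[str], str]:
    """Split 'comp1/comp2@REALM' into (components, realm), honouring '\\' escapes."""
    comps, cur, realm, i = [], [], None, 0
    while i < len(principal):
        ch = principal[i]
        if ch == "\\" and i + 1 < len(principal):
            cur.append(principal[i + 1]); i += 2; continue
        if ch == "/":
            comps.append("".join(cur)); cur = []
        elif ch == "@":
            comps.append("".join(cur)); realm = principal[i + 1:]; break
        else:
            cur.append(ch)
        i += 1
    else:
        comps.append("".join(cur))          # no '@' seen: realm stays None
    if not realm or any(c == "" for c in comps):
        raise ValueError(f"malformed principal: {principal!r}")
    return comps, realm


def host_of_principal(principal: str) -> str | None:
    """FQDN of a two-component principal (host/fqdn or HTTP/fqdn) in our realm, else None."""
    comps, realm = parse_principal(principal)
    if realm != REALM or len(comps) != 2:
        return None                          # users, krbtgt and cross-realm names never qualify
    return comps[1].lower()


def master_entry_dn(fqdn: str, require_adtrust: bool = False) -> str:
    """DN to look up: the master's own entry, or (Alexander's variant) its ADTRUST service entry."""
    dn = f"cn={escape_rdn_value(fqdn)},{MASTERS_BASE}"
    return f"cn=ADTRUST,{dn}" if require_adtrust else dn


def ldap_entry_exists(dn: str, directory=DIRECTORY) -> bool:
    """Stand-in for a base-scope LDAP search; DNs are compared case-insensitively."""
    wanted = dn.lower()
    return any(k.lower() == wanted for k in directory)


def should_add_pac(principal: str, require_adtrust: bool = False, directory=DIRECTORY) -> bool:
    """True when the principal's host is an IPA master (optionally one running AD trust)."""
    fqdn = host_of_principal(principal)
    if fqdn is None:
        return False
    return ldap_entry_exists(master_entry_dn(fqdn, require_adtrust), directory)


if __name__ == "__main__":
    for p in ("host/ipa1.example.com@EXAMPLE.COM", "HTTP/ipa2.example.com@EXAMPLE.COM",
              "host/client.example.com@EXAMPLE.COM", "admin@EXAMPLE.COM"):
        print(f"{p:40} master: {should_add_pac(p)!s:5} adtrust-only: {should_add_pac(p, True)}")
```

With the constructed directory, both the host and HTTP principals of ipa2 get a PAC under the generic check but not under the ADTRUST-only check, which is exactly the trade-off Sumit and Alexander discuss: the restricted variant excludes masters that could serve extdom or compat lookups through SSSD's ipa_server_mode without running smbd or winbind.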