On Tue, 2013-07-09 at 22:39 +0200, Jakub Hrozek wrote:
> On Tue, Jul 09, 2013 at 02:12:33PM +0300, Alexander Bokovoy wrote:
> > On Tue, 09 Jul 2013, Jakub Hrozek wrote:
> > >On Wed, Jul 03, 2013 at 02:53:55PM +0200, Sumit Bose wrote:
> > >>On Wed, Jul 03, 2013 at 01:00:43PM +0300, Alexander Bokovoy wrote:
> > >>> On Mon, 01 Jul 2013, Sumit Bose wrote:
> > >>> >Hi,
> > >>> >
> > >>> >this patch fixes https://fedorahosted.org/freeipa/ticket/3651 but only
> > >>> >to allow SSSD running on a FreeIPA server to access the AD LDAP server.
> > >>> >In the ticket a more generic solution is described but since there is no
> > >>> >other use case so far I think this patch is sufficient for the time
> > >>> >being.
> > >>> >
> > >>> >bye,
> > >>> >Sumit
> > >>>
> > >>> >From a707d8f9d771dfe4fb8487e051519dba0ef72449 Mon Sep 17 00:00:00 2001
> > >>> >From: Sumit Bose <sb...@redhat.com>
> > >>> >Date: Mon, 1 Jul 2013 13:47:22 +0200
> > >>> >Subject: [PATCH] Add PAC to master host TGTs
> > >>> >
> > >>> >For a proper SALS bind with GSSAPI against an AD LDAP server a PAC is
> > >>> >needed. To allow SSSD in ipa_server_mode to access the LDAP or GC server
> > >>> >of a trusted domain with the credentials of a FreeIPA server host a
> > >>> >PAC must be added to the TGT for the host.
> > >>> s/SALS/SASL/
> > >>
> > >>Thank you for the review, I've fixed the typo and added the numerical
> > >>values for the well-known RIDs to the commit message.
> > >>
> > >>>
> > >>>
> > >>> >To determine if a host is a FreeIPA server or not it is checked if there
> > >>> >is an entry for the host in cn=master,cn=ipa,cn=etc,$base. Unfortunately
> > >>> >this requires an additional LDAP lookup. But since TGS-REQs for hosts
> > >>> >should be rare I think it is acceptable for the time being.
> > >>> I think it is better to change this lookup to
> > >>> "cn=ADTRUST,cn=$FQDN,cn=masters,cn=ipa,cn=etc,$SUFFIX", it would
> > >>> explicitly limit us to the IPA masters running AD trusts.
> > >>
> > >>I'm not sure if this restriction is needed. With SSSD's ipa_server_mode
> > >>any IPA master (which network-wise can access an AD server of the trusted
> > >>domain) can read AD user and group data, no running smbd or winbind is
> > >>required. So it would be possible to run the extdom plugin or the compat
> > >>plugin for the legacy clients on any IPA server which would allow a much
> > >>better load balancing.
> > >>
> > >>If there are other concerns I'm happy to add the restriction.
> > >>
> > >>bye,
> > >>Sumit
> > >
> > >I don't think I know the code well enough to provide a full review, but
> > >the patch enables the lookups from an IPA master without any additional
> > >hacks. So ack on functionality at least.
> > Ok.
> > 
> > I've extended this functionality to generate MS-PAC also for services
> > running on IPA masters. Patch attached.
> > 
> > This is needed to finally get rid of access to trust auth material for
> > IPA python code. HTTP/fqdn@REALM will now be able to authenticate
> > against AD LDAP server and look up needed information directly, without
> > elevating privileges to trust admins.
> > 
> > This should also help for AD range discovery Tomas is working on.
> > 
> 
> Hi,
> 
> The patch looks good to me so I'm giving my +1. I would appreciate other
> review too before a full ack, though.

I've nacked the approach, although the results are as expected.
Alexander will send a simplified patch that avoids the extra search and
use of managedby which is not ok.

Simo.

-- 
Simo Sorce * Red Hat, Inc * New York
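The PAC-eligibility decision debated in the quoted thread, as an added illustration that is not part of this mail or of the FreeIPA code base: the original patch's "any IPA master, host principals only" rule, Alexander's extension to service principals, and his proposed restriction to masters carrying a cn=ADTRUST sub-entry. The LDAP lookup is replaced by a constructed in-memory set of DNs; the suffix, hostnames and the plural cn=masters container are assumptions.

```python
import re

# Assumed suffix placeholder; a real deployment derives this from the IPA config.
SUFFIX = "dc=example,dc=test"

# Constructed stand-in for the directory: the DNs that exist under cn=ipa,cn=etc.
# master1 also runs the AD trust role (cn=ADTRUST sub-entry), master2 does not.
DIRECTORY = {
    f"cn=master1.example.test,cn=masters,cn=ipa,cn=etc,{SUFFIX}",
    f"cn=ADTRUST,cn=master1.example.test,cn=masters,cn=ipa,cn=etc,{SUFFIX}",
    f"cn=master2.example.test,cn=masters,cn=ipa,cn=etc,{SUFFIX}",
}

# service/hostname@REALM; user principals (no "/") deliberately do not match.
PRINC_RE = re.compile(r"^(?P<svc>[^/@]+)/(?P<host>[^/@]+)@(?P<realm>[^@]+)$")


def master_fqdn(principal, realm, allow_services=False):
    """Return the lowercased FQDN from a host (or, if allowed, any service)
    principal of the local realm, or None when the principal cannot qualify."""
    m = PRINC_RE.match(principal)
    if not m or m.group("realm") != realm:
        return None
    if m.group("svc") != "host" and not allow_services:
        return None
    # LDAP DN matching is case-insensitive; the in-memory set is not, so normalise.
    return m.group("host").lower()


def is_ipa_master(fqdn, require_adtrust=False):
    """Stand-in for the extra LDAP search the commit message describes."""
    dn = f"cn={fqdn},cn=masters,cn=ipa,cn=etc,{SUFFIX}"
    if require_adtrust:
        # Alexander's stricter variant: only masters running AD trust qualify.
        dn = f"cn=ADTRUST,{dn}"
    return dn in DIRECTORY


def should_add_pac(principal, realm, allow_services=False, require_adtrust=False):
    """Decide whether a TGT issued to `principal` should carry an MS-PAC."""
    fqdn = master_fqdn(principal, realm, allow_services)
    return fqdn is not None and is_ipa_master(fqdn, require_adtrust)
```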

_______________________________________________
Freeipa-devel mailing list
Freeipa-devel@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-devel