Thank you, the design page reads well to me. I had a short chat with Alexander where we cleared up some confusion.
On Mon, Feb 23, 2015 at 06:02:53PM +0200, Alexander Bokovoy wrote:
> == New design ==
> In order to support one-way trust to Active Directory, we need to switch
> SSSD in IPA master mode to use TDO credentials when resolving AD users
> and groups. This is a high level description of the design, and the majority
> of work to allow the switch will be done by the SSSD team. The corresponding
> ticket tracker on the SSSD side is
> [https://fedorahosted.org/sssd/ticket/2579 ticket 2579]; the text below
> is an overview of the design.
>
> On each IPA master SSSD runs in "IPA master mode". This mode means that
> in case of an existing trust to an AD forest, SSSD will directly resolve AD
> users and groups against Active Directory Domain Controllers. To perform
> user/group resolution, SSSD needs to authenticate against AD LDAP
> servers and it does so using Kerberos authentication based on a
> host/ipa.master@IPA.REALM service ticket. The ticket towards AD LDAP
> services is issued by the FreeIPA KDC with the help of cross-realm trust
> credentials.
>
> For one-way trust SSSD cannot use this approach because Active Directory
> Domain Controllers do not trust the FreeIPA realm and, therefore, no
> cross-realm trust credentials exist in AD for the FreeIPA realm. However,
> SSSD can use the TDO object which always exists in AD for the trusting
> domain (cross-forest trust is done by the forest root domains' trust). This
> means the ticket SSSD would need to request belongs to a different realm
> (the AD forest root realm) rather than to the FreeIPA realm.
>
> As FreeIPA supports multiple trusts to separate Active Directory
> forests, support for multiple separate tickets is required. SSSD will
> need to gain the ability to use different credential caches to store TDO
> tickets and use different keytabs with TDO credentials to obtain the
> ticket from Active Directory Domain Controllers.
>
> In order to separate privileged access, FreeIPA masters have to provide
> keytabs for SSSD running on IPA masters, one keytab per trusted AD
> forest, so that SSSD could request the keys when required.

I will experiment with retrieving keytabs manually for now to simulate this part, then I'll write up a more detailed design on how to handle the one-way trusts.

> Additionally, the FreeIPA management framework will need to change its
> defaults from producing a two-way trust to a one-way trust. Two-way
> trust will be added back when support for the Global Catalog service is
> added so that Active Directory resources could be properly accessed and
> access to them discretionally granted to FreeIPA users and groups.