On 06/03/18 11:13, Alexander Bokovoy wrote:
On Tue, 06 Mar 2018, lejeczek via FreeIPA-users wrote:
On 06/03/18 07:28, Florence Blanc-Renaud wrote:
On 05/03/2018 19:01, lejeczek via FreeIPA-users wrote:
hi guys
I wonder if it is (would be) possible to have IPA join AD, but so that the IPA admin only asks the AD admin(s) to do whatever is required and then s/he does the IPA end?
And a reason you would do that is: domains are formally (and in other ways) separate, so the AD admin would have to keep secret and not share any of those AD credentials you would normally use in IPA to add such a trust.
many thanks, L.
_______________________________________________
FreeIPA-users mailing list --
freeipa-users@lists.fedorahosted.org
To unsubscribe send an email to
freeipa-users-le...@lists.fedorahosted.org
Hi,
it is possible to use a shared secret instead of the AD
admin credentials when establishing the trust:
https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/html/windows_integration_guide/trust-during#create-trust-shared-secret
Does this address your concern?
Flo
That might be exactly it!
I'm trying "one way" and while the command succeeded I
saw this:
...
Domain Security Identifier: S-1-5-21-3110176660-1847390102-3050341588
SID blacklist incoming: S-1-0, S-1-1, S-1-2, S-1-3, S-1-5-1, S-1-5-2, S-1-5-3, S-1-5-4, S-1-5-5, S-1-5-6, S-1-5-7, S-1-5-8, S-1-5-9, S-1-5-10, S-1-5-11, S-1-5-12, S-1-5-13, S-1-5-14, S-1-5-15, S-1-5-16, S-1-5-17, S-1-5-18, S-1-5-19, S-1-5-20
SID blacklist outgoing: S-1-0, S-1-1, S-1-2, S-1-3, S-1-5-1, S-1-5-2, S-1-5-3, S-1-5-4, S-1-5-5, S-1-5-6, S-1-5-7, S-1-5-8, S-1-5-9, S-1-5-10, S-1-5-11, S-1-5-12, S-1-5-13, S-1-5-14, S-1-5-15, S-1-5-16, S-1-5-17, S-1-5-18, S-1-5-19, S-1-5-20
Trust direction: Trusting forest
Trust type: Active Directory domain
Trust status: Waiting for confirmation by remote side
gidnumber: 1416100000
ipantsecurityidentifier: S-1-5-21-690266907-396463273-2110627865-1004
ipantsupportedencryptiontypes: 28
ipanttrustdirection: 1
...
Now I'm trying to ssh to IPA as:
$ ssh a...@ad.priv.dom.local@10.1.1.1
but this fails as if the password was incorrect, which
naturally is not true.
Is the problem "one way" trust?
One-way trust with a shared secret is not working
currently. Either use
two-way trust with a shared secret or use admin credentials.
If you are interested in the details, just search mailing
archives.
Oogh, gee, if you guys could make one-way work... I could
not stress it enough... f a n t a s t i c that would be.
b.w. L.
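The trust entry quoted earlier in the thread shows the two things that stop the AD login from working: the status is still "Waiting for confirmation by remote side" and ipanttrustdirection is 1 (one-way), which Alexander says is unsupported with a shared secret. As an added example that is not part of this thread nor of FreeIPA's own code, the Python script below parses `ipa trust-show`-style output and reports those conditions, plus two defender-side checks on the same fields: that the SID blacklists still contain the default well-known SIDs, and which Kerberos enctypes the trust allows. The sample input is reconstructed from the thread's output; the trust-direction values (1 inbound, 2 outbound, 3 bidirectional, from MS-LSAD) and the enctype bitmask (DES=1/2, RC4=4, AES128=8, AES256=16, as in msDS-SupportedEncryptionTypes) are assumptions about how FreeIPA encodes those attributes.

```python
"""Sanity checks over `ipa trust-show` output (added example, not FreeIPA code)."""
from typing import Dict, List, Union

# Well-known SIDs that the thread's output shows blacklisted in both directions.
DEFAULT_SID_BLACKLIST = ["S-1-0", "S-1-1", "S-1-2", "S-1-3"] + [
    f"S-1-5-{i}" for i in range(1, 21)
]

# Constructed sample: the trust entry quoted in the thread, one attribute per line.
SAMPLE_TRUST_SHOW = "\n".join([
    "Domain Security Identifier: S-1-5-21-3110176660-1847390102-3050341588",
    "SID blacklist incoming: " + ", ".join(DEFAULT_SID_BLACKLIST),
    "SID blacklist outgoing: " + ", ".join(DEFAULT_SID_BLACKLIST),
    "Trust direction: Trusting forest",
    "Trust type: Active Directory domain",
    "Trust status: Waiting for confirmation by remote side",
    "gidnumber: 1416100000",
    "ipantsecurityidentifier: S-1-5-21-690266907-396463273-2110627865-1004",
    "ipantsupportedencryptiontypes: 28",
    "ipanttrustdirection: 1",
])

# Assumption: ipantsupportedencryptiontypes uses the msDS-SupportedEncryptionTypes bits.
ENCTYPE_BITS = [
    (1, "des-cbc-crc"),
    (2, "des-cbc-md5"),
    (4, "rc4-hmac"),
    (8, "aes128-cts-hmac-sha1-96"),
    (16, "aes256-cts-hmac-sha1-96"),
]

# Assumption: ipanttrustdirection uses the MS-LSAD TrustDirection encoding.
TRUST_DIRECTION = {1: "inbound", 2: "outbound", 3: "bidirectional"}


def parse_trust_show(text: str) -> Dict[str, Union[str, List[str]]]:
    """Turn `key: value` lines into a dict; SID blacklists become lists of SIDs."""
    entry: Dict[str, Union[str, List[str]]] = {}
    for line in text.splitlines():
        if ":" not in line:
            continue  # skips the "..." elision lines and blank lines
        key, _, value = line.partition(":")
        key, value = key.strip(), value.strip()
        if key.startswith("SID blacklist"):
            entry[key] = [s.strip() for s in value.split(",") if s.strip()]
        else:
            entry[key] = value
    return entry


def decode_enctypes(mask: int) -> List[str]:
    """Expand the enctype bitmask into the names of the enabled enctypes."""
    return [name for bit, name in ENCTYPE_BITS if mask & bit]


def assess_trust(entry: Dict[str, Union[str, List[str]]],
                 shared_secret: bool = False) -> List[str]:
    """Return human-readable findings; an empty list means nothing to report."""
    findings: List[str] = []

    status = str(entry.get("Trust status", ""))
    if status.startswith("Waiting for confirmation"):
        findings.append(f"trust not yet confirmed by the AD side: {status}")

    direction = int(str(entry.get("ipanttrustdirection", "0")))
    if direction != 3:
        label = TRUST_DIRECTION.get(direction, f"unknown ({direction})")
        if shared_secret:
            findings.append(f"one-way trust ({label}) created with a shared secret: "
                            "use a two-way trust or AD admin credentials")
        else:
            findings.append(f"one-way trust ({label}) in place")

    for key in ("SID blacklist incoming", "SID blacklist outgoing"):
        present = entry.get(key, [])
        missing = sorted(set(DEFAULT_SID_BLACKLIST) - set(present))
        if missing:
            findings.append(f"{key} lacks well-known SIDs: {', '.join(missing)}")

    enctypes = decode_enctypes(int(str(entry.get("ipantsupportedencryptiontypes", "0"))))
    if any(e.startswith("des-") for e in enctypes):
        findings.append("DES enctypes enabled on the trust: " + ", ".join(enctypes))
    if "rc4-hmac" in enctypes and not any(e.startswith("aes") for e in enctypes):
        findings.append("trust allows RC4 only, no AES enctypes")
    return findings


if __name__ == "__main__":
    for finding in assess_trust(parse_trust_show(SAMPLE_TRUST_SHOW), shared_secret=True):
        print("-", finding)
```

Run it against the real listing by piping `ipa trust-show <domain>` output into `parse_trust_show`; for the sample above it reports the unconfirmed status and the one-way shared-secret trust, while the SID blacklists and the enctype mask (RC4 plus both AES types) pass.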