Hi all,
Thanks! This explains a lot, I'm happy :)
Winfried
Alexander Bokovoy via FreeIPA-users schreef op 26-10-2018 11:16:
On pe, 26 loka 2018, Winfried de Heiden wrote:
Hi all,
Refering to this bit of older post,
What now the difference between a One-way or Two-Way Trust anyway....?
The docs are not too clear abut it:
" Two-way trust enables AD users and groups to access resources in
IdM.
However, the two-way trust in IdM does not give the users any
additional
rights compared to the one-way trust solution in AD. Both solutions
are
considered equally secure because of default cross-forest trust SID
filtering settings"
What a use-case for using a Two-Way Trust? (since Windows cannot use
IPA as a AD replacement)
Originally we implemented two-way trust first because it was easier to
do than one-way trust from technical perspective. It allowed machines
from IPA domain to directly query AD DCs about needed information using
their own host/... Kerberos principals for authentication purposes.
However, a lot of customers were concerned with with AD trusting IPA
because it wasn't how AD domain controllers resolved identities (and
ran
authentication proxying) over trust. We implemented one-way trust with
a
proper setup and actually moved to always use the credentials
one-way-like in two-way trust too with FreeIPA 4.6/latest SSSD
1.15/1.16.
However, there is one missing part for a one-way trust: a one-way trust
with a shared secret. If you are using a shared secret that is provided
to you by AD admins (as opposed to be generated by 'ipa trust-add'
automatically), one-way trust cannot be established. A long story
short,
both FreeIPA and SSSD lacked required logic to allow Windows to
perform validation of the trust in this case from a Windows UI and we
couldn't initiate the validation from IPA side as we didn't have
administrative credentials to AD DCs.
So right now two-way trust with a shared secret is your solution for
this case, although I'd rather suggest to establish a normal one-way
trust with AD admin credentials to get a stronger trust secret
generated
for you by 'ipa trust-add'.
Winfried
-----Oorspronkelijk bericht-----
Van: Alexander Bokovoy via FreeIPA-users
<freeipa-users@lists.fedorahosted.org>
Antwoord-naar: FreeIPA users list
<freeipa-users@lists.fedorahosted.org>
Aan: FreeIPA users list <freeipa-users@lists.fedorahosted.org>
Cc: Michal Sladek <mic...@sladkovi.eu>, Alexander Bokovoy
<aboko...@redhat.com>
Onderwerp: [Freeipa-users] Re: Is IPA-AD two-way trust really two-way?
Datum: Thu, 23 Aug 2018 12:08:17 +0300
On to, 23 elo 2018, Michal Sladek via FreeIPA-users wrote:
Hello,
I would like to use IPA server in heterogeneous environment with Linux
servers and Windows workstations.IPA domain would be used as a primary
source of users and groups.AD domain would be used for management of
Widows hosts only (group policies etc.).
I have setup a test network with two-trust between AD and IPA
domainand realized, that IPA domain sees AD users but AD domain
doesn't seeIPA users. Am I missing something or the two-way trust is
not two-wayin fact?It is two-way in principle. However, FreeIPA does
not implement featuresrequired by AD DC to resolve IPA users on
Windows workstations. It is onour long term roadmap.
-- / Alexander BokovoySr. Principal Software EngineerSecurity /
Identity Management EngineeringRed Hat Limited,
Finland_______________________________________________FreeIPA-users
mailing list -- freeipa-users@lists.fedorahosted.orgTo unsubscribe
send an email to freeipa-users-leave@lists.fedorahosted.orgFedora Code
of Conduct: https://getfedora.org/code-of-conduct.htmlList Guidelines:
https://fedoraproject.org/wiki/Mailing_list_guidelinesList Archives:
https://lists.fedoraproject.org/archives/list/freeipa-users@lists.fedorahosted.org/message/OJCXN7VI2NZAUWUHVZDKEZB7SF72NSR2/
_______________________________________________
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org
Fedora Code of Conduct: https://getfedora.org/code-of-conduct.html
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives:
https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahosted.org
