On Thu, Jul 30, 2015 at 05:35:53PM -0500, Dan Mossor wrote:
> Greetings, folks.
>
> So, I've been fighting with getting a trust set up between FreeIPA 4.1 on
> CentOS 7.1 and Windows Server 2008r2 for nearly a week. Today I finally came
> to a conclusion as to what my issue is.
>
> I operate a secure network in which we have configuration guidelines for
> securing Windows that we have to meet in order to receive what's known as an
> "Authority to Operate", or ATO. A lot of this configuration is done in the
> Global Policies.
>
> Today I stumbled across one error buried in the Windows Security event log,
> and when correlated with the errors I was seeing from FreeIPA led me to our
> policy. The error that popped up in the event log was "The user has not been
> granted the requested logon type at this machine." The logon type was "3",
> which is network, and the Logon Process and Authorization Package were both
> Kerberos.
>
> Cross referenced with the error on the IPA server:
> "WARNING: Search on AD DC WINSRV.ad.domain.net:3268 failed with:
> Insufficient access: 8009030C: LdapErr: DSID-0C0904DC, comment:
> AcceptSecurityContext error, data 569, v1db1 Invalid Credentials"
>
> Digging into our Domain Controller policy, I found that "Access this
> computer from the network" is restricted to Domain Users, Domain
> Controllers, Domain Computers, Domain Admins, and BUILTIN\Administrators. I
> attempted to add a context that would allow the IPA server to log on, and
> got so far through the wizard that it let me select the trusted domain to
> search and returned a list of security contexts, but when I attempted to add
> one (Authenticated Users), I received the error that it couldn't be found
> because the server was inaccessible. I saw no errors on the IPA side during
> this transaction.
Thank you for the detailed analysis. I guess the 'server was inaccessible'
error is due to the fact that currently FreeIPA does not have a global
catalog, because Windows typically tries to get SIDs from remote objects from
the Global Catalog.

> So, to those of y'all that operate in secure environments, what trick do you
> use to fully integrate IPA and Active Directory?

With FreeIPA-4.2 the one-way trust feature is introduced. The main difference
to the current scheme is that with one-way trust the FreeIPA server does not
use its host credentials (host keytab) from the IPA domain to access the AD
DC but uses the trusted domain user (IPADOM$@AD.DOMAIN) to access the AD DC.
Since this is an object from the AD domain it should be possible to assign
the needed permissions to this object.

Currently I have no idea how this can be solved with older version. Maybe
there is a tool on the Windows side which lets you add SIDs manually into the
"Access this computer from the network" policy? If there is one you can try
to add IPA-SID-515 (where you have to replace IPA-SID by the IPA domain SID).

HTH

bye,
Sumit

> --
> Dan Mossor, RHCSA
> Systems Engineer
> Fedora Server WG | Fedora KDE WG | Fedora QA Team
> Fedora Infrastructure Apprentice
> FAS: dmossor IRC: danofsatx
> San Antonio, Texas, USA

--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project
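As an added illustration of the check Sumit describes (not code from the thread or from the FreeIPA project): before touching the policy, a Windows administrator can audit whether the IPA domain's Domain Computers SID (the domain SID with RID 515, which is what "IPA-SID-515" refers to) is already among the grantees of "Access this computer from the network" (SeNetworkLogonRight). The IPA domain SID below is a placeholder you must replace; the script only reads the effective policy and prints the line that would be needed in the domain controller policy template.

```powershell
# Added example: audit SeNetworkLogonRight for the IPA "Domain Computers" SID.
# Assumption: run in an elevated PowerShell on the DC; secedit exports the
# effective local policy, which on a DC is normally delivered by GPO, so any
# change must be made in the Default Domain Controllers Policy, not here.
param(
    # Placeholder: replace with the real IPA domain SID (S-1-5-21-...).
    [string]$IpaDomainSid = 'S-1-5-21-REPLACE-WITH-IPA-DOMAIN-SID'
)

$targetSid = "$IpaDomainSid-515"            # RID 515 = Domain Computers
$cfg = Join-Path $env:TEMP 'secpol-audit.inf'

# Export only the user-rights area of the effective security policy.
secedit /export /cfg $cfg /areas USER_RIGHTS | Out-Null

# Expected line form in the INF:
#   SeNetworkLogonRight = *S-1-5-32-544,*S-1-5-11,*S-1-5-21-...-515
$line = Get-Content $cfg | Where-Object { $_ -match '^SeNetworkLogonRight\s*=' }
Remove-Item $cfg -ErrorAction SilentlyContinue

if (-not $line) {
    Write-Output 'SeNetworkLogonRight is not present in the exported policy.'
    return
}

# Split "Name = *SID,*SID,..." into a list of bare SID strings.
$entries = ($line -split '=', 2)[1].Trim() -split ','
$sids = $entries | ForEach-Object { $_.Trim().TrimStart('*') }

if ($sids -contains $targetSid) {
    Write-Output "OK: $targetSid already holds network logon rights."
} else {
    Write-Output "MISSING: $targetSid is not in SeNetworkLogonRight."
    Write-Output 'Current grantees:'
    $sids | ForEach-Object { Write-Output "  $_" }
    # Line to place in the DC policy template (GptTmpl.inf) under
    # [Privilege Rights] if you decide to grant the right via GPO.
    $newEntries = ($entries | ForEach-Object { $_.Trim() }) + "*$targetSid"
    Write-Output ('Proposed: SeNetworkLogonRight = ' + ($newEntries -join ','))
}
```

The audit deliberately stops at printing the proposed line, since a local edit on a domain controller would be overwritten at the next Group Policy refresh.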