On Wed, Aug 17, 2016 at 03:49:32PM +0200, Jan Karásek wrote:
> Hi,
>
> please could somebody explain how and with which account IPA is accessing
> DC in IPA - AD trust scenario. Is it possible to simulate with ldapsearch
> some query to AD with the same permission as IPA server?
>
> We have some issues with reading ldap object from AD and I would like to
> simulate that from command line.
> Thanks,
> Jan
Identity lookups are performed by sssd running on the server. The authentication depends on the trust type. With two-way trusts, you can just use the system keytab. With one-way trusts, the keytab you'll want to use to authenticate is stored at /var/lib/sss/keytabs/ and is named after the forest. There should be a single principal there. You can authenticate with that principal and run the same search manually. You should add -Y GSSAPI to the ldapsearch line to make sure ldapsearch binds with GSSAPI.

For example, in my setup I use:

# ls /var/lib/sss/keytabs/
win.trust.test.keytab
# ls /var/lib/sss/keytabs/win.trust.test.keytab
/var/lib/sss/keytabs/win.trust.test.keytab
# klist -k /var/lib/sss/keytabs/win.trust.test.keytab
Keytab name: FILE:/var/lib/sss/keytabs/win.trust.test.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   1 IPA$@WIN.TRUST.TEST
   1 IPA$@WIN.TRUST.TEST
   1 IPA$@WIN.TRUST.TEST
# kinit -kt /var/lib/sss/keytabs/win.trust.test.keytab 'IPA$@WIN.TRUST.TEST'
# klist
Ticket cache: KEYRING:persistent:0:0
Default principal: IPA$@WIN.TRUST.TEST

Valid starting       Expires              Service principal
08/12/2016 09:25:07  08/12/2016 19:25:07  krbtgt/win.trust.t...@win.trust.test
        renew until 08/13/2016 09:25:07
# ldapsearch -Y GSSAPI -H ldap://dc.win.trust.test -b CN=Administrator,CN=Users,DC=win,DC=trust,DC=test -s base tokengroups
SASL/GSSAPI authentication started
SASL username: IPA$@WIN.TRUST.TEST
SASL SSF: 56
SASL data security layer installed.
# extended LDIF
#
# LDAPv3
# base <CN=Administrator,CN=Users,DC=win,DC=trust,DC=test> with scope baseObject
# filter: (objectclass=*)
# requesting: tokengroups
#

# Administrator, Users, win.trust.test
dn: CN=Administrator,CN=Users,DC=win,DC=trust,DC=test
tokenGroups:: AQIAAAAAAAUgAAAAIQIAAA==
tokenGroups:: AQIAAAAAAAUgAAAAIAIAAA==
tokenGroups:: AQUAAAAAAAUVAAAA7MyrD9WWJf4D7yaHTgQAAA==
tokenGroups:: AQUAAAAAAAUVAAAA7MyrD9WWJf4D7yaHPAIAAA==
tokenGroups:: AQUAAAAAAAUVAAAA7MyrD9WWJf4D7yaHBgIAAA==
tokenGroups:: AQUAAAAAAAUVAAAA7MyrD9WWJf4D7yaHBwIAAA==
tokenGroups:: AQUAAAAAAAUVAAAA7MyrD9WWJf4D7yaHCAIAAA==
tokenGroups:: AQUAAAAAAAUVAAAA7MyrD9WWJf4D7yaHMAwAAA==
tokenGroups:: AQUAAAAAAAUVAAAA7MyrD9WWJf4D7yaHAQIAAA==
tokenGroups:: AQUAAAAAAAUVAAAA7MyrD9WWJf4D7yaHAAIAAA==

# search result
search: 4
result: 0 Success

# numResponses: 2
# numEntries: 1

-- 
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project
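The tokenGroups values returned by the ldapsearch above are base64-encoded binary SIDs (the LDIF "::" syntax), which is hard to read when you are checking what the trust account can actually see. The following is an added Python example, not code from the thread or from FreeIPA/SSSD, that parses those LDIF lines and decodes each SID into its S-1-5-... form, naming the well-known BUILTIN SIDs and default domain RIDs. It assumes the standard SID wire layout (revision byte, sub-authority count byte, 48-bit big-endian identifier authority, little-endian 32-bit sub-authorities) and embeds the tokenGroups lines exactly as printed in the reply; the well-known names are from Microsoft's documented SID list.

```python
import base64
import struct

# The tokenGroups attribute values exactly as ldapsearch printed them in the
# reply above (LDIF uses "::" to mark a base64-encoded binary value).
LDIF_OUTPUT = """\
dn: CN=Administrator,CN=Users,DC=win,DC=trust,DC=test
tokenGroups:: AQIAAAAAAAUgAAAAIQIAAA==
tokenGroups:: AQIAAAAAAAUgAAAAIAIAAA==
tokenGroups:: AQUAAAAAAAUVAAAA7MyrD9WWJf4D7yaHTgQAAA==
tokenGroups:: AQUAAAAAAAUVAAAA7MyrD9WWJf4D7yaHPAIAAA==
tokenGroups:: AQUAAAAAAAUVAAAA7MyrD9WWJf4D7yaHBgIAAA==
tokenGroups:: AQUAAAAAAAUVAAAA7MyrD9WWJf4D7yaHBwIAAA==
tokenGroups:: AQUAAAAAAAUVAAAA7MyrD9WWJf4D7yaHCAIAAA==
tokenGroups:: AQUAAAAAAAUVAAAA7MyrD9WWJf4D7yaHMAwAAA==
tokenGroups:: AQUAAAAAAAUVAAAA7MyrD9WWJf4D7yaHAQIAAA==
tokenGroups:: AQUAAAAAAAUVAAAA7MyrD9WWJf4D7yaHAAIAAA==
"""

# Well-known SIDs and RIDs as documented by Microsoft; only the ones that
# normally show up for a domain's default groups are listed here.
WELL_KNOWN_SIDS = {
    "S-1-5-32-544": "BUILTIN\\Administrators",
    "S-1-5-32-545": "BUILTIN\\Users",
}
WELL_KNOWN_DOMAIN_RIDS = {
    512: "Domain Admins",
    513: "Domain Users",
    518: "Schema Admins",
    519: "Enterprise Admins",
    520: "Group Policy Creator Owners",
    572: "Denied RODC Password Replication Group",
}


def sid_from_bytes(raw):
    """Decode a binary SID: revision (1 byte), sub-authority count (1 byte),
    48-bit big-endian identifier authority, then little-endian 32-bit
    sub-authorities. Raises ValueError on a malformed or truncated blob."""
    if len(raw) < 8:
        raise ValueError("SID blob shorter than the 8-byte header")
    revision, count = raw[0], raw[1]
    if revision != 1:
        raise ValueError("unsupported SID revision %d" % revision)
    if len(raw) != 8 + 4 * count:
        raise ValueError("SID length %d does not match %d sub-authorities"
                         % (len(raw), count))
    authority = int.from_bytes(raw[2:8], "big")
    subs = struct.unpack("<%dI" % count, raw[8:])
    return "S-%d-%d%s" % (revision, authority, "".join("-%d" % s for s in subs))


def parse_token_groups(ldif):
    """Return the decoded SID string for every 'tokenGroups::' line in LDIF text."""
    sids = []
    for line in ldif.splitlines():
        if line.startswith("tokenGroups:: "):
            blob = base64.b64decode(line.split("::", 1)[1].strip())
            sids.append(sid_from_bytes(blob))
    return sids


def domain_sid(sid):
    """Strip the RID from a domain SID (S-1-5-21-x-y-z-RID); None otherwise."""
    parts = sid.split("-")
    if sid.startswith("S-1-5-21-") and len(parts) == 8:
        return "-".join(parts[:-1])
    return None


def describe_sid(sid):
    """Name well-known BUILTIN SIDs and default domain RIDs."""
    if sid in WELL_KNOWN_SIDS:
        return WELL_KNOWN_SIDS[sid]
    if domain_sid(sid) is not None:
        rid = int(sid.rsplit("-", 1)[1])
        return WELL_KNOWN_DOMAIN_RIDS.get(rid, "domain group with RID %d" % rid)
    return "unrecognised SID"


if __name__ == "__main__":
    for sid in parse_token_groups(LDIF_OUTPUT):
        print("%-55s %s" % (sid, describe_sid(sid)))
```

Running it against the reply's output lists the two BUILTIN groups first, then eight SIDs sharing one S-1-5-21 domain prefix that end in the RIDs 1102, 572, 518, 519, 520, 3120, 513 and 512, i.e. the nested group set sssd resolves for the Administrator account. Because tokenGroups is a constructed attribute that only a base-scope search on the object returns, seeing it populated here confirms the trust principal has the read access sssd needs; an empty or missing tokenGroups with the same bind is the symptom to chase when group resolution fails.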