URL:
https://github.com/freeipa/freeipa/pull/2926
Author: abbra
Title: #2926: support shared secret trust established from Active Directory domain controller side
Action: opened
PR body:
"""
FreeIPA does support trust to an Active Directory forest. The trust can be
established using administrative credentials from the forest root domain or
using a so-called shared secret. In the latter case no administrative access is
given to the remote side of the trust and each administrator performs their
configuration separately: the FreeIPA administrator configures the IPA side, and the Active
Directory administrator adds the IPA forest as a trusted one on the Active
Directory side.
For the trust to be active, one needs to validate it. The validation process includes a
sequence of DCE RPC calls that force a domain controller on the trusted side
to establish a so-called "secure channel" to a remote domain controller in the
trusting domain. This is an administrative operation and requires
administrative privileges to activate. If the trust was established using a shared
secret, the IPA side will lack the ability to initiate a validation process.
At the same time, FreeIPA 4.6 or earlier versions do not include functionality
to allow a remote validation from Active Directory to happen before trust
objects are created and SSSD can retrieve information from the Active Directory
side. Unfortunately, the latter is not possible until the trust is validated.
The purpose of this design is to extend FreeIPA setup to allow trust validation
to be initiated from Windows UI in case a shared secret is used to create a
trust agreement.
TODO: while this code is useful as it is, there is no way to force AD DC to pull forest
trust information from IPA DC side. This is due to the fact that Samba does not implement
a required RPC call in the mode used by IPA. We need to implement a command that would
allow pushing the forest trust topology from IPA side but this command requires
administrative privileges on AD side which makes the situation a bit weird for a
shared-secret trust.
A lack of forest trust topology update does not prevent resolving users through the trust
link. It only prevents single sign-on from Windows side to IPA resources using GSSAPI.
Password-based authentication works fine.
"""
To pull the PR as a Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/2926/head:pr2926
git checkout pr2926