Thank you for the info, Alexander, the blog post helped clear up some ambiguity. Makes
sense now.
I have no qualms about renaming the hosts to live under the ipa subdomain instead of the
main domain, and SSO is not required.
The idea is, SSH into linux boxes from arbitrary location using AD password, respecting
uid/gid/homedir listed in unixAttrs, and respecting AD group memberships. We like indirect
IPA integration instead of direct integration because of the centralized management
features and the trust views.
So, can I expect the configuration below to work properly if the clients were moved to
example.ipa.splat.acme.com, and if DNS for this subdomain were managed by the IPA
servers?
Thank you for your time,
D
‐‐‐‐‐‐‐ Original Message ‐‐‐‐‐‐‐
On Monday, April 8, 2019 11:49 AM, Alexander Bokovoy via FreeIPA-users
<freeipa-users(a)lists.fedorahosted.org> wrote:
On Mon, 08 Apr 2019, D via FreeIPA-users wrote:
> Hello,
> We're currently evaluating FreeIPA for handling the linux side of idm,
> with AD as the upstream provider.
> At this time, it seems everything is working well, but SSH into both
> ipa clients and servers as AD users does not. Sumit has provided a few
> suggestions in the past which have been addressed.
> The setup is stock with the following config:
>
> - M$ AD 2016, FreeIPA 4.6.4, sssd 1.16.2-13, all el7.6
>
> - Verified two-way trust between IPA and AD
>
> - AD domain is splat.acme.com, IPA domain is ipa.splat.acme.com
>
> - All ipa-clients are on the splat.acme.com domain, and all users are
> username(a)splat.acme.com
>
> - Only ipa-servers are on the ipa.splat.acme.com domain.
>
> - In our setup, UID == GID, not sure if that matters.
>
> - In SSSD, under ipa.splat.acme.com, ldap_search_timeout and
> krb5_auth_timeout have been increased.
>
With this setup (IPA clients are in a DNS domain owned by AD), no single
sign-on as AD user will be possible from AD workstations to IPA clients.
This is by Active Directory design where an AD domain owns the DNS zone
named as the AD domain. One cannot punch holes or delegate Kerberos
authentication to resources located on the hosts in this DNS zone to any
other Kerberos realm (or other AD domain).
See
https://www.freeipa.org/page/V4/IPA_Client_in_Active_Directory_DNS_domain
for technical details. See
https://www.redhat.com/en/blog/i-really-cant-rename-my-hosts for a
higher-level and business-oriented overview of the problem and possible
solutions (to which SSO is not possible with Kerberos anyway).
/ Alexander Bokovoy
Sr. Principal Software Engineer
Security / Identity Management Engineering
Red Hat Limited, Finland
FreeIPA-users mailing list -- freeipa-users(a)lists.fedorahosted.org