On Mon, 08 Apr 2019, D via FreeIPA-users wrote:
> Hello,
> We're currently evaluating FreeIPA for handling the Linux side of IdM,
> with AD as the upstream provider.
> At this time, it seems everything is working well, but SSH into both
> IPA clients and servers as AD users does not. Sumit has provided a few
> suggestions in the past which have been addressed.
> The setup is stock with the following config:
> - M$ AD 2016, FreeIPA 4.6.4, sssd 1.16.2-13, all el7.6
> - Verified two-way trust between IPA and AD
> - AD domain is splat.acme.com, IPA domain is ipa.splat.acme.com
> - All ipa-clients are on the splat.acme.com domain, and all users are
>   username(a)splat.acme.com
> - Only ipa-servers are on the ipa.splat.acme.com domain.
> - In our setup, UID == GID, not sure if that matters.
> - In SSSD, under ipa.splat.acme.com, ldap_search_timeout and
>   krb5_auth_timeout have been increased.
With this setup (IPA clients are in a DNS domain owned by AD), no single
sign-on as an AD user will be possible from AD workstations to IPA clients.
This is by Active Directory design: an AD domain owns the DNS zone
named after the AD domain. One cannot punch holes or delegate Kerberos
authentication for resources located on hosts in this DNS zone to any
other Kerberos realm (or other AD domain).

See
https://www.freeipa.org/page/V4/IPA_Client_in_Active_Directory_DNS_domain
for technical details. See
https://www.redhat.com/en/blog/i-really-cant-rename-my-hosts for a higher
level, business-oriented overview of the problem and possible
solutions (for which SSO is not possible with Kerberos anyway).
--
/ Alexander Bokovoy
Sr. Principal Software Engineer
Security / Identity Management Engineering
Red Hat Limited, Finland
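The following is an added illustration, not code from the thread, FreeIPA or SSSD. It models the realm-selection step that Alexander's reply hinges on: a KDC (or a Kerberos client) decides which realm owns a service principal such as host/client1.splat.acme.com by the longest matching DNS suffix of the host name, and an AD domain controller treats every host under its own DNS zone as its own, so it never issues a cross-realm referral for such a host even when the host is actually enrolled in IPA. The realm table, the `kind` flag, the host names and the helper functions are constructed for this example; the domain names follow the thread.

```python
# Added example (not part of the original thread or of FreeIPA/SSSD).
# Models how an AD KDC maps a host SPN to a realm by DNS suffix and why a
# host enrolled in IPA but named inside the AD-owned DNS zone cannot get SSO.

# Constructed realm table: DNS zone -> (Kerberos realm, who owns the zone).
# "ad" marks a zone that an AD domain claims as its own and will not delegate
# to another realm; "ipa" marks a zone IPA is authoritative for.
REALM_BY_DNS_ZONE = {
    "splat.acme.com": ("SPLAT.ACME.COM", "ad"),
    "ipa.splat.acme.com": ("IPA.SPLAT.ACME.COM", "ipa"),
}

# Realm of the AD workstation initiating the request (assumption for the model).
AD_REALM = "SPLAT.ACME.COM"


def realm_for_host(fqdn, table=REALM_BY_DNS_ZONE):
    """Longest-suffix match of the host's parent zones against the table.

    Returns (realm, kind, matched_zone), or (None, None, None) if no parent
    zone of the host is known. Iterating from the longest candidate first
    means a delegated sub-zone wins over its parent.
    """
    labels = fqdn.lower().rstrip(".").split(".")
    for i in range(1, len(labels)):
        zone = ".".join(labels[i:])
        if zone in table:
            realm, kind = table[zone]
            return realm, kind, zone
    return None, None, None


def sso_from_ad_workstation(target_fqdn, host_realm, table=REALM_BY_DNS_ZONE):
    """Decide whether an AD workstation can obtain host/<target_fqdn>.

    host_realm is the realm the target is actually enrolled in. The AD KDC
    picks the realm by DNS suffix: if the suffix is its own zone it must find
    the SPN locally and will not refer elsewhere; if the suffix belongs to a
    trusted realm it issues a referral. Returns (sso_possible, reason).
    """
    suffix_realm, kind, zone = realm_for_host(target_fqdn, table)
    spn = f"host/{target_fqdn}@{host_realm}"

    if suffix_realm is None:
        return False, f"no realm is known for {target_fqdn}; the KDC cannot locate {spn}"

    if suffix_realm == host_realm:
        if suffix_realm == AD_REALM:
            return True, f"{zone} is the AD zone and the host is AD-joined; ticket issued locally"
        return True, f"{zone} belongs to trusted realm {suffix_realm}; KDC refers the client there"

    if kind == "ad":
        # The thread's situation: host named in the AD zone, enrolled in IPA.
        return False, (f"{zone} is the AD domain's own DNS zone, so the AD KDC treats "
                       f"{target_fqdn} as its own host and will not refer to {host_realm}")

    return False, f"{zone} is owned by {suffix_realm}, not by {host_realm}; SPN mismatch"


if __name__ == "__main__":
    # IPA client named inside the AD zone (the poster's setup): no SSO.
    print(sso_from_ad_workstation("client1.splat.acme.com", "IPA.SPLAT.ACME.COM"))
    # IPA server in the IPA zone: referral over the trust works.
    print(sso_from_ad_workstation("ipa1.ipa.splat.acme.com", "IPA.SPLAT.ACME.COM"))
    # The rename-hosts fix: a DNS zone delegated to IPA (constructed name).
    fixed = dict(REALM_BY_DNS_ZONE)
    fixed["linux.splat.acme.com"] = ("IPA.SPLAT.ACME.COM", "ipa")
    print(sso_from_ad_workstation("client1.linux.splat.acme.com",
                                  "IPA.SPLAT.ACME.COM", fixed))
```

The third case in the `__main__` block is the "rename your hosts" remedy from the linked blog post expressed in the same model: once the client's name sits under a zone that maps to the IPA realm (here the constructed `linux.splat.acme.com`), the suffix match lands on IPA.SPLAT.ACME.COM and the AD KDC hands out a referral instead of failing the lookup locally.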