On Mon, 16 Jan 2023, Ronald Wimmer via FreeIPA-users wrote:
>On 16.01.23 20:16, Alexander Bokovoy via FreeIPA-users wrote:
>>On Mon, 16 Jan 2023, Ronald Wimmer via FreeIPA-users wrote:
>>>
>>>
>>>On 16.01.23 15:48, Alexander Bokovoy via FreeIPA-users wrote:
>>>>On Mon, 16 Jan 2023, Ronald Wimmer via FreeIPA-users wrote:
>>>>>I have a setup where we have four IPA servers. Two of them are
>>>>>able to talk to the AD Domain Controllers directly. I set them
>>>>>up as AD Trust controllers.
>>>>>
>>>>>The other two IPA servers can only talk to these IPA servers
>>>>>and not to the AD DCs directly. That's why I wanted them to
>>>>>have the Trust Agent Role only.
>>>>
>>>>Trust Agent also should be able to talk to AD DCs. If those servers
>>>>cannot talk to AD DCs, they cannot be trust agents.
>>>
>>>So it seems that I have misunderstood how trust agents can be
>>>used. I thought AD communication is only done on trust controllers
>>>whereas trust agents are some kind of proxies.
>>
>>They aren't proxies but since they don't run DC services expected by
>>Active Directory domain controllers, they cannot be contacted by AD DCs
>>to perform normal LSA RPC calls. So they are agents in this sense: they
>>cannot participate in DC to DC communication with Active Directory DCs.
>>Identity resolution on agents is performed by SSSD which talks to LDAP
>>services of AD DCs, not the other direction.
>Thanks for clarifying that. But what's the benefit of using trust
>agents then?
Just that: when trust is established and you don't need anything to act
from AD DC side, use of trust agents reduces an attack surface as no
Samba services would be running on that system.
>What I tried to accomplish was putting two IPA servers in the same
>firewall zone as the windows AD DCs. Another two IPA servers reside in
>the same zone where potential IPA clients are. Clients should have
>communicated only with the IPA servers within the same zone. (Of
>course, IPA servers could have communicated amongst each other) - Am I
>right that there is no possibility of realizing such a scenario?
>(because clients always need to be able to talk to the AD DCs?)
There is no way to achieve that without IPA servers being able to talk
to AD DCs. You are right as well: clients must always be able to talk to
AD DCs for authentication, e.g. Kerberos. This part can be routed via a
KDC proxy on the IPA server side, but the IPA server itself has to have
direct access to AD DCs.
IPA trust agents need to talk LDAP and Kerberos to AD DCs; IPA clients
only need to talk Kerberos to AD DCs and LDAP/Kerberos to IPA servers.
--
/ Alexander Bokovoy
Sr. Principal Software Engineer
Security / Identity Management Engineering
Red Hat Limited, Finland
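The last paragraph of the reply above is effectively a firewall rule set per role. The script below is an added example, not part of this thread and not FreeIPA's own tooling: it enumerates the outbound flows each role needs (trust controller, trust agent, enrolled client) and probes them with a plain TCP connect, so the zoning Ronald describes can be verified from each box before a role is assigned. The host names are hypothetical placeholders (override them through the environment), and the port numbers are the standard Kerberos (88) and LDAP (389) ports, which the thread itself does not spell out. Inbound connections from AD DCs to a trust controller's Samba services cannot be probed from the controller and are only noted.

```shell
#!/usr/bin/env bash
# Added example; not code from the mailing-list thread or from FreeIPA.
# Enumerates the outbound flows each IPA role needs, as summarised in the
# reply above, and probes them with a TCP connect so firewall zoning can be
# checked before roles are assigned. Host names below are hypothetical
# placeholders; ports are the well-known Kerberos (88) and LDAP (389) ports.
# Kerberos may also use udp/88, which a TCP probe does not cover.

AD_DCS="${AD_DCS:-dc1.ad.example.test dc2.ad.example.test}"            # assumed
IPA_SERVERS="${IPA_SERVERS:-ipa1.ipa.example.test ipa2.ipa.example.test}"  # assumed
TIMEOUT="${TIMEOUT:-3}"

# Print one "target proto port purpose" line per required outbound flow.
# target is "ad-dc" (any AD domain controller) or "ipa" (any IPA server).
required_flows() {
  case "$1" in
    trust-agent)
      # SSSD on an agent resolves AD identities itself: LDAP and Kerberos
      # straight to the AD DCs (use 636 instead of 389 if you enforce LDAPS).
      printf '%s\n' \
        "ad-dc tcp 88 kerberos" \
        "ad-dc tcp 389 ldap"
      ;;
    trust-controller)
      # Same outbound needs as an agent. A controller additionally runs Samba
      # DC services that the AD DCs contact inbound (LSA RPC); that direction
      # must be verified from the AD side and is not probed here.
      required_flows trust-agent
      ;;
    client)
      # Enrolled clients authenticate AD users against the AD DCs directly
      # (Kerberos only) and talk LDAP/Kerberos to the IPA servers.
      printf '%s\n' \
        "ad-dc tcp 88 kerberos" \
        "ipa tcp 88 kerberos" \
        "ipa tcp 389 ldap"
      ;;
    *)
      echo "unknown role: $1 (expected trust-controller, trust-agent or client)" >&2
      return 2
      ;;
  esac
}

# TCP connect probe: exit 0 if host:port accepts a connection within TIMEOUT.
# Uses bash's /dev/tcp so no nc/nmap dependency is needed.
probe() {
  timeout "$TIMEOUT" bash -c "exec 3<>/dev/tcp/$1/$2" 2>/dev/null
}

# Probe every flow a role needs; print one line per host and return
# non-zero if any flow is blocked.
check_role() {
  flows=$(required_flows "$1") || return 2
  failed=0
  while read -r target proto port purpose; do
    case "$target" in
      ad-dc) hosts=$AD_DCS ;;
      ipa)   hosts=$IPA_SERVERS ;;
    esac
    for h in $hosts; do
      if probe "$h" "$port"; then
        printf 'ok   %-30s %s/%s (%s)\n' "$h" "$proto" "$port" "$purpose"
      else
        printf 'FAIL %-30s %s/%s (%s)\n' "$h" "$proto" "$port" "$purpose"
        failed=1
      fi
    done
  done <<EOF
$flows
EOF
  return $failed
}

# Usage: ./ipa-role-flows.sh trust-agent   (run on the host in question)
if [ $# -gt 0 ]; then
  check_role "$1"
fi
```

Run it on each of the four servers with the role you intend to give it; a `FAIL` line against an AD DC on a box meant to be a trust agent reproduces exactly the situation in the thread, since an agent has the same outbound requirements as a controller and only drops the inbound Samba side.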