On 08/26/2017 09:24 PM, Alexander Bokovoy via FreeIPA-users wrote:
> On Sat, 26 Aug 2017, Sigbjorn Lie-Soland via FreeIPA-users wrote:
>> Hi list,
>>
>> I have an issue with an AD one-way trust to IPA, where the AD is
>> configured with a very specific set of ACLs on the various OUs where
>> the user accounts live. Authenticated Users cannot search for all users
>> in the AD LDAP directory. This is done as the AD is hosting a
>> multi-tenant environment, and there exists a requirement for different
>> customers' accounts not to be visible by everyone.
>>
>> The issue for IPA is when SSSD is attempting to look up the user's
>> details in AD via LDAP, using its trust account
>> (cn=IPADOM$,cn=Users,dc=ad,dc=local). This trust account does not have
>> the required permissions to search for all the users in the AD LDAP
>> tree, the AD user is not found by SSSD, and is denied logon access.
>>
>> As the IPADOM$ account is a special trust account, it is not possible to
>> add this account to the AD group which is normally used to grant access
>> to service accounts to read the entire AD LDAP directory.
> It is possible to do that with Samba's net utility.
> Last year I wrote this solution for Red Hat Customer Portal:
> https://access.redhat.com/solutions/2536681
> Effectively, it has to be done this way:
> # net rpc group add trust-read-only -S w12.ad.test -UAdministrator%PASSWORD
> # net rpc group addmem trust-read-only 'IPAAD$' -S w12.ad.test -UAdministrator%PASSWORD
Excellent!
Just tested in our lab, and it worked beautifully! :)
Thank you!
BTW, I did search the KB at access.redhat.com, but I did not come across
this KB for some reason.
Regards,
Siggi
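Alexander's two net commands above, as an added shell example that is not part of the thread: it creates the read-only group and adds the trust account idempotently, verifies the membership afterwards with net rpc group members, and reads the AD administrator credentials from a Samba authentication file (-A) instead of a -U user%PASSWORD argument, which would be visible in process listings and shell history. The DC name w12.ad.test, the group name and the IPAAD$ account come from Alexander's commands; the authentication-file path is an assumed placeholder.

```shell
#!/bin/sh
# Added example, not from the thread: put the IPA trust account into a
# dedicated AD group the way Alexander's net commands do, but idempotently,
# with verification, and with the AD admin credentials read from a Samba
# authentication file (-A) rather than passed as -U user%PASSWORD, which
# would show up in ps output and shell history.
# Assumed placeholder: AUTHFILE. DC, group and account come from the thread.

DC="${DC:-w12.ad.test}"
AUTHFILE="${AUTHFILE:-/root/.ad-admin.auth}"  # username=/password=/domain= lines, mode 0600
GROUP="${GROUP:-trust-read-only}"
TRUST_ACCT="${TRUST_ACCT:-IPAAD\$}"           # trust account name as AD sees it

# Create the group only if it is not already listed on the DC.
ensure_group() {
    if net rpc group list -S "$DC" -A "$AUTHFILE" | grep -qx -- "$GROUP"; then
        echo "group $GROUP already exists"
    else
        net rpc group add "$GROUP" -S "$DC" -A "$AUTHFILE"
    fi
}

# Add the trust account only if it is not already a member.
ensure_member() {
    if net rpc group members "$GROUP" -S "$DC" -A "$AUTHFILE" | grep -qF -- "$TRUST_ACCT"; then
        echo "$TRUST_ACCT already in $GROUP"
    else
        net rpc group addmem "$GROUP" "$TRUST_ACCT" -S "$DC" -A "$AUTHFILE"
    fi
}

# Succeeds only when the DC now reports the trust account as a member.
verify_member() {
    net rpc group members "$GROUP" -S "$DC" -A "$AUTHFILE" | grep -qF -- "$TRUST_ACCT"
}

main() {
    ensure_group && ensure_member && verify_member
}

# Run only when invoked as: sh this_script.sh --apply
case "${1:-}" in --apply) main ;; esac
```

The grep -F matters because the trailing $ in IPAAD$ is a literal character, not an end-of-line anchor.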