Hi all,
Thanks! This explains a lot, I'm happy :)
Winfried
Alexander Bokovoy via FreeIPA-users wrote on 26-10-2018 11:16:
> On Fri, 26 Oct 2018, Winfried de Heiden wrote:
>> Hi all,
>>
>> Referring to this bit of an older post,
>>
>> So what is the difference between a One-way and a Two-Way Trust anyway...?
>> The docs are not too clear about it:
>>
>> "Two-way trust enables AD users and groups to access resources in IdM.
>> However, the two-way trust in IdM does not give the users any additional
>> rights compared to the one-way trust solution in AD. Both solutions are
>> considered equally secure because of default cross-forest trust SID
>> filtering settings"
>>
>> What is a use-case for a Two-Way Trust? (since Windows cannot use
>> IPA as an AD replacement)
> Originally we implemented two-way trust first because it was easier to
> do than one-way trust from a technical perspective. It allowed machines
> from the IPA domain to directly query AD DCs about the needed information
> using their own host/... Kerberos principals for authentication purposes.
>
> However, a lot of customers were concerned with AD trusting IPA
> because it wasn't how AD domain controllers resolved identities (and
> ran authentication proxying) over a trust. We implemented one-way trust
> with a proper setup and actually moved to always use the credentials
> one-way-like in two-way trust too with FreeIPA 4.6/latest SSSD
> 1.15/1.16.
>
> However, there is one missing part for a one-way trust: a one-way trust
> with a shared secret. If you are using a shared secret that is provided
> to you by AD admins (as opposed to one generated by 'ipa trust-add'
> automatically), a one-way trust cannot be established. Long story short,
> both FreeIPA and SSSD lacked the required logic to allow Windows to
> perform validation of the trust in this case from a Windows UI, and we
> couldn't initiate the validation from the IPA side as we didn't have
> administrative credentials for the AD DCs.
>
> So right now two-way trust with a shared secret is your solution for
> this case, although I'd rather suggest establishing a normal one-way
> trust with AD admin credentials to get a stronger trust secret
> generated for you by 'ipa trust-add'.
>
>>
>> Winfried
>>
>> -----Original message-----
>> From: Alexander Bokovoy via FreeIPA-users
>> <freeipa-users(a)lists.fedorahosted.org>
>> Reply-to: FreeIPA users list
>> <freeipa-users(a)lists.fedorahosted.org>
>> To: FreeIPA users list <freeipa-users(a)lists.fedorahosted.org>
>> Cc: Michal Sladek <michal(a)sladkovi.eu>, Alexander Bokovoy
>> <abokovoy(a)redhat.com>
>> Subject: [Freeipa-users] Re: Is IPA-AD two-way trust really two-way?
>> Date: Thu, 23 Aug 2018 12:08:17 +0300
>>
>> On Thu, 23 Aug 2018, Michal Sladek via FreeIPA-users wrote:
>>> Hello,
>>> I would like to use IPA server in a heterogeneous environment with Linux
>>> servers and Windows workstations. IPA domain would be used as a primary
>>> source of users and groups. AD domain would be used for management of
>>> Windows hosts only (group policies etc.).
>>> I have set up a test network with two-way trust between AD and IPA
>>> domain and realized that IPA domain sees AD users but AD domain
>>> doesn't see IPA users. Am I missing something or is the two-way trust
>>> not two-way in fact?
>> It is two-way in principle. However, FreeIPA does not implement features
>> required by AD DC to resolve IPA users on Windows workstations. It is on
>> our long term roadmap.
>> --
>> / Alexander Bokovoy
>> Sr. Principal Software Engineer
>> Security / Identity Management Engineering
>> Red Hat Limited, Finland