On pe, 26 loka 2018, Winfried de Heiden wrote:
Hi all,
Refering to this bit of older post,
What now the difference between a One-way or Two-Way Trust anyway....? The docs are not
too clear abut it:
" Two-way trust enables AD users and groups to access resources in IdM.
However, the two-way trust in IdM does not give the users any additional
rights compared to the one-way trust solution in AD. Both solutions are
considered equally secure because of default cross-forest trust SID
filtering settings"
What a use-case for using a Two-Way Trust? (since Windows cannot use
IPA as a AD replacement)
Originally we implemented two-way trust first because it
was easier to
do than one-way trust from technical perspective. It allowed machines
from IPA domain to directly query AD DCs about needed information using
their own host/... Kerberos principals for authentication purposes.
However, a lot of customers were concerned with with AD trusting IPA
because it wasn't how AD domain controllers resolved identities (and ran
authentication proxying) over trust. We implemented one-way trust with a
proper setup and actually moved to always use the credentials
one-way-like in two-way trust too with FreeIPA 4.6/latest SSSD
1.15/1.16.
However, there is one missing part for a one-way trust: a one-way trust
with a shared secret. If you are using a shared secret that is provided
to you by AD admins (as opposed to be generated by 'ipa trust-add'
automatically), one-way trust cannot be established. A long story short,
both FreeIPA and SSSD lacked required logic to allow Windows to
perform validation of the trust in this case from a Windows UI and we
couldn't initiate the validation from IPA side as we didn't have
administrative credentials to AD DCs.
So right now two-way trust with a shared secret is your solution for
this case, although I'd rather suggest to establish a normal one-way
trust with AD admin credentials to get a stronger trust secret generated
for you by 'ipa trust-add'.
Winfried
-----Oorspronkelijk bericht-----
Van: Alexander Bokovoy via FreeIPA-users <freeipa-users(a)lists.fedorahosted.org>
Antwoord-naar: FreeIPA users list <freeipa-users(a)lists.fedorahosted.org>
Aan: FreeIPA users list <freeipa-users(a)lists.fedorahosted.org>
Cc: Michal Sladek <michal(a)sladkovi.eu>, Alexander Bokovoy
<abokovoy(a)redhat.com>
Onderwerp: [Freeipa-users] Re: Is IPA-AD two-way trust really two-way?
Datum: Thu, 23 Aug 2018 12:08:17 +0300
On to, 23 elo 2018, Michal Sladek via FreeIPA-users wrote:
Hello,
I would like to use IPA server in heterogeneous environment with Linux servers and Windows
workstations.IPA domain would be used as a primary source of users and groups.AD domain
would be used for management of Widows hosts only (group policies etc.).
I have setup a test network with two-trust between AD and IPA domainand realized, that IPA
domain sees AD users but AD domain doesn't seeIPA users. Am I missing something or the
two-way trust is not two-wayin fact?It is two-way in principle. However, FreeIPA does not
implement featuresrequired by AD DC to resolve IPA users on Windows workstations. It is
onour long term roadmap.
-- / Alexander BokovoySr. Principal Software EngineerSecurity / Identity Management
EngineeringRed Hat Limited,
Finland_______________________________________________FreeIPA-users mailing list --
freeipa-users(a)lists.fedorahosted.orgTo unsubscribe send an email to
freeipa-users-leave(a)lists.fedorahosted.orgFedora Code of Conduct:
https://getfedora.org/code-of-conduct.htmlList Guidelines:
https://fedoraproject.org/wiki/Mailing_list_guidelinesList Archives:
https://lists.fedoraproject.org/archives/list/freeipa-users@lists.fedorah...
--
/ Alexander Bokovoy
Sr. Principal Software Engineer
Security / Identity Management Engineering
Red Hat Limited, Finland