> On Tue, 11 May 2021, Owen Vincent via FreeIPA-users wrote:
> I wonder where it tries to perform this operation -- on the AD side or on
> the IPA side.
This was on the AD side. Our AD Admin opened the TDO in the ADSI Editor and tried to
manually set the value of msDS-SupportedEncryptedTypes, which produced the error.
That’s part of what brought me here. I was fairly sure our problems had to do with the TDO
not having the correct encryption settings (which you have confirmed), but we have also
encountered problems setting them manually and I was hoping someone here had had similar
issues and maybe even found a solution for them.
> I think it should work. This is basically an AD permissions issue. If AD
> DCs accept the creds, they'll do the checks and they should be allowing
> the Incoming Forest Trust Builders group according to Microsoft's
> documentation.
If I can’t figure anything else out, I will likely try this.
> No, this does not work. I just tried and the IPA$ user object does not have
> write privileges on the TDO:
>
> [root@m1 ~]# kinit -kt /var/lib/sss/keytabs/ad.test.keytab 'IPA$@AD.TEST'
> [root@m1 ~]# klist
> Ticket cache: KCM:0
> Default principal: IPA$@AD.TEST
>
> Valid starting       Expires              Service principal
> 05/11/21 14:38:14    05/12/21 00:38:14    krbtgt/AD.TEST@AD.TEST
>         renew until 05/12/21 14:38:14
> [root@m1 ~]# ldapmodify -Y GSSAPI -h dc.ad.test
> SASL/GSSAPI authentication started
> SASL username: IPA$@AD.TEST
> SASL SSF: 256
> SASL data security layer installed.
> dn: CN=ipa.test,CN=System,DC=ad,DC=test
> changetype: modify
> replace: msDS-SupportedEncryptionTypes
> msDS-SupportedEncryptionTypes: 0
>
> modifying entry "CN=ipa.test,CN=System,DC=ad,DC=test"
> ldap_modify: Insufficient access (50)
>         additional info: 00002098: SecErr: DSID-03150F9D, problem 4003 (INSUFF_ACCESS_RIGHTS), data 0
I kind of assumed that would have been too easy. I was just taking a guess as you said
there was no way to update the entry from IPA side without AD admin credentials “until the
trust was verified” which I interpreted to mean that once the trust was verified, it would
be possible to push the encryption settings to AD. I guess I was just being too hopeful.
I’ll update you once I have talked to the AD admin and tried some of the options we have
discussed.
Best,
Owen
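Added example, not code from the thread or from the FreeIPA project: a small Python helper that reads the msDS-SupportedEncryptionTypes value of a trusted-domain object from an ldapsearch/LDIF fragment, decodes the bitmask, and reports whether the trust advertises AES, still allows RC4/DES, or has nothing set. The bit values are Microsoft's published ones for this attribute; the TDO sample is constructed.

```python
# Added helper (not from the thread): decode and assess msDS-SupportedEncryptionTypes
# on a trusted-domain object. Bit values follow Microsoft's definition of the
# attribute (MS-KILE 2.2.7); other bits (FAST/claims flags) are passed through.
import re

ENCTYPE_BITS = {
    0x01: "DES-CBC-CRC",
    0x02: "DES-CBC-MD5",
    0x04: "RC4-HMAC",
    0x08: "AES128-CTS-HMAC-SHA1-96",
    0x10: "AES256-CTS-HMAC-SHA1-96",
}
AES_BITS = 0x18     # value (24) that the "other domain supports AES" trust checkbox sets
LEGACY_BITS = 0x07  # DES and RC4 bits


def decode_enctypes(value):
    """Return (enctype names, leftover non-enctype bits) for an attribute value."""
    value &= 0xFFFFFFFF  # 32-bit attribute; some LDAP clients print it signed
    names = [name for bit, name in sorted(ENCTYPE_BITS.items()) if value & bit]
    return names, value & ~sum(ENCTYPE_BITS)


def encode_enctypes(names):
    """Inverse of decode_enctypes: bitmask for a set of enctype names."""
    by_name = {v: k for k, v in ENCTYPE_BITS.items()}
    return sum(by_name[n] for n in names)


def assess_tdo(ldif):
    """Parse an LDIF fragment of a TDO and classify its Kerberos enctype policy."""
    m = re.search(r"^msDS-SupportedEncryptionTypes:\s*(-?\d+)\s*$", ldif, re.M)
    if m is None:  # absent attribute: AD falls back to RC4-HMAC for the trust
        return {"value": None, "enctypes": [], "other_flags": 0, "verdict": "unset (RC4 default)"}
    value = int(m.group(1))
    names, other = decode_enctypes(value)
    if value & LEGACY_BITS:
        verdict = "legacy enctypes enabled"
    elif value & AES_BITS:
        verdict = "AES only"
    else:
        verdict = "no enctype bits set (RC4 default)"
    return {"value": value, "enctypes": names, "other_flags": other, "verdict": verdict}


# Constructed sample: the TDO named in the thread, with the AES bits set.
SAMPLE_TDO = """dn: CN=ipa.test,CN=System,DC=ad,DC=test
msDS-SupportedEncryptionTypes: 24
"""
```

Feed it the output of an ldapsearch for the TDO (run as an AD account that can read CN=System) to confirm what the trust actually advertises before changing anything.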