On Sat, 26 Aug 2017, Sigbjorn Lie-Soland via FreeIPA-users wrote:
Hi list,
I have an issue with an AD one-way trust to IPA, where the AD is
configured with a very specific set of ACLs on the various OUs where
the user accounts live. Authenticated Users cannot search for all users
in the AD LDAP directory. This is done as the AD is hosting a
multi-tenant environment, and there exists a requirement for different
customers' accounts not to be visible to everyone.
The issue for IPA is when SSSD is attempting to look up the user's
details in AD via LDAP, using its trust account
(cn=IPADOM$,cn=Users,dc=ad,dc=local). This trust account does not have
the required permissions to search for all the users in the AD LDAP
tree, so the AD user is not found by SSSD and is denied logon access.
As the IPADOM$ account is a special trust account, it is not possible to
add this account to the AD group which is normally used to grant
service accounts access to read the entire AD LDAP directory.
It is possible to do that with Samba's net utility.
Last year I wrote this solution for Red Hat Customer Portal:
https://access.redhat.com/solutions/2536681
Effectively, it has to be done this way:
# net rpc group add trust-read-only -S w12.ad.test -UAdministrator%PASSWORD
# net rpc group addmem trust-read-only 'IPAAD$' -S w12.ad.test -UAdministrator%PASSWORD
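As an added illustration (not part of the thread or of the Red Hat solution), the two `net rpc` steps above wrapped in a small POSIX shell script that also verifies the result with `net rpc group members`. It assumes the same names as the thread (DC `w12.ad.test`, group `trust-read-only`, trust account `IPAAD$`, user `Administrator`); substitute the real trust account name (`IPADOM$` in the question). Two deliberate differences from the one-liners: the password is not passed as `-U user%PASSWORD`, because anything on the command line is visible to every local user via `ps` and in shell history, so `net` is left to prompt for it; and membership is checked afterwards rather than assumed. The `is_member` helper assumes `net rpc group members` prints one `DOMAIN\name` line per member.

```shell
#!/bin/sh
# Added example, not the thread's own script. Assumed values follow the thread;
# override via environment, e.g. TRUST_ACCT='IPADOM$' DC=dc1.ad.local ./grant-trust-read.sh --apply
DC="${DC:-w12.ad.test}"
GROUP="${GROUP:-trust-read-only}"
TRUST_ACCT="${TRUST_ACCT:-IPAAD\$}"
ADMIN="${ADMIN:-Administrator}"

# is_member ACCT: read `net rpc group members` output from stdin and return 0
# when ACCT is listed. Assumed output format: one "DOMAIN\name" line per member.
is_member() {
    acct="$1"
    while IFS= read -r line; do
        member="${line##*\\}"          # strip the "DOMAIN\" prefix
        [ "$member" = "$acct" ] && return 0
    done
    return 1
}

# apply: run the thread's two commands, then verify. No "%PASSWORD" on the
# command line: net prompts for the Administrator password instead.
apply() {
    # 1. create the group; a failure here usually means it already exists
    if ! net rpc group add "$GROUP" -S "$DC" -U "$ADMIN"; then
        echo "group add failed for $GROUP (may already exist), continuing" >&2
    fi
    # 2. add the trust account to the group
    net rpc group addmem "$GROUP" "$TRUST_ACCT" -S "$DC" -U "$ADMIN" || return 1
    # 3. confirm AD actually reports the trust account as a member
    if net rpc group members "$GROUP" -S "$DC" -U "$ADMIN" | is_member "$TRUST_ACCT"; then
        echo "$TRUST_ACCT is a member of $GROUP on $DC"
    else
        echo "verification failed: $TRUST_ACCT not listed in $GROUP" >&2
        return 1
    fi
}

# Only touch the DC when explicitly asked; sourcing the file just defines helpers.
case "${1:-}" in
    --apply) apply ;;
esac
```

The group still has to be granted read access on the tenant OUs by whatever ACL mechanism the AD side uses; the script only gets the trust account into the group, which is the part that cannot be done through the usual AD management tools.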
--
/ Alexander Bokovoy