On 2025-03-27 08:48, Alexander Bokovoy wrote:
> Resolving IPA users on Windows machines is not supported and is not in
> the scope of trust to Active Directory feature.
Hmm... What exactly would be needed to achieve this? Global Catalog
support? I assume it would be a much sought-after use case. In our setup,
our Windows servers and clients are just a few lonely islands.
https://www.server-world.info/en/note?os=AlmaLinux_9&p=freeipa&f=8
I know that full Windows logon won't work. But I had hopes that the file
services in question would. If manual user mapping (via ksetup or
something similar that can make Windows logon with Kerberos
credentials work) is possible, that would suffice as well.
> See the note on this page:
> https://docs.redhat.com/en/documentation/red_hat_enterprise_linux/9/html/using_external_red_hat_utilities_with_identity_management/setting-up-samba-on-an-idm-domain-member_using-external-red-hat-utilities-with-idm#setting-up-samba-on-an-idm-domain-member_using-external-red-hat-utilities-with-idm
Yes, we have several Samba servers in our production IPA environment
already using this configuration. We have been running similar setups
for 10+ years with native Samba and MIT Kerberos setups in other
environments. The goal here was to try to integrate a native Windows
file server into the environment.
We have also done ID mapping via ksetup to make Windows Terminal Servers
accept Kerberos (username/password) logons, with manual (to local) identity
mapping, and synced users/groups (without passwords, etc.) via simple
scripts. This approach could be acceptable if it were possible to issue
(and install on the Windows side) a service principal for either
TERMSRV or CIFS, but I have not found a way to do this. If anyone else has
input on how to achieve this (or a firm confirmation that it is
impossible), it would be greatly appreciated.
And how about Samba: does anyone know if such a setup would work
there? That is: a Samba AD populated with the real users and groups,
and a Microsoft server running its own AD trusting the Samba realm,
but not the other way around? (Yes, I know that the server could join
the Samba domain instead, but this is not the point in this
lab exercise.)
> Samba AD implements most of AD DC compatibility, so it would work.
> https://wiki.samba.org/index.php/Active_Directory_Trusts
I read somewhere that there was a two-way-only limitation in Samba; it
seems like it's still there.
Is there any information about the work on IPA-to-IPA trust? I read
with great enjoyment last year's progress report on this:
https://vda.li/posts/2024/05/31/ipa-ipa-trust-progress/
> You can watch our talk at FOSDEM 2025:
> https://fosdem.org/2025/schedule/event/fosdem-2025-5178-building-cross-domain-trust-between-freeipa-deployments/
Thank you, a joy to watch. I will look into the demo resources you
mention in the talk and start playing around with them, after we have
exhausted our current AD-trust playground.
Is a one-way trust relationship in scope as well? I often
find this the most needed use case. I guess it won't matter that much,
since I can set up almost whichever rights I want for the trusted
domain, and a trust relationship doesn't mean that privileges follow
automatically.
--
Kind regards
Jostein Fossheim
Managing Director
Skyfritt AS
TLF: +47 40 86 10 77
https://www.skyfritt.net
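The manual ksetup-based identity mapping Jostein describes above (a stand-alone Windows machine trusting an IPA/MIT Kerberos realm for logon, with principals mapped to local accounts), written out as an added example. This is not code from the thread, from FreeIPA or from Microsoft; the realm name IPA.EXAMPLE.COM, the KDC host ipa.example.com, the machine name win-ts.example.com, the host-principal password and the account names are assumptions. It covers only the workstation-logon mapping the message reports working; it does not issue a TERMSRV or CIFS service principal, which the message says has not been achieved.

```powershell
# Added example: map an IPA (MIT Kerberos) realm on a non-domain-joined
# Windows host with ksetup so that IPA principals can log on as local
# accounts. Run in an elevated PowerShell; ksetup changes take effect
# after a reboot. All names and the password below are assumptions.

$Realm = 'IPA.EXAMPLE.COM'   # assumed IPA Kerberos realm (must be upper-case)
$Kdc   = 'ipa.example.com'   # assumed IPA server acting as KDC and kpasswd server

# 1. Tell Windows which realm this machine belongs to and where its KDC is.
ksetup /setrealm $Realm
ksetup /addkdc $Realm $Kdc
ksetup /addkpasswd $Realm $Kdc

# 2. Set the key of the machine's own host principal (host/win-ts.example.com@IPA.EXAMPLE.COM).
#    The same secret must be set for that principal on the IPA side, e.g. (assumed commands):
#      ipa host-add win-ts.example.com
#      ipa-getkeytab -s ipa.example.com -p host/[email protected] -P -k /tmp/win-ts.keytab
#    entering the identical password at the -P prompt. Use a long random value in practice.
ksetup /setcomputerpassword 'REPLACE-WITH-A-LONG-RANDOM-SECRET'

# 3. Realm flags: use TCP so large tickets (many group memberships) are not truncated.
ksetup /addrealmflags $Realm tcpsupported

# 4. Map IPA principals to local accounts (the "manual (to local) identity mapping").
#    The local accounts must already exist; a sync script creates them without passwords.
ksetup /mapuser [email protected] alice
ksetup /mapuser [email protected] bob
#    Alternative: map every principal to the local account of the same name.
#    ksetup /mapuser * *

# 5. Review what was stored before rebooting.
ksetup /dumpstate
```

After the reboot, a user selects the realm at the logon screen (or types [email protected]) and authenticates against the IPA KDC while Windows applies the rights of the mapped local account. Because this mapping is per machine and the local accounts carry no password, the synchronisation script that creates and removes them is the effective provisioning control; treat it with the same care as any identity feed.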
--
_______________________________________________
FreeIPA-users mailing list -- [email protected]
To unsubscribe send an email to [email protected]
Fedora Code of Conduct:
https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives:
https://lists.fedorahosted.org/archives/list/[email protected]
Do not reply to spam, report it:
https://pagure.io/fedora-infrastructure/new_issue