On Thu, 27 Mar 2025, Jostein Fossheim wrote:
On 2025-03-27 08:48, Alexander Bokovoy wrote:

Resolving IPA users on Windows machines is not supported and is not in
the scope of trust to Active Directory feature.

hmm... What exactly would be needed to achieve this? Global Catalog support? I assume it would be a much sought-after use case. In our setup, our Windows servers and clients are just a few lonely islands.

There are very few customers who are asking for the case. The amount of
work to achieve this, on the other side, is huge, because there are so many
edge cases that people would expect to work... Some of them are
impossible to implement without making full protocol compatibility with
Active Directory.


https://www.server-world.info/en/note?os=AlmaLinux_9&p=freeipa&f=8

I know that full windows-logon won’t work. But I had hopes that file
services in question would. If manual user-mapping (via ksetup or
something similar, that can make windows-logon with kerberos
credentials work) is possible that would suffice as well.

See note at this page:
https://docs.redhat.com/en/documentation/red_hat_enterprise_linux/9/html/using_external_red_hat_utilities_with_identity_management/setting-up-samba-on-an-idm-domain-member_using-external-red-hat-utilities-with-idm#setting-up-samba-on-an-idm-domain-member_using-external-red-hat-utilities-with-idm


Yes, we have several Samba servers in our production IPA environment already using this configuration. We have been running similar setups for 10+ years with native Samba and MIT Kerberos setups in other environments. The goal here was to try to integrate a native Windows file server into the environment.

We have also done ID mapping via ksetup to make Windows Terminal Servers accept Kerberos (username/passwords), with manual (to local) identity mapping, and sync users/groups (without passwords/etc.) via simple scripts. This approach could be acceptable if it was possible to issue (and on the Windows side install) a service principal for either TERMSRV/CIFS, but I have not found a way to do this. If anyone else has input on how to achieve this (or a firm confirmation that it is impossible), it would be greatly appreciated.

ksetup and mapping will not help with MS-PAC enforcement required now.

And how about Samba, does anyone know if such a setup would work
there? That is: a Samba AD populated with the real users and groups,
and a Microsoft Server running its own AD trusting the Samba realm,
but not the other way around? (Yes, I know that the server could join
the Samba domain instead, but this is not the point in this
lab exercise.)

Samba AD implements most of AD DC compatibility, so it would work.

https://wiki.samba.org/index.php/Active_Directory_Trusts

I read somewhere that there was a two-way only limitation in Samba; it seems like it's still there.

Samba AD can do both one-way and bidirectional trust, there is no
problem in that. Bidirectional trust is the default in AD for in-forest
domain trusts as well.

Is a one-way trust relationship in scope as well? Since I often find this the most needed use case. I guess it won't matter that much, since I can set up almost whichever rights I want for the trusted domain, and a trust relationship doesn't mean that privileges follow automatically.

The tooling supports both one-way and bidirectional trust.


--
/ Alexander Bokovoy
Sr. Principal Software Engineer
Security / Identity Management Engineering
Red Hat Limited, Finland

--
_______________________________________________
FreeIPA-users mailing list -- [email protected]
To unsubscribe send an email to [email protected]
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedorahosted.org/archives/list/[email protected]
Do not reply to spam, report it: https://pagure.io/fedora-infrastructure/new_issue