On Fri, 28 Mar 2025, Jostein Fossheim wrote:
Welcome to Windows Security Tab world. ;)

As I said before:

from Windows machines because their UI calls into some DCE RPC APIs we
do not support on IPA side. They also try to call into Global Catalog
and the primary LDAP instances while expecting those to have AD LDAP
schema and DIT structure. IPA is not supporting those so no wonder
things fail.

Windows implementation is inconsistent with regards to the ways how user
search and resolving is done, for various reasons we can only guess
about.

See, for example, our talk at SambaXP'20:
https://talks.vda.li/talks/2020/sxp20-d2t2-1-bokovoy-blancrenaud-FreeIPA-Catalog.pdf


One last comment and two last questions, before I put this AD-trust adventure to sleep.

Comment:  You really should implement Global Catalog support, and let AD talk to IPA, even though I understand that the work is hard. But I would assume that Samba has it implemented already, and that the Samba code base could be reused for IPA? There have to be wealthy sponsors interested in getting this to work.

We have Global Catalog implemented as we thought it would be needed for
IPA-IPA trust. However, we also discovered it is not enough to have
Global Catalog itself for Windows systems to resolve users/groups in
that 'Security Tab' UI, there are more things to be implemented. And we
now don't need Global Catalog implementation for IPA-IPA trust itself.


Question 1.: You wrote something about Global Catalog in last year's progress report on IPA-to-IPA trust, is it on the agenda when you release an ipa-to-ipa-trust capable version? Or have you abandoned implementing Global Catalog  in IPA altogether ?

The decision is not made yet. Adding Global Catalog would bring a
separate LDAP instance into the mix. It increases complexity of the
solution and makes it more fragile as well. We used to have a separate
LDAP instance for CA in the past, and that was a maintenance pain for
administrators. For CA we integrated it into the IPA LDAP instance; with
Global Catalog that will not be possible (see
https://github.com/abbra/freeipa/blob/wip-ipa-ipa-trust/doc/designs/adtrust/gc-design.md
for some WIP details).

Question 2.: Getting more activity involved in IPA-development (at least testing and feedback), where do we start?

Always welcome!

Please report bugs, if any, at https://pagure.io/freeipa/issues.

If you want to contribute, please pick up existing issues in the tracker
and if possible, create fixes for them. There are a few marked with
'easyfix'.

https://www.freeipa.org/page/Contribute has more details on contribution
guidelines.



--
Vennlig Hilsen

Jostein Fossheim

--
/ Alexander Bokovoy
Sr. Principal Software Engineer
Security / Identity Management Engineering
Red Hat Limited, Finland

--
_______________________________________________
FreeIPA-users mailing list -- [email protected]
To unsubscribe send an email to [email protected]
Fedora Code of Conduct: 
https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: 
https://lists.fedorahosted.org/archives/list/[email protected]
Do not reply to spam, report it: 
https://pagure.io/fedora-infrastructure/new_issue
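A practical check for the point made above about Windows expecting a Global Catalog: before attributing a Security Tab failure to anything else, see which service records the domain actually publishes. The Windows DC locator finds a GC through the _gc._tcp.<forest root> and _ldap._tcp.gc._msdcs.<forest root> SRV records; FreeIPA publishes _ldap._tcp and _kerberos._tcp but none of the GC names. The script below is an added example written for this page, not FreeIPA code and not something posted in the thread. The *.example.test domains, host names and record tables are constructed, and offline_lookup() feeds those constructed answers through the same wire-format parser as the live path, so the script runs without a network.

```python
"""Which AD-style SRV records does a domain advertise?  Windows clients find a
Global Catalog via _gc._tcp.<forest root> and _ldap._tcp.gc._msdcs.<forest root>;
FreeIPA publishes _ldap._tcp/_kerberos._tcp but no GC records.  Added example,
standard library only; all *.example.test names below are constructed."""
import random, socket, struct

SRV = 33  # DNS RR type

def encode_name(name):
    labels = name.rstrip(".").split(".")
    return b"".join(bytes([len(lab)]) + lab.encode("ascii") for lab in labels) + b"\x00"

def decode_name(msg, offset):
    """Return (name, offset just past it), following RFC 1035 compression pointers."""
    labels, end, jumped = [], None, False
    while True:
        length = msg[offset]
        if length & 0xC0 == 0xC0:  # two-byte pointer to an earlier copy of the name
            end = end if jumped else offset + 2
            jumped, offset = True, struct.unpack("!H", msg[offset:offset + 2])[0] & 0x3FFF
            continue
        offset += 1
        if length == 0:
            break
        labels.append(msg[offset:offset + length].decode("ascii"))
        offset += length
    return ".".join(labels), (end if jumped else offset)

def parse_srv_answers(msg):
    """Return (rcode, sorted [(priority, weight, port, target), ...])."""
    _txid, flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    offset, answers = 12, []
    for _ in range(qd):  # skip the question section (name + QTYPE + QCLASS)
        offset = decode_name(msg, offset)[1] + 4
    for _ in range(an):
        _, offset = decode_name(msg, offset)
        rtype, _cls, _ttl, rdlen = struct.unpack("!HHIH", msg[offset:offset + 10])
        offset += 10
        if rtype == SRV:
            prio, weight, port = struct.unpack("!HHH", msg[offset:offset + 6])
            answers.append((prio, weight, port, decode_name(msg, offset + 6)[0]))
        offset += rdlen
    return flags & 0x000F, sorted(answers)

def srv_lookup(name, server, timeout=3.0):
    """Plain UDP SRV query against `server`; rejects replies carrying a foreign txid."""
    txid = random.randrange(0x10000)
    query = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)  # RD=1, one question
    query += encode_name(name) + struct.pack("!HH", SRV, 1)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(query, (server, 53))
        data = s.recv(4096)
    if struct.unpack("!H", data[:2])[0] != txid:
        raise ValueError("DNS transaction id mismatch")
    return parse_srv_answers(data)

GC_RECORDS = ("_gc._tcp.{d}", "_ldap._tcp.gc._msdcs.{d}")
LDAP_RECORDS = ("_ldap._tcp.{d}", "_kerberos._tcp.{d}")

def advertised_services(domain, lookup):
    """Map each SRV name to its records ([] when the name does not exist)."""
    result = {}
    for tmpl in GC_RECORDS + LDAP_RECORDS:
        name = tmpl.format(d=domain)
        rcode, answers = lookup(name)
        result[name] = answers if rcode == 0 else []
    return result

def has_global_catalog(domain, lookup):
    svc = advertised_services(domain, lookup)
    return any(svc[t.format(d=domain)] for t in GC_RECORDS)

def build_srv_response(txid, qname, records, rcode=0):
    """Constructed wire-format reply; answer owner names point back at the question name."""
    msg = struct.pack("!HHHHHH", txid, 0x8180 | rcode, 1, len(records), 0, 0)
    msg += encode_name(qname) + struct.pack("!HH", SRV, 1)
    for prio, weight, port, target in records:
        rdata = struct.pack("!HHH", prio, weight, port) + encode_name(target)
        msg += b"\xc0\x0c" + struct.pack("!HHIH", SRV, 1, 300, len(rdata)) + rdata
    return msg

def offline_lookup(table):
    """lookup() answering from a constructed table through the same parser as the live path."""
    def lookup(name):
        recs = table.get(name)
        return parse_srv_answers(build_srv_response(0x1234, name, recs or [], 0 if recs is not None else 3))
    return lookup

AD_SAMPLE = {  # constructed: what an AD forest root publishes
    "_gc._tcp.ad.example.test": [(0, 100, 3268, "dc1.ad.example.test")],
    "_ldap._tcp.gc._msdcs.ad.example.test": [(0, 100, 3268, "dc1.ad.example.test")],
    "_ldap._tcp.ad.example.test": [(0, 100, 389, "dc1.ad.example.test")],
    "_kerberos._tcp.ad.example.test": [(0, 100, 88, "dc1.ad.example.test")],
}
IPA_SAMPLE = {  # constructed: FreeIPA publishes LDAP and Kerberos, but no GC records
    "_ldap._tcp.ipa.example.test": [(0, 100, 389, "ipa1.ipa.example.test")],
    "_kerberos._tcp.ipa.example.test": [(0, 100, 88, "ipa1.ipa.example.test")],
}
```

Against a live domain, point the lookup at the domain's own DNS server, e.g. advertised_services("ad.example.test", lambda n: srv_lookup(n, "192.0.2.10")) with a constructed server address; has_global_catalog() then tells you whether the _gc._tcp names exist at all, which is what a Windows client checks before it ever opens port 3268. The query path is deliberately minimal: UDP only, no EDNS and no TCP retry on truncated replies, so a large answer set would need a real resolver library.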