> > We need to get host/ipa.master and HTTP/ipa.master principals to get
> > authenticated read only access to AD DC and LDAP servers. The problem
> > with granting this access in 'Selective authentication' case will
> > prevent the trust from working.

Are only the IPA servers accessing the AD DC? Or are all the hosts (clients) also performing queries on the GC's LDAP, as you described in this older mail exchange:
https://www.redhat.com/archives/freeipa-users/2014-January/msg00181.html

*"IPA needs to be able to look up users and groups in AD. To do so, it uses Kerberos authentication against AD's Global Catalog services with own credentials (per each IPA host). We are using cross-realm Kerberos trust here, AD DC trusts cross-realm TGT issued by IPA KDC and vice versa, so IPA hosts can bind as their own identity (host/...) to AD."*

If the first case is true, then read-only permission can be granted to the IPA servers *only* (?). If the second is true, there is no escape but to convince (somehow) the AD IT guys.
-- Manage your subscription for the Freeipa-users mailing list: https://www.redhat.com/mailman/listinfo/freeipa-users Go To http://freeipa.org for more info on the project
