On 25.8.2015 16:08, Alexander Bokovoy wrote:
> On Tue, 25 Aug 2015, Simo Sorce wrote:
>> On Tue, 2015-08-25 at 15:19 +0200, Petr Spacek wrote:
>>> On 1.8.2015 21:19, John Stein wrote:
>>> > Hi,
>>> >
>>> > Thanks for the reply. Any idea when the GSSAPI-updating bug fix will get
>>> > to RHEL 7?
>>>
>>> You can watch the progress here:
>>> https://bugzilla.redhat.com/show_bug.cgi?id=1214827
>>>
>>> Unfortunately, fixing this bug will not be sufficient for your particular
>>> scenario. FreeIPA does not allow ordinary host/ principals used by client
>>> machines (not to be confused with FreeIPA servers) to get tickets for AD
>>> Kerberos realms.
>>>
>>> It effectively means that nsupdate will properly detect the AD realm and
>>> generate a correct request, but the request will be refused because the
>>> client will not be able to get a ticket.
>>>
>>> I.e. you will have to resort to manual PTR record update OR convince
>>> Alexander/Simo that allowing host/ principals from the FreeIPA realm to get
>>> tickets for the AD realm is not a security issue :-)
>>
>> There is no security issue per se; host/ principals can get tickets just
>> fine, but we do not attach a PAC here, and AD may refuse to operate w/o an
>> MS-PAC. Please open an RFE if this is breaking operations. We'll need to
>> decide how to assign a SID to hosts, but that's the only "security" issue
>> that needs to be solved.
Here it is: https://fedorahosted.org/freeipa/ticket/5260

> For one-way trust you'll be unable to get the ticket at all, as there is
> no cross-forest TGT on our side to issue. And this is the default
> configuration in FreeIPA 4.2. You will have to have a bi-directional trust
> to get GSSAPI authentication in nsupdate working at all against a
> trusted forest.

Understood, that is the price users have to pay for using one-way trust.

Still, I think that we should support this use case if the user is willing
to use a bi-directional trust.

-- 
Petr^2 Spacek
