Hi everyone,
first post, hope the question is not too dumb and this is the right list.
I’m trying to use IPA in the way the RHEL Windows Integration Guide describes it in the one-way-trust setup (indirect integration, using AD for auth, IPA for policies). However, I’m hitting a wall since at one point you have to provide AD Admin credentials (setting up the agreement) which I don’t have/won’t have.
Question: Are there other ways to get the (almost) same result w/o having admin access to AD?
* Some 2 years back Dmitri Dal made a comment here which seems to point into that direction https://pagure.io/freeipa/issue/4546 but I wasn’t able to find anything in the official documentation or elsewhere and that issue has been closed as fixed.
As of now I only see recreating all the users/groups from AD in IPA w/o any connectivity in between as one option, which would be ok but not very elegant and users have to deal with another password.
Is it possible to use SSSD with AD as auth/idprovider and IPA for policies (something like shown in the modern integration option image here but with policies fetched from IPA: http://rhelblog.redhat.com/2015/02/04/overview-of-direct-integration-options...
thanks,
jgeo
On Mon, 10 Jul 2017, None via FreeIPA-users wrote:
> Hi everyone,
> first post, hope the question is not too dumb and this is the right list.
> I’m trying to use IPA in the way the RHEL Windows Integration Guide describes it in the one-way-trust setup (indirect integration, using AD for auth, IPA for policies). However, I’m hitting a wall since at one point you have to provide AD Admin credentials (setting up the agreement) which I don’t have/won’t have.
To establish a cross-forest trust, you have to be a member of the Domain Admins group of the forest root domain in AD or a member of the Enterprise Admins group in the forest. There is no other way.
> Question: Are there other ways to get the (almost) same result w/o having admin access to AD?
> - Some 2 years back Dmitri Dal made a comment here which seems to point into that direction https://pagure.io/freeipa/issue/4546 but I wasn’t able to find anything in the official documentation or elsewhere and that issue has been closed as fixed.
No, Dmitri was wrong in his first comment. What ticket #4546 describes is a real one-way cross-forest trust, as AD expects it.
> As of now I only see recreating all the users/groups from AD in IPA w/o any connectivity in between as one option, which would be ok but not very elegant and users have to deal with another password.
> Is it possible to use SSSD with AD as auth/idprovider and IPA for policies (something like shown in the modern integration option image here but with policies fetched from IPA: http://rhelblog.redhat.com/2015/02/04/overview-of-direct-integration-options...
If you have no credentials to establish a cross-forest trust, you are not dealing with a cross-forest trust, and thus everything about trust in the RHEL Windows Integration Guide does not apply to you. Yes, you can take on a journey to hack up something based on direct integration, but this is not going to be supported in FreeIPA.
Hi Joerg,
> Question: Are there other ways to get the (almost) same result w/o having admin access to AD?
No.
You will need to either:
1. Have your AD admins enter their domain admin password for you when you're running the ipa trust-add command
2. Have your AD admins give you a one time password to be used for this purpose.
I will note that for option two there was a bug in the past that prevented this from working with one-way trusts: the commands would complete, but authentication and enumeration would never work.
freeipa-users@lists.fedorahosted.org
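The two credential paths the last reply lists, written out as the ipa trust-add invocations they correspond to. This is an added example, not code from the thread or from the FreeIPA project; the domain name ad.example.test and the account name Administrator are placeholders, and the one-way direction (--two-way=false) is the Windows Integration Guide setup the original poster describes, where AD users reach IPA-managed hosts but IPA users get nothing in AD. For the shared-secret path the AD administrator must already have created the trust on the Windows side with the same secret before the IPA side is run. The verification commands at the end are the ones that actually prove the trust works, which matters given the reply's note that the commands once completed while authentication and enumeration silently failed.

```shell
#!/bin/sh
# Added example: wraps the ipa trust-add calls from the thread.
# AD_DOMAIN and AD_ADMIN are assumed placeholder values, override via env.
AD_DOMAIN="${AD_DOMAIN:-ad.example.test}"   # assumed AD forest root domain
AD_ADMIN="${AD_ADMIN:-Administrator}"       # assumed Domain/Enterprise Admins account

# Build the trust-add command line for the chosen credential path.
#   admin  : the AD admin types their password at the --password prompt (option 1)
#   secret : the AD admin pre-creates the trust in AD with a shared secret and
#            hands that secret over out-of-band; --trust-secret prompts for it (option 2)
# --two-way=false is the one-way trust: IPA trusts AD, AD does not trust IPA.
trust_add_cmd() {
    case "$1" in
        admin)
            printf '%s' "ipa trust-add --type=ad $AD_DOMAIN --admin $AD_ADMIN --password --two-way=false"
            ;;
        secret)
            printf '%s' "ipa trust-add --type=ad $AD_DOMAIN --trust-secret --two-way=false"
            ;;
        *)
            echo "trust_add_cmd: mode must be 'admin' or 'secret'" >&2
            return 2
            ;;
    esac
}

# Checks to run after trust-add returns. A successful trust-add alone is not
# proof: the trust object must resolve its domains and AD users must be
# resolvable on the IPA side.
verify_cmds() {
    cat <<EOF
ipa trust-show $AD_DOMAIN
ipa trust-fetch-domains $AD_DOMAIN
ipa trustdomain-find $AD_DOMAIN
getent passwd some.user@$AD_DOMAIN
id some.user@$AD_DOMAIN
EOF
}

# Runs the setup only on a host that has the ipa client and a valid IPA
# admin ticket; otherwise prints what it would have run and stops.
run_trust_setup() {
    cmd=$(trust_add_cmd "$1") || return $?
    if ! command -v ipa >/dev/null 2>&1; then
        echo "ipa client not found; would run: $cmd" >&2
        return 1
    fi
    if ! klist -s; then
        echo "no Kerberos ticket; run 'kinit admin' first" >&2
        return 1
    fi
    $cmd || return $?     # interactive: prompts for the AD password or the shared secret
    verify_cmds | while read -r c; do
        echo "+ $c"
        $c || echo "check failed: $c" >&2
    done
}
```

Usage on the IPA server, as the IPA admin, after kinit admin: `run_trust_setup admin` when the AD administrator is willing to type their password at your prompt, or `run_trust_setup secret` when they have created the trust on the AD side and given you the shared secret. If `getent passwd some.user@ad.example.test` returns nothing after trust-add succeeded, the trust is not usable regardless of what trust-add reported.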