hi guys
I wonder if it is (or would be) possible to have IPA join AD, but so that the IPA admin only asks the AD admin(s) to do whatever is required and then s/he does the IPA end? A reason you would do that is that the domains are formally (and in other ways) separate, so the AD admin would have to keep secret and not share any of the AD credentials you would normally use in IPA to add such a trust.
many thanks, L.
On 05/03/18 18:01, lejeczek via FreeIPA-users wrote:
_______________________________________________
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-leave@lists.fedorahosted.org
I'm reading what I wrote - poor choice of word, not "join" obviously but "trust" instead.
On 05/03/2018 19:01, lejeczek via FreeIPA-users wrote:
Hi,
It is possible to use a shared secret instead of the AD admin credentials when establishing the trust: https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/htm...
Does this address your concern?
Flo
On 06/03/18 07:28, Florence Blanc-Renaud wrote:
That might be exactly it! I'm trying "one way" and while the command succeeded I saw this:
...
Domain Security Identifier: S-1-5-21-3110176660-1847390102-3050341588
SID blacklist incoming: S-1-0, S-1-1, S-1-2, S-1-3, S-1-5-1, S-1-5-2, S-1-5-3, S-1-5-4, S-1-5-5, S-1-5-6, S-1-5-7, S-1-5-8, S-1-5-9, S-1-5-10, S-1-5-11, S-1-5-12, S-1-5-13, S-1-5-14, S-1-5-15, S-1-5-16, S-1-5-17, S-1-5-18, S-1-5-19, S-1-5-20
SID blacklist outgoing: S-1-0, S-1-1, S-1-2, S-1-3, S-1-5-1, S-1-5-2, S-1-5-3, S-1-5-4, S-1-5-5, S-1-5-6, S-1-5-7, S-1-5-8, S-1-5-9, S-1-5-10, S-1-5-11, S-1-5-12, S-1-5-13, S-1-5-14, S-1-5-15, S-1-5-16, S-1-5-17, S-1-5-18, S-1-5-19, S-1-5-20
Trust direction: Trusting forest
Trust type: Active Directory domain
Trust status: Waiting for confirmation by remote side
gidnumber: 1416100000
ipantsecurityidentifier: S-1-5-21-690266907-396463273-2110627865-1004
ipantsupportedencryptiontypes: 28
ipanttrustdirection: 1
...
Now I'm trying to ssh to IPA as:
$ ssh adm@ad.priv.dom.local@10.1.1.1
but this fails as if the password were incorrect, which naturally is not the case. Is the problem the "one way" trust?
many thanks, L.
On Tue, 06 Mar 2018, lejeczek via FreeIPA-users wrote:
One-way trust with a shared secret is not working currently. Either use a two-way trust with a shared secret or use admin credentials.
If you are interested in the details, just search the mailing list archives.
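Putting Flo's answer (shared secret instead of AD admin credentials) and Alexander's caveat (shared secret only works with a two-way trust) together, here is the IPA side of that procedure as a shell script. This is an added example, not code from the thread or from the FreeIPA project. It assumes the `ipa trust-add` options `--type`, `--two-way`, `--admin`, `--password` and `--trust-secret` and the `ipa trust-fetch-domains` and `ipa trust-show` commands as documented for RHEL 7 IdM; the domain ad.example.test, the IPA_CMD indirection (so the argument construction can be dry-run without an IPA server) and the AD_ADMIN variable are assumptions for illustration. The script refuses the one-way plus shared-secret combination that Alexander says is not working.

```shell
#!/bin/sh
# Added example, not code from the thread or from the FreeIPA project.
# Drives the IPA side of an AD forest trust in one of two modes:
#   admin  - the IPA admin types AD admin credentials (--admin/--password),
#            which is what the original poster wants to avoid
#   secret - both admins agree on a trust password; the AD admin creates the
#            trust on the AD side with it, and IPA creates its half with
#            --trust-secret, so IPA is never given an AD account
# Per Alexander's reply, a one-way trust with a shared secret is not working,
# so that combination is refused. ad.example.test, IPA_CMD and AD_ADMIN are
# assumptions for illustration.
set -eu

IPA_CMD=${IPA_CMD:-ipa}   # point this at a stub function to dry-run the argv

# Print the "ipa trust-add" argument list for the requested mode.
# Returns 1 for the unsupported one-way + shared-secret combination.
trust_add_args() {
  local ad_domain="$1" mode="$2" two_way="$3"   # mode: admin|secret; two_way: true|false
  local args="trust-add --type=ad $ad_domain --two-way=$two_way"
  case "$mode" in
    admin)
      # --password makes ipa prompt for the AD admin's password
      args="$args --admin ${AD_ADMIN:-Administrator} --password"
      ;;
    secret)
      if [ "$two_way" != true ]; then
        echo "refusing: one-way trust with a shared secret is reported not to work;" \
             "use two_way=true or AD admin credentials" >&2
        return 1
      fi
      # --trust-secret makes ipa prompt for the shared trust password instead
      args="$args --trust-secret"
      ;;
    *)
      echo "unknown mode: $mode (expected admin or secret)" >&2
      return 2
      ;;
  esac
  printf '%s\n' "$args"
}

# Run trust-add on the IPA server (needs a valid IPA admin Kerberos ticket).
establish_trust() {
  local argv
  argv=$(trust_add_args "$1" "$2" "$3") || return $?
  # word splitting of $argv is intentional: no argument above contains spaces
  "$IPA_CMD" $argv
}

# After the AD admin has confirmed the trust on the AD side: pull the list of
# trusted AD domains, print the trust (check its "Trust status" line), then
# check that an AD user resolves through SSSD and can get a ticket from the
# AD KDC. If "id" or "kinit" fails here, password ssh as that user will too.
verify_trust() {
  local ad_domain="$1" ad_user="$2" ad_realm
  ad_realm=$(printf '%s' "$ad_domain" | tr '[:lower:]' '[:upper:]')
  "$IPA_CMD" trust-fetch-domains "$ad_domain"
  "$IPA_CMD" trust-show "$ad_domain"
  id "$ad_user@$ad_domain"
  kinit "$ad_user@$ad_realm"
}

# Typical run on the IPA server, after "kinit admin":
#   establish_trust ad.example.test secret true
#   (AD admin creates the matching two-way forest trust with the same secret)
#   verify_trust ad.example.test someaduser
```

The only thing exchanged between the two admins in secret mode is the trust password: the AD admin enters it when creating the matching two-way forest trust in Active Directory Domains and Trusts, the IPA admin enters it at the `--trust-secret` prompt, and no AD account is ever typed on the IPA server. Until the AD side has confirmed, `ipa trust-show` reports the "Waiting for confirmation by remote side" status seen in the output above, so run verify_trust only after the AD admin reports the trust is in place.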
On 06/03/18 11:13, Alexander Bokovoy wrote:
Oogh, gee, if you guys could make one-way work... I could not stress it enough... f a n t a s t i c that would be.
b.w. L.