Alexander Bokovoy wrote:
> On Wed, 04 Dec 2024, Aleksandr Sabirov via FreeIPA-users wrote:
>> Rob Crittenden wrote:
>>> Aleksandr Sabirov via FreeIPA-users wrote:
>>>> Alexander Bokovoy wrote:
>>>>> On Tue, 03 Dec 2024, Aleksandr Sabirov via FreeIPA-users wrote:
>>>>>> Alexander Bokovoy wrote:
>>>>>>> On Tue, 03 Dec 2024, Aleksandr Sabirov via FreeIPA-users wrote:
>>>>>>>> Alexander Bokovoy wrote:
>>>>>>>>> On Fri, 29 Nov 2024, Aleksandr Sabirov via FreeIPA-users wrote:
>>>>>>>>>> I need a Linux client (using SSSD), joined to an AD domain, to be
>>>>>>>>>> able to authenticate to IPA users through trust relationships.
>>>>>>>>>> This is not possible, am I correct?
>>>>>>>>>>
>>>>>>>>>> So the scheme is:
>>>>>>>>>>
>>>>>>>>>> Linux AD client -> AD <-> IPA
>>>>>>>>>
>>>>>>>>> If that Linux client is enrolled into AD domain, it will be talking to
>>>>>>>>> AD DC, as I said, and then will be talking to IPA DC. This is only for
>>>>>>>>> authentication; identities will have to be fetched from AD DCs and they
>>>>>>>>> will not have that information because they couldn't retrieve it from
>>>>>>>>> IPA DCs.
>>>>>>>>
>>>>>>>> Sorry for spamming, but I would like to know. This is important
>>>>>>>> information for me.
>>>>>>>
>>>>>>> I answered your questions already. Sorry, I don't have time right now to
>>>>>>> respond more on this beyond what is already said.
>>>>>>
>>>>>> How then does a Windows 10 client located in MS AD successfully obtain
>>>>>> FreeIPA trusted domain information and successfully launch a user's IPA
>>>>>> session?
>>>>>
>>>>> https://www.freeipa.org/page/Windows_authentication_against_FreeIPA#id1:
>>>>>
>>>>> ....
>>>>> Note also that the described configuration is not supported by FreeIPA
>>>>> development team and also is not supported by Red Hat Enterprise Linux
>>>>> Identity Management product. A work on making possible to login to
>>>>> Windows machines already enrolled into a trusted Active Directory
>>>>> forest is ongoing and is not available yet in any released FreeIPA
>>>>> version.
>>>>> ....
>>>>>
>>>>> This is not a supported setup and we have no time to look into it at the
>>>>> moment.
>>>>
>>>> So Windows AD client also can't log in under IdM accounts via trust
>>>> relationships?
>>>>
>>>> Sorry for my redundancy.
>>>>
>>>> I mean
>>>>
>>>> IdM <-> AD <- Windows 10
>>>
>>> Have you read the documentation?
>>>
>>> https://docs.redhat.com/en/documentation/red_hat_enterprise_linux/9/html-sin...
>>>
>>> rob
>>
>> Yes, I have read it. But everything there is described in "abstract terms."
>> I want to know the specific names of the mechanisms that make it work that
>> way.
>>
>> What do Windows AD clients have that Linux clients don't, since Windows
>> can obtain users through trust relationships, but Linux cannot?
>> --
>
> Windows clients talk to AD DCs using DCE RPC calls and delegate to AD
> DCs to talk to trusted domains' domain controllers. SSSD does not use
> DCE RPC calls like Windows does. It only talks over LDAP to AD DCs and
> uses Kerberos for authentication. In addition, SSSD AD provider does not
> support an IPA domain being a subdomain of an AD domain. This means
> it cannot switch LDAP schema to IPA one when talking to IPA DC, even
> when it could reach IPA DC and could authenticate to it (over two-way
> trust).
>
> If you need to know about Active Directory stuff, you can start with
> MS-ADOD[1] and MS-AUTHSOD[2] overview documents.
>
> [1] https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-adod
> [2] https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-authsod

Is there any sort of roadmap for specific possible improvements (including the
names of the technologies, etc.)? If not, could you perhaps find the time to
provide a detailed description of what needs to be improved, where, and
roughly how (with the names of the specific services, of course)? I want to
assess the resources and possibilities for contributing this functionality
later on.

Is there perhaps a connection scheme that needs to be implemented (similar to
the ones in the official documentation)? They have diagrams for a Windows
client with AD and a Linux client with IdM. Is there a diagram for a Linux
client with AD?

thx.

--
_______________________________________________
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahosted.org
Do not reply to spam, report it: https://pagure.io/fedora-infrastructure/new_issue
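Added illustration of the split Alexander Bokovoy describes in the quoted reply above (authentication can be routed to the IPA realm with Kerberos over the trust, while identities are only ever fetched over LDAP from AD DCs, which hold no IPA users). This is example code written for this page, not SSSD or FreeIPA code. The sssd.conf and krb5.conf fragments and the realm names AD.EXAMPLE.TEST / IPA.EXAMPLE.TEST are constructed; the fallback realm-walk when [capaths] has no entry follows the MIT krb5 hierarchical default as I understand it (an assumption, not something the thread states); and the "resolvable" verdict encodes only the two providers the thread discusses (`ad` and `ipa`).

```python
"""Added illustration for the thread above; not SSSD or FreeIPA code.
Config fragments and realm names are constructed for the example."""
import configparser
from typing import Dict, List

# Constructed sssd.conf for a Linux client enrolled into an AD domain.
SSSD_CONF_AD_CLIENT = """
[sssd]
services = nss, pam
domains = ad.example.test

[domain/ad.example.test]
id_provider = ad
auth_provider = ad
krb5_realm = AD.EXAMPLE.TEST
"""

# Constructed krb5.conf with a direct ('.') cross-realm path AD -> IPA.
KRB5_CONF_DIRECT = """
[libdefaults]
 default_realm = AD.EXAMPLE.TEST

[capaths]
 AD.EXAMPLE.TEST = {
  IPA.EXAMPLE.TEST = .
 }
"""


def parse_capaths(text: str) -> Dict[str, Dict[str, List[str]]]:
    """Parse [capaths]: capaths[client_realm][server_realm] -> intermediate
    realms in order. A '.' value means a direct trust (empty list)."""
    capaths: Dict[str, Dict[str, List[str]]] = {}
    in_section, current = False, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        if line.startswith("["):
            in_section, current = (line == "[capaths]"), None
        elif not in_section:
            continue
        elif line.endswith("{"):
            current = line[:-1].strip().rstrip("=").strip()
            capaths.setdefault(current, {})
        elif line == "}":
            current = None
        elif current is not None and "=" in line:
            server, hop = (s.strip() for s in line.split("=", 1))
            hops = capaths[current].setdefault(server, [])
            if hop != ".":
                hops.append(hop)
    return capaths


def hierarchical_path(client_realm: str, server_realm: str) -> List[str]:
    """Intermediate realms when [capaths] has no entry. Assumes the MIT-style
    default: climb from the client realm to the nearest realm that is also an
    ancestor of the server realm, then descend to the server realm."""
    def ancestors(realm: str) -> List[str]:
        parts = realm.split(".")
        return [".".join(parts[i:]) for i in range(len(parts))]
    client_chain, server_chain = ancestors(client_realm), ancestors(server_realm)
    common = next((r for r in client_chain if r in server_chain), None)
    if common is None:
        return []  # no shared suffix: nothing to route through
    full = (client_chain[: client_chain.index(common) + 1]
            + list(reversed(server_chain[: server_chain.index(common)])))
    return [r for r in full if r not in (client_realm, server_realm)]


def cross_realm_path(client_realm: str, server_realm: str,
                     capaths: Dict[str, Dict[str, List[str]]]) -> List[str]:
    """Realms the client needs cross-realm TGTs from before it can ask the
    server realm's KDC for a service ticket."""
    entry = capaths.get(client_realm, {}).get(server_realm)
    return entry if entry is not None else hierarchical_path(client_realm, server_realm)


def assess_linux_client(sssd_conf: str, krb5_conf: str, ipa_realm: str) -> Dict[str, dict]:
    """Per SSSD domain: the Kerberos hop list to the IPA realm (the
    authentication side) and whether IPA users are resolvable as identities.
    Only the 'ipa' provider talks the IPA LDAP schema; the 'ad' provider
    fetches identities from AD DCs only, which do not hold IPA users."""
    cfg = configparser.ConfigParser(interpolation=None)
    cfg.read_string(sssd_conf)
    capaths = parse_capaths(krb5_conf)
    report: Dict[str, dict] = {}
    for section in cfg.sections():
        if not section.startswith("domain/"):
            continue
        id_provider = cfg.get(section, "id_provider", fallback="").lower()
        client_realm = cfg.get(section, "krb5_realm", fallback="").upper()
        hops = cross_realm_path(client_realm, ipa_realm.upper(), capaths)
        report[section[len("domain/"):]] = {
            "id_provider": id_provider,
            "kerberos_hops": [client_realm] + hops + [ipa_realm.upper()],
            "ipa_identities_resolvable": id_provider == "ipa",
        }
    return report


if __name__ == "__main__":
    for name, verdict in assess_linux_client(SSSD_CONF_AD_CLIENT, KRB5_CONF_DIRECT,
                                             "IPA.EXAMPLE.TEST").items():
        print(name, verdict)
```

Running it on the constructed AD-client configuration reports a one-hop Kerberos path AD.EXAMPLE.TEST -> IPA.EXAMPLE.TEST (two hops via EXAMPLE.TEST if the [capaths] entry is removed) together with `ipa_identities_resolvable: False`, which is the "authentication only; identities will have to be fetched from AD DCs" outcome from the thread: the client could obtain a ticket for an IPA service, but it has no way to turn an IPA user name into a POSIX identity.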