#4951 [RFE] Configure IPA to be a trust agent by default
Closed: Fixed. Opened 9 years ago by abbra.

FreeIPA supports trusted relationships with Active Directory via cross-forest trust. Currently, all functionality to support trusted relationships with Active Directory must be present on every IPA master which controls IPA clients where access to AD users is desired. There are certain differences between uses of the IPA infrastructure which allow reducing the requirements on IPA masters involved in providing trust features.

A trust controller is a FreeIPA master which runs the following services:

  • LDAP server with sidgen, extdom, and cldap plugins
  • KDC with IPA driver
  • Samba configured with ipasam PASSDB module
  • SSSD with ipa_server_mode=True
  • Global Catalog instance (a separate LDAP instance with an AD-compatible schema)

A trust agent is a FreeIPA master which runs the following services:

  • LDAP server with sidgen and extdom plugins
  • KDC with IPA driver
  • SSSD with ipa_server_mode=True

A trust agent is a master that relies on SSSD to do resolution of IDs. A trust controller is used for managing the trust: adding trust agreements, enabling/disabling separate domains from a trusted forest to access FreeIPA resources, etc. A trust controller is also what Active Directory's domain controllers contact when validating the trust by means of the SMB protocol using LSA calls, which implies running a Samba server.

The following work needs to be done:

  • Change the configuration of an IPA master to be a trust agent by default, and ipa-adtrust-install to configure a trust controller.
  • The existing cldap, extdom, and sidgen plugins will need to be updated to not fail or complain in the logs if no configuration exists for the IPA side of the domain (domain SID, default groups, etc.).
  • Packaging dependencies for FreeIPA need to change to allow Samba libraries to be installed by default, but Samba daemons only pulled in with the freeipa-server-trust-ad subpackage.
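The two roles described above leave different traces in the IPA directory tree, which is how an operator can tell which masters are controllers and which are agents without logging in to each box. The script below is an added example, not part of this ticket or of FreeIPA's own code: it reads a constructed LDIF export and classifies each master. The entry layout it relies on is an assumption taken from what ipa-adtrust-install writes (a `cn=ADTRUST` service entry under `cn=masters` with `ipaConfigString: enabledService` for the Samba side of a controller, and membership in the `cn=adtrust agents` group for every agent, the group the keytab-fetch ACIs in this patch set are scoped to); check it with `ldapsearch` on a real master before relying on it.

```python
"""Classify FreeIPA masters as trust controllers or trust agents from an LDIF dump.

Added example, not FreeIPA's own code. Assumed layout (verify with ldapsearch):
  * cn=ADTRUST,cn=<fqdn>,cn=masters,cn=ipa,cn=etc,<suffix> with
    ipaConfigString: enabledService   -> Samba/ipasam side of a trust controller
  * member of cn=adtrust agents,cn=sysaccounts,cn=etc,<suffix>
                                      -> trust agent (may fetch cross-realm keytabs)
"""
from collections import defaultdict

SUFFIX = "dc=example,dc=test"  # assumed base DN for the constructed sample

# Constructed sample export (not captured from a real deployment).
SAMPLE_LDIF = f"""\
dn: cn=ADTRUST,cn=ipa1.example.test,cn=masters,cn=ipa,cn=etc,{SUFFIX}
cn: ADTRUST
ipaConfigString: enabledService

dn: cn=KDC,cn=ipa2.example.test,cn=masters,cn=ipa,cn=etc,{SUFFIX}
cn: KDC
ipaConfigString: enabledService

dn: cn=ADTRUST,cn=ipa3.example.test,cn=masters,cn=ipa,cn=etc,{SUFFIX}
cn: ADTRUST
ipaConfigString: configuredService

dn: cn=ADTRUST,cn=ipa4.example.test,cn=masters,cn=ipa,cn=etc,{SUFFIX}
cn: ADTRUST
ipaConfigString: enabledService

dn: cn=adtrust agents,cn=sysaccounts,cn=etc,{SUFFIX}
cn: adtrust agents
member: fqdn=ipa1.example.test,cn=computers,cn=accounts,{SUFFIX}
member: fqdn=ipa2.example.test,cn=computers,cn=accounts,{SUFFIX}
member: fqdn=ipa3.example.test,cn=computers,cn=accounts,{SUFFIX}
"""


def parse_ldif(text):
    """Minimal LDIF reader: list of (dn, {attr_lowercase: [values]}).
    Unfolds continuation lines and skips comments; base64 (`::`) values are
    not needed for these entries and are deliberately unsupported."""
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:      # folded continuation line
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    entries, dn, attrs = [], None, defaultdict(list)
    for line in lines + [""]:                  # trailing "" flushes last entry
        if not line:
            if dn is not None:
                entries.append((dn, dict(attrs)))
            dn, attrs = None, defaultdict(list)
        elif line.startswith("#"):
            continue
        else:
            key, _, value = line.partition(":")
            key, value = key.strip().lower(), value.strip()
            if key == "dn":
                dn = value
            else:
                attrs[key].append(value)
    return entries


def classify_masters(ldif_text, suffix=SUFFIX):
    """Return {fqdn: role} for every master that plays any trust role."""
    masters_base = f",cn=masters,cn=ipa,cn=etc,{suffix}".lower()
    agents_group = f"cn=adtrust agents,cn=sysaccounts,cn=etc,{suffix}".lower()
    controllers, agents = set(), set()
    for dn, attrs in parse_ldif(ldif_text):
        dn_l = dn.lower()
        if dn_l == agents_group:
            for member in attrs.get("member", []):
                rdn = member.split(",", 1)[0].strip()   # fqdn=<host>
                if rdn.lower().startswith("fqdn="):
                    agents.add(rdn[len("fqdn="):].lower())
        elif dn_l.startswith("cn=adtrust,cn=") and dn_l.endswith(masters_base):
            host = dn_l[len("cn=adtrust,cn="):-len(masters_base)]
            # Only an enabled ADTRUST service counts as a controller; a merely
            # configured entry (assumed value: configuredService) is not serving.
            values = [v.lower() for v in attrs.get("ipaconfigstring", [])]
            if "enabledservice" in values:
                controllers.add(host)
    roles = {}
    for host in sorted(controllers | agents):
        if host in controllers and host in agents:
            roles[host] = "trust controller"
        elif host in controllers:
            # ipa-adtrust-install adds the controller's own host to the agents
            # group; a controller outside it falls outside the agent ACIs for
            # cross-realm keytabs, so flag it instead of accepting it silently.
            roles[host] = "trust controller (missing adtrust agents membership)"
        else:
            roles[host] = "trust agent"
    return roles


if __name__ == "__main__":
    for host, role in classify_masters(SAMPLE_LDIF).items():
        print(f"{host}: {role}")
```

On a live deployment the LDIF would come from an `ldapsearch -b cn=etc,$SUFFIX` dump rather than the embedded sample; the classification logic is the same. A master that appears in neither place runs neither Samba nor the agent ACIs and is simply a plain IPA master.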

Related to one-way trust.

Alexander's work (feel free to distribute further).

The one-way trust patch set was pushed; it also fixes this ticket.

master:
2dd5b46 trust: support retrieving POSIX IDs with one-way trust during trust-add
5025204 trusts: add ACIs to allow AD trust agents to fetch cross-realm keytabs
a9570e8 ipa-pwd-extop: expand error message to tell what user is not allowed to fetch keytab
d5aa1ee trusts: add support for one-way trust and switch to it by default
14992a0 ipa-adtrust-install: allow configuring of trust agents
aa21600 ipa-sidgen: reduce log level to normal if domain SID is not available
47e1de7 trusts: pass AD DC hostname if specified explicitly
03c2d76 ipa-adtrust-install: add IPA master host principal to adtrust agents
785f659 add one-way trust support to ipasam

Metadata Update from @abbra:
- Issue assigned to abbra
- Issue set to the milestone: FreeIPA 4.2

7 years ago
