mirror of
https://salsa.debian.org/freeipa-team/freeipa.git
synced 2025-02-25 18:55:28 -06:00
6332cb3125
For configuration where:
- AD example.com trusts IPA at ipa.example.com
- AD example.org trusts AD example.com
- a trust is tried to be established between ipa.example.com and
example.org,
there will be a trust topology conflict detected by example.org domain
controller because ipa.example.com DNS namespace overlaps with
example.com DNS namespace.
This type of trust topology conflict is documented in MS-ADTS 6.1.6.9.3.2
"Building Well-Formed msDS-TrustForestTrustInfo Message". A similar
conflict can arise for SID and NetBIOS namespaces. However, unlike SID
and NetBIOS namespaces, we can solve DNS namespace conflict
automatically if there are administrative credentials for example.org
available.
A manual sequence to solve the DNS namespace conflict is described in
https://msdn.microsoft.com/it-it/library/cc786254%28v=ws.10%29.aspx.
This sequence boils down to the following steps:
1. As an administrator of the example.org, you need to add an
exclusion entry for ipa.example.com in the properties of the trust to
example.com
2. Establish trust between ipa.example.com and example.org
It is important to add the exclusion entry before step 4 or there will
be conflict recorded which cannot be cleared easily right now due to a
combination of bugs in both IPA and Active Directory.
This patchset implements automated solution for the case when we have
access to the example.org's administrator credentials:
1. Attempt to establish trust and update trust topology information.
2. If trust topology conflict is detected as result of (1):
2.1. Fetch trust topology infromation for the conflicting forest
trust
2.2. Add exclusion entry to our domain to the trust topology obtained
in (2.1)
2.3. Update trust topology for the conflicting forest trust
3. Re-establish trust between ipa.example.com and example.org
We cannot do the same for shared secret trust and for external trust,
though:
1. For shared secret trust we don't have administrative credentials
in the forest reporting the conflict
2. For the external trust we cannot set topology information due to
MS-LSAD 3.1.4.7.16 because external trust is non-transitive by
definition and thus setting topology information will fail.
To test this logic one can use two Samba AD forests with FreeIPA
using a sub-domain of one of them.
Fixes: https://fedorahosted.org/freeipa/ticket/6076
Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>
|
||
|---|---|---|
| asn1 | ||
| checks | ||
| client | ||
| contrib | ||
| daemons | ||
| doc | ||
| init | ||
| install | ||
| ipaclient | ||
| ipalib | ||
| ipaplatform | ||
| ipapython | ||
| ipaserver | ||
| ipatests | ||
| util | ||
| .gitignore | ||
| .mailmap | ||
| ACI.txt | ||
| API.txt | ||
| autogen.sh | ||
| BUILD.txt | ||
| Contributors.txt | ||
| COPYING | ||
| COPYING.openssl | ||
| freeipa.spec.in | ||
| ipa | ||
| ipa.1 | ||
| lite-server.py | ||
| make-doc | ||
| make-test | ||
| makeaci | ||
| makeapi | ||
| Makefile | ||
| MANIFEST.in | ||
| pylint_plugins.py | ||
| pylintrc | ||
| pytest.ini | ||
| README | ||
| setup.py | ||
| VERSION | ||
| version.m4.in | ||
| zanata.xml | ||
IPA Server
Overview
--------
FreeIPA allows Linux administrators to centrally manage identity,
authentication and access control aspects of Linux and UNIX systems
by providing simple to install and use command line and web based
managment tools.
FreeIPA is built on top of well known Open Source components and standard
protocols with a very strong focus on ease of management and automation
of installation and configuration tasks.
FreeIPA can seamlessly integrate into an Active Directory environment via
cross-realm Kerberos trust or user synchronization.
Benefits
--------
FreeIPA:
* Allows all your users to access all the machines with the same credentials
and security settings
* Allows users to access personal files transparently from any machine in
an authenticated and secure way
* Uses an advanced grouping mechanism to restrict network access to services
and files only to specific users
* Allows central management of security mechanisms like passwords,
SSH Public Keys, SUDO rules, Keytabs, Access Control Rules
* Enables delegation of selected administrative tasks to other power users
* Integrates into Active Directory environments
Components
----------
The FreeIPA project provides unified installation and management
tools for the following components:
* LDAP Server - based on the 389 project (LDAP)
http://directory.fedoraproject.org/wiki/Main_Page
* KDC - based on MIT Kerberos implementation
http://k5wiki.kerberos.org/wiki/Main_Page
* PKI based on Dogtag project
http://pki.fedoraproject.org/wiki/PKI_Main_Page
* Samba libraries for Active Directory integration
http://www.samba.org/
* DNS Server based on BIND and the Bind-DynDB-LDAP plugin
https://www.isc.org/software/bind
https://fedorahosted.org/bind-dyndb-ldap
Project Website
---------------
Releases, announcements and other information can be found on the IPA
server project page at <http://www.freeipa.org/>.
Documentation
-------------
The most up-to-date documentation can be found at
<http://freeipa.org/page/Documentation>.
Quick Start
-----------
To get started quickly, start here:
<http://www.freeipa.org/page/Quick_Start_Guide>
Licensing
---------
Please see the file called COPYING.
Contacts
--------
* If you want to be informed about new code releases, bug fixes,
security fixes, general news and information about the IPA server
subscribe to the freeipa-announce mailing list at
<https://www.redhat.com/mailman/listinfo/freeipa-interest/>.
* If you have a bug report please submit it at:
<https://bugzilla.redhat.com>
* If you want to participate in actively developing IPA please
subscribe to the freeipa-devel mailing list at
<https://www.redhat.com/mailman/listinfo/freeipa-devel/> or join
us in IRC at irc://irc.freenode.net/freeipa