On Thu, 23 Apr 2020, Natxo Asenjo via FreeIPA-users wrote:
On Thu, Apr 23, 2020 at 8:47 AM Alexander Bokovoy <abokovoy(a)redhat.com> wrote:
>
> Domain local groups are not visible through the forest trust, so they cannot
> be used in FreeIPA for access control purposes.
>
> Global groups can be used if they are security groups and not just
> distribution groups.
>
aha, thanks for this piece of information, I could not find it in the
documentation (which is probably entirely my fault ;-) ).
Is this the reason why?
https://docs.microsoft.com/en-us/windows/win32/ad/group-objects
In that document, in the scope part:
group scope     group can be assigned permission in
-------------   -------------------------------------------------
universal       any domain or forest
global          Member permissions can be assigned in any domain
domain local    Member permissions can be assigned only within the same
                domain as the parent domain local group
Is this the technical reason the IdM trusting forest cannot see the domain
local groups? So we require global or universal groups?
I need to justify some stuff to our AD people, that's why I ask ;-)
It is covered in Microsoft documentation for Active Directory protocols.
MS-AUTHSOD 1.1.1.4.1:
https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-authsod/5...
MS-KILE 3.3.5.7.3:
https://docs.microsoft.com/en-us/openspecs/windows_protocols/MS-KILE/e55a...
MS-PAC 4.1.2.1:
https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-pac/6dd1b...
So *any* service ticket towards a service outside of the user's domain
will not have domain local groups in the PAC record when issued by an AD
DC. As a result, when SSSD on an IPA client analyzes the PAC record from
the user's Kerberos ticket, it will not have any domain local groups
mentioned there, and they cannot be used to define access rights outside
of the domain.
--
/ Alexander Bokovoy
Sr. Principal Software Engineer
Security / Identity Management Engineering
Red Hat Limited, Finland
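A small added check, not part of this thread or of FreeIPA/SSSD, that applies the rule above to raw AD groupType values (as returned by an LDAP search of the group objects): it decodes scope and security-enabled flags and predicts which of a user's groups can appear in the PAC of a cross-domain service ticket, and so which ones IPA access control can rely on. The flag values are the documented AD groupType bits; the sample group entries are constructed.

```python
# Added example: predict which AD groups survive a forest-trust PAC.
# groupType bit values as documented for Active Directory group objects.
GROUP_TYPE_GLOBAL = 0x00000002
GROUP_TYPE_DOMAIN_LOCAL = 0x00000004
GROUP_TYPE_UNIVERSAL = 0x00000008
GROUP_TYPE_SECURITY_ENABLED = 0x80000000

# Constructed sample: (sAMAccountName, groupType as LDAP returns it, i.e. signed 32-bit)
SAMPLE_GROUPS = [
    ("linux-admins", -2147483646),      # global, security-enabled
    ("linux-local-acl", -2147483644),   # domain local, security-enabled
    ("all-staff", 8),                   # universal distribution group
    ("forest-ops", -2147483640),        # universal, security-enabled
]


def decode_group_type(group_type):
    """Return (scope, is_security) for a raw groupType value.

    LDAP exposes groupType as a signed 32-bit integer, so the value is
    normalised to unsigned before the bits are tested.
    """
    gt = group_type & 0xFFFFFFFF
    if gt & GROUP_TYPE_DOMAIN_LOCAL:
        scope = "domain local"
    elif gt & GROUP_TYPE_GLOBAL:
        scope = "global"
    elif gt & GROUP_TYPE_UNIVERSAL:
        scope = "universal"
    else:
        scope = "unknown"
    return scope, bool(gt & GROUP_TYPE_SECURITY_ENABLED)


def usable_across_trust(group_type):
    """True if the group is expected in the PAC of a service ticket issued
    for a service outside the user's domain: only security-enabled global
    and universal groups qualify; domain local and distribution groups do not."""
    scope, is_security = decode_group_type(group_type)
    return is_security and scope in ("global", "universal")


def classify_groups(entries):
    """Map group name -> (scope, is_security, usable) for a list of (name, groupType)."""
    result = {}
    for name, group_type in entries:
        scope, is_security = decode_group_type(group_type)
        result[name] = (scope, is_security, usable_across_trust(group_type))
    return result


if __name__ == "__main__":
    for name, (scope, sec, usable) in classify_groups(SAMPLE_GROUPS).items():
        print(f"{name:18} {scope:13} security={sec!s:5} usable_via_trust={usable}")
```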