On Mon, 13 Aug 2018, Hacker Sword via FreeIPA-users wrote:
> Hi Alex,
>
>> The documentation is only conflicting if you are using it in a
>> conflicting way.
>> The choice of Kerberos library is important. Samba AD DC with MIT
>> Kerberos still is broken regarding trust to FreeIPA.
>
> Pardon my ignorance, I am just going by the documentation as is w/ no prior
> knowledge ... where in the documentation is that specified?
>
> The two main documentation pages I see when googling "freeipa AD trust" are:
>
> https://www.freeipa.org/page/Active_Directory_trust_setup

This is a generic 'setup a trust to Active Directory' page. Its content
was written and tested while using Active Directory implementation from
Microsoft.

> https://www.freeipa.org/page/Windows_authentication_against_FreeIPA
>
>> 1. If you do not have AD then use Samba 4 instead of it. As of Samba
>> 4.3, Samba AD can establish cross-realm trusts. The feature is still
>> incomplete and lacks proper access controls but it can be configured to
>> trust FreeIPA.

This is a page contributed by users. As with any wiki, it may contain
incomplete or incorrect information.

> It has no caveats or warnings on how Samba is to be compiled/configured.
> This older doc https://www.freeipa.org/page/IPAv3_AD_trust#Samba does, but
> is for IPAv3 (which I assumed was outdated).

This one is a general architecture page for IPA itself, written at the
time when we started working on a trust to AD feature. Samba AD DC was
not ready at that point for any forest trust.

> I thought Samba by default used Heimdal, but you warn that Kerberos is the
> broken implementation.

Things pretty much depend on your choice of distribution and compile
options.

>> The changes were pushed out with various Samba releases but I'd recommend
>> looking at Samba 4.7+ -- at least that has all bugs we knew about fixed in
>> Samba AD DC based on Heimdal
>
> I am using Samba 4.8.3 compiled from source; is it recommended to instead
> use the Red Hat RPM one (currently appears to be 4.7.1)?
>
> I configured with
>
>   ./configure --enable-debug --enable-selftest --with-ads --with-systemd
>   --with-winbind

This would use embedded Heimdal build, I believe.

> The other confusing parts, at least to me, in regards to Samba setup ... do
> you know a working configuration using the Samba internal DNS, or do you
> have to use the BIND9 DLZ backend? Regardless of the Kerberos, I still
> think my preliminary issue is with DNS as I see the error.
>
>> ipa: ERROR: Attempt to solve forest trust topology conflicts [Fri Aug 10
>> 11:58:43.125865 2018] [:error] [pid 6169]
>> ipa: ERROR: non-public: NTSTATUSError: (-1073741601, 'The specified
>> domain did not exist.')

This doesn't look related to DNS but rather to a particular feature of a
forest trust where you are using overlapping names for any of 'NetBIOS
name', 'DNS domain name', or SIDs for domains from both forests.

> I understand this is the FreeIPA forum, and you can't be responsible for
> the documentation or limitations of Samba ... It's just YOUR documentation
> does say you can use Samba ... is that just in theory, or is there an actual
> working case of it somewhere?

Our documentation does not say anything about that. Wiki may have
mentions of some practical scenarios some users had success with.
FreeIPA release documentation is hosted at Red Hat's site, not on the
FreeIPA wiki.

> Most ALL of the documentation I've seen seems very specific to "Windows
> 2008 DC" (or similar). Am I on a wild goose chase, or is there some
> exact specific combination of how you configure Samba (Kerberos, DNS
> backend, etc.) that will work with FreeIPA?

https://github.com/abbra/cockpit-app-samba-ad/blob/master/lib/samba-ad-se...
contains the actual sequence I'm using on Fedora 28 to automatically
configure Samba AD DC, where ${options.setup_type} is 'dc'.

Except for the bit of a generated krb5.conf config snippet, this should
work regardless which Kerberos option you did choose to use. The
Kerberos bit is specific for MIT Kerberos because older Heimdal version
embedded in Samba does not support directory includes.

Without the patches I was talking about in this thread you would not be
able to establish trust from Samba side (e.g. using samba-tool).

> Backing up to answer your basic question
>
>> What is your use case, in the first place?
>> You want to run Samba AD DC and establish a trust from it to FreeIPA?
>
> Yes, I am trying to implement an SSO solution for logon accounts for both
> Windows 10 clients and Linux clients (and other web/OAuth services that
> already integrate into FreeIPA).
>
> It was my understanding that the current/only way to do this was
> 1) Run Samba AD that has user accounts
> 2) establish trust from FreeIPA -> Samba

Correct, with the replacement that it is really about a compliant Active
Directory deployment that supports proper forest trust rather than Samba
AD DC specifically.

And Windows 10 clients should be of a version that actually supports
enrolling into Active Directory.
--
/ Alexander Bokovoy
Sr. Principal Software Engineer
Security / Identity Management Engineering
Red Hat Limited, Finland
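An added example, not code from this thread, from FreeIPA or from Samba: a small Python preflight check for the condition Alexander points at above, namely that a forest trust fails when the two forests share or overlap in NetBIOS name, DNS domain name, or domain SID. It also converts the signed NTSTATUS value the IPA error prints (-1073741601) into the unsigned hex form Microsoft's documentation uses, so the code can be looked up. The forest labels, domain names and SIDs below are constructed placeholders, not the poster's environment; collect the real values from each side (for example `ipa trustconfig-show` on the IPA side and the names/SID Samba was provisioned with) before running it against a deployment. Treating a DNS subdomain of the other forest's domain as an overlap is my assumption about what "overlapping names" covers, not a statement from the thread.

```python
#!/usr/bin/env python3
"""Preflight check for forest trust name/SID conflicts.

Added example, not code from the thread, FreeIPA or Samba. A forest trust
cannot be established when the two forests share (or overlap in) NetBIOS
names, DNS domain names, or domain SIDs. Inputs below are constructed
placeholders, not a real deployment.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Forest:
    """Names a forest claims. List every domain in the forest, not just the root."""
    label: str
    dns_domains: frozenset
    netbios_names: frozenset
    sids: frozenset


def norm_dns(name: str) -> str:
    """Lower-case and strip a trailing dot; DNS names compare case-insensitively."""
    return name.strip().rstrip(".").lower()


def dns_overlaps(a: str, b: str) -> bool:
    """Equal names overlap; so does a name that is a subdomain of the other
    (assumption: a child namespace conflicts with the parent's top-level name)."""
    a, b = norm_dns(a), norm_dns(b)
    return a == b or a.endswith("." + b) or b.endswith("." + a)


def find_conflicts(local: Forest, remote: Forest) -> list:
    """Return (kind, local_value, remote_value) tuples for every collision found."""
    found = []
    for ld in sorted(local.dns_domains):
        for rd in sorted(remote.dns_domains):
            if dns_overlaps(ld, rd):
                found.append(("dns", ld, rd))
    # NetBIOS names are flat and case-insensitive.
    for ln in sorted(local.netbios_names):
        for rn in sorted(remote.netbios_names):
            if ln.upper() == rn.upper():
                found.append(("netbios", ln, rn))
    # A domain SID must be unique across both forests.
    for sid in sorted(local.sids & remote.sids):
        found.append(("sid", sid, sid))
    return found


def ntstatus_hex(signed: int) -> str:
    """IPA prints NTSTATUS as a signed 32-bit int; Microsoft's docs use unsigned hex."""
    return "0x%08X" % (signed & 0xFFFFFFFF)


# Constructed sample forests. Names and SIDs are placeholders.
IPA = Forest("FreeIPA", frozenset({"ipa.example.test"}), frozenset({"IPA"}),
             frozenset({"S-1-5-21-1111111111-2222222222-3333333333"}))

SAMBA_OK = Forest("Samba AD DC", frozenset({"ad.example.test"}), frozenset({"AD"}),
                  frozenset({"S-1-5-21-4444444444-5555555555-6666666666"}))

# Three ways the topology would conflict: the AD forest owns the parent DNS
# namespace of the IPA domain, reuses the NetBIOS name, and cloned the SID.
SAMBA_BAD = Forest("Samba AD DC", frozenset({"example.test"}), frozenset({"ipa"}),
                   frozenset({"S-1-5-21-1111111111-2222222222-3333333333"}))


def report(local: Forest, remote: Forest) -> str:
    """Human-readable summary of find_conflicts()."""
    conflicts = find_conflicts(local, remote)
    if not conflicts:
        return f"{local.label} <-> {remote.label}: no name or SID overlap"
    lines = [f"{local.label} <-> {remote.label}: {len(conflicts)} conflict(s)"]
    lines += [f"  {kind:8s} {lv!r} overlaps {rv!r}" for kind, lv, rv in conflicts]
    return "\n".join(lines)


if __name__ == "__main__":
    print(report(IPA, SAMBA_OK))
    print(report(IPA, SAMBA_BAD))
    # The value from the thread; 0xC00000DF is STATUS_NO_SUCH_DOMAIN.
    print("NTSTATUS", ntstatus_hex(-1073741601))
```

The check is deliberately pessimistic: it flags a subdomain relationship as well as an exact match, because a trust where one forest's DNS namespace sits under the other's needs explicit top-level-name exclusions and is exactly the kind of setup that turns into a "topology conflict" error rather than a clear message.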