Scenario #22613

Updated by Daniel Dehennin over 6 years ago

Hackathon follow-up

The idea is to check that several AD domains (2 schools) can be managed with a single FreeIPA at the académie level.

* Build a test bed
* Check that a PC in school 1 can connect to a resource in school 2 thanks to FreeIPA authentication
* Write up an assessment regarding Samba:
** GPOs?
** trusted resources?

NB: this is probably of no interest for this scenario, but I am told that Cadoles has "creolised" the tool (made it configurable through Creole):
* https://forge.cadoles.com/Cadoles/eole-freeipa
* https://forge.cadoles.com/Cadoles/eole-freeipa-client

Use this scenario to write the workshop report ;)

h3. IRC conversation excerpt:

> <nebuchadnezzar> As far as I understand the documentation, I found only scenarios where people have an AD
> and plug a FreeIPA to permit some Linux workstation to access AD resources. I would like to make the other way:
> 1) one FreeIPA cluster with all users (fed from an existing LDAP) 2) each site with its own samba4 AD to
> manage windows resources (workstations, printers, etc) and authenticating users against the FreeIPA. This setup
> is working but I wonder if I can make the Samba4 ADs see the FreeIPA users and groups to define ACLs and
> GPO. To illustrate: (cf. attachment:FreeIPA-Samba4AD.svg)
> [...]
> <ab> nebuchadnezzar: not supported.
> <ab> nebuchadnezzar: (not supported yet). Also Samba AD DC with MIT Kerberos currently cannot trust freeIPA
> due to a bug in Samba. Heimdal version sort of works.
> [...]
> <nebuchadnezzar> ab: thanks, does this require something on the samba side? like making samba4 use sssd
> to access FreeIPA infos?
> <ab> nebuchadnezzar: there are some things missing on ipa side, some on samba.
> [...]
> <nebuchadnezzar> ab: OK, do you have some tickets or RFC pages to see if we can make some contribution? We
> pay for some development on the samba side, maybe we can do a little on the FreeIPA side?
> <ab> nebuchadnezzar: it is not a money question, we need some development forces as I'm overloaded on the AD dev front
> [...]
> <nebuchadnezzar> thanks, do you want me to explain our use case more clearly? Or just chat about what
> needs to be done and see if we can propose a patch?
> <ab> yes, explain your use case
> <nebuchadnezzar> OK, I'll do that
> <nebuchadnezzar> thanks a lot
> <ab> I know what needs to be done, I just have limited time to do it
> <ab> Read this: http://talks.vda.li/2017/SambaXP/freeipa_gc.pdf
> <ab> this is a presentation I made at the latest SambaXP about global catalog support in FreeIPA
> <ab> this is what we are currently missing
> <ab> to allow AD DCs to look up IPA users over trust