Samba4/Proposal for IPA to AD MIT trust

MIT Trusts design

An implementation of the requirements for an IPA to AD trust

Components

KDC

The KDC will need to be modified at least to give referrals to the AD domain for user and machine requests.

LDAP server

Operating as current FreeIPA versions do.

IPA servers

Servers will use SSSD to lookup user identity information in AD, via a RPC proxy at the IPA server

IPA clients

Clients will need a Kerberos library capable of following referrals to find the AD servers.

The SSSD will need to lookup user identity information in AD, via a RPC proxy at the IPA server

Windows server sync

Something like AD-sync will need to operate, to keep shadow copies of all IPA users in AD. However, AD users will not need to be in IPA (this may lead to all users being in AD at some sites)

Advantages

Much less work than implementing Forest trusts

Disadvantages

Little change from the current situation with AD-sync, as all users in FreeIPA must be copied into AD (except for their passwords), so that AD can create a PAC for these users (without a PAC, windows clients and servers do not know what groups a user is in, and will reject the Kerberos ticket).

This copy of the user would also have it's own principal, which can also cause confusion, as the user now exists twice. IPA clients reading both AD and IPA directories would need to filter out these duplicate users.