Dan Dietterich
2017-03-22 14:56:22 UTC
I am trying to understand if it is possible to NAT between a network running Active Directory (AD) and a network running FreeIPA and have one-way trust from FreeIPA to the AD.
My hypothesis is that it is not possible, for two reasons. First, I understand that Kerberos uses several techniques (ip addresses in the protocol, reverse DNS lookups) to make sure there is no "man in the middle." The proxy is a man in the middle. Second, I understand that FreeIPA retrieves the layout of domain controllers (DC) from the initial AD DC it builds the trust with. The addresses returned are valid in the AD network and are not translated into the FreeIPA network. FreeIPA will not be able to route to those IP addresses.
I have read about proxying Kerberos protocol over https (https://web.mit.edu/kerberos/krb5-devel/doc/admin/https.html)
I have read about proxying LDAP (https://wiki.samba.org/index.php/OpenLDAP_as_proxy_to_AD)
I do not know all of the protocols used to operate AD <-> FreeIPA trust, so I'm not sure there is even software available to do such a thing.
Thanks for any insight!
Dan
My hypothesis is that it is not possible, for two reasons. First, I understand that Kerberos uses several techniques (ip addresses in the protocol, reverse DNS lookups) to make sure there is no "man in the middle." The proxy is a man in the middle. Second, I understand that FreeIPA retrieves the layout of domain controllers (DC) from the initial AD DC it builds the trust with. The addresses returned are valid in the AD network and are not translated into the FreeIPA network. FreeIPA will not be able to route to those IP addresses.
I have read about proxying Kerberos protocol over https (https://web.mit.edu/kerberos/krb5-devel/doc/admin/https.html)
I have read about proxying LDAP (https://wiki.samba.org/index.php/OpenLDAP_as_proxy_to_AD)
I do not know all of the protocols used to operate AD <-> FreeIPA trust, so I'm not sure there is even software available to do such a thing.
Thanks for any insight!
Dan