Bug 1847205

Summary: [RFE] Allow accounts stored in Azure AD access Linux systems joined into and managed by IdM.
Product: Red Hat Enterprise Linux 8 Reporter: Paul Gozart <pgozart>
Component: ipaAssignee: Florence Blanc-Renaud <frenaud>
Status: NEW --- QA Contact: ipa-qe <ipa-qe>
Severity: unspecified Docs Contact:
Priority: unspecified    
Version: 8.1CC: abokovoy, pasik, rcritten, tscherf
Target Milestone: rcKeywords: FutureFeature, Triaged
Target Release: 8.0   
Hardware: x86_64   
OS: Linux   
Whiteboard:
Fixed In Version: Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:

Description Paul Gozart 2020-06-15 22:34:29 UTC 
Description of RFE:

After having a customer call with Dmitri from the IdM BU, he asked that I create this RFE on behalf of the customer.

Allow accounts stored in Azure AD access Linux systems joined into and managed by IdM.  Allow sudo, hbac and SSH key management for those accounts.

Large TAM customer currently has about 5,000 RHEL systems on-prem and about 3,000 RHEL systems in Azure with management asking for a larger RHEL-in-Azure footprint.  This RFE will allow the customer to continue adding RHEL subs as their focus continues to shift towards Azure.
Comment 3 Mike Murphy 2021-11-17 15:33:26 UTC 
from customer: Are there any efforts on supporting multifactor logins with users who have a microsoft authenticator token for example that could integrate into IDM ? This is the current configuration we have today for multi-factor authentication for a large chunk of users. Would this type of multifactor authentication be supported in our current configuration given we are reliant on an AD trust ?
Comment 4 Alexander Bokovoy 2021-11-17 15:40:53 UTC 
It is impossible to answer these questions without knowing specific details of the implementation in use.

A generic answer is that with Kerberos, the source of truth is the KDC that stores information about the user. In case of Active Directory, those are Active Directory domain controllers, not IdM servers. As far as I know, Active Directory has no support for multifactor authentication on Kerberos level. Instead, they have it all integrated on the Windows operating system level and use a different protocol to authenticate the user on Windows desktop and then obtain a Kerberos ticket based on that. This method is not supported and will unlikely be supported as it is all proprietary.

Once a Kerberos ticket granting ticket is obtained on Windows machine, it can be used to authenticate to RHEL IdM-enrolled machines over trust to Active Directory with the help of PuTTY or similar applications.