0648053 ipa provider: always use a special keytab to talk to a trusted DC

2 files Authored by abbra 5 years ago, Committed by jhrozek 5 years ago,
    ipa provider: always use a special keytab to talk to a trusted DC
    
    When FreeIPA is set up to trust an Active Directory forest, we should be
    using trusted domain object credentials regardless of the trust
    direction. Previously, SSSD relied on FreeIPA KDC issuing a cross-realm
    referral towards a trusted domain. However, this does not work
    currently with Samba AD and in general we want to move away to use
    TDO in all cases as it is guaranteed to have correct permissions on AD
    side.
    
    Signed-of-by: Alexander Bokovoy <abokovoy@redhat.com>
    
    Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>