14faec9 ipa provider: expand search base to cover trusted domain objects

1 file. Authored by abbra 6 years ago, committed by jhrozek 6 years ago.
    ipa provider: expand search base to cover trusted domain objects
    
    In case of a trust between FreeIPA and an Active Directory, a domain
    controller would use a TDO object in the trusting domain to
    authenticate. Due to how trusted domain objects are used in Active
    Directory, a domain controller from the trusted domain either synthesizes
    a Kerberos ticket without MS-PAC or would use NTLMSSP to authenticate.
    On the IPA master, the smbd process will attempt to validate the
    successfully authenticated TDO principal by looking at its MS-PAC
    structure, only to find it is missing. As a result, smbd will revert to
    a direct getpwnam() to see if this user exists on the system.
    
    Because TDO objects are stored under cn=trusts,$SUFFIX in FreeIPA, they
    couldn't be found by SSSD, which uses cn=accounts,$SUFFIX by default. Add
    a search base to look up cn=trusts,$SUFFIX to allow TDO objects to be
    queried.
    
    On the FreeIPA side, access controls are put in place so that only AD
    trust agents are able to see the content of the cn=trusts,$SUFFIX subtree.
    
    Signed-off-by: Alexander Bokovoy <abokovoy@redhat.com>
    
    Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
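The root cause the commit message describes is a search-scope question: an entry under cn=trusts,$SUFFIX is simply not inside a subtree search rooted at cn=accounts,$SUFFIX, so no amount of filtering would have returned it. The following is an added example, not SSSD's or FreeIPA's own code, that normalizes LDAP DNs and checks which configured search base (if any) covers a given entry; the suffix dc=example,dc=test, the TDO DN shape cn=ad.example.test,cn=ad,cn=trusts,..., and the user DN are constructed sample values. It simplifies LDAP matching rules to case-insensitive comparison of attribute types and values, which is adequate for cn/dc components but not a general-purpose DN matcher.

```python
"""Added example (not SSSD's code): which search base covers an entry?"""


def split_dn(dn: str) -> list:
    """Split a DN into RDN strings, honouring backslash-escaped commas."""
    parts, cur, i = [], [], 0
    while i < len(dn):
        ch = dn[i]
        if ch == "\\" and i + 1 < len(dn):
            cur.append(dn[i:i + 2])  # keep the escape pair intact
            i += 2
            continue
        if ch == ",":
            parts.append("".join(cur))
            cur = []
        else:
            cur.append(ch)
        i += 1
    parts.append("".join(cur))
    return [p.strip() for p in parts]


def normalize_rdn(rdn: str) -> tuple:
    """Lower-case attribute type and value (simplified caseIgnoreMatch)."""
    attr, sep, value = rdn.partition("=")
    if not sep:
        raise ValueError(f"not an RDN: {rdn!r}")
    return (attr.strip().lower(), value.strip().lower())


def normalize_dn(dn: str) -> tuple:
    return tuple(normalize_rdn(r) for r in split_dn(dn))


def dn_in_scope(entry_dn: str, base_dn: str, scope: str = "sub") -> bool:
    """True if entry_dn is returned by a search rooted at base_dn.

    scope follows LDAP semantics: 'base' (the base entry only),
    'one' (direct children only) or 'sub' (base and all descendants).
    """
    entry, base = normalize_dn(entry_dn), normalize_dn(base_dn)
    # A DN is under a base when its trailing RDNs equal the base's RDNs.
    if len(entry) < len(base) or entry[len(entry) - len(base):] != base:
        return False
    depth = len(entry) - len(base)
    if scope == "base":
        return depth == 0
    if scope == "one":
        return depth == 1
    if scope == "sub":
        return True
    raise ValueError(f"unknown scope {scope!r}")


def first_matching_base(entry_dn: str, search_bases: list, scope: str = "sub"):
    """Return the first configured base whose scope contains entry_dn, else None."""
    for base in search_bases:
        if dn_in_scope(entry_dn, base, scope):
            return base
    return None


# Constructed sample values; the TDO DN layout is an assumption for illustration.
SUFFIX = "dc=example,dc=test"
DEFAULT_BASES = [f"cn=accounts,{SUFFIX}"]
EXPANDED_BASES = DEFAULT_BASES + [f"cn=trusts,{SUFFIX}"]
TDO_DN = f"cn=ad.example.test,cn=ad,cn=trusts,{SUFFIX}"
USER_DN = f"uid=alice,cn=users,cn=accounts,{SUFFIX}"


if __name__ == "__main__":
    for label, bases in (("default", DEFAULT_BASES), ("expanded", EXPANDED_BASES)):
        print(f"{label:8s} user -> {first_matching_base(USER_DN, bases)}")
        print(f"{label:8s} TDO  -> {first_matching_base(TDO_DN, bases)}")
```

With the default base list the user entry resolves but the TDO entry returns None; only after cn=trusts,$SUFFIX is appended does the TDO entry map to a base, which is the behaviour change the commit introduces in SSSD's IPA provider.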