ipa provider: expand search base to cover trusted domain objects
In case of a trust between FreeIPA and an Active Directory, domain
controller would use a TDO object in the trusting domain to
authenticate. Due to how trusted domain objects are used in Active
Directory, a domain controller from the trusted domain either synthesize
a Kerberos ticket without MS-PAC or would use NTLMSSP to authenticate.
On IPA master smbd process will attempt to validate successfully
authenticated TDO principal by looking at its MS-PAC structure, only to
find it is missing. As result, smbd will revert to a direct getpwnam()
to see if this user exists on the system.
Because TDO objects are stored under cn=trusts,$SUFFIX in FreeIPA, they
couldn't be found by SSSD which uses cn=accounts,$SUFFIX by default. Add
a search base to look up cn=trusts,$SUFFX to allow TDO objects to be
On FreeIPA side access controls are put in place so that only AD trust
agents are able to see a content of the cn=trusts,$SUFFIX subtree.
Signed-of-by: Alexander Bokovoy <firstname.lastname@example.org>
Reviewed-by: Jakub Hrozek <email@example.com>