This ticket is a sub-task of #364, but since this functionality might be useful for the AD provider even without trust, I thought it is a good idea to track it separately.
Enterprise principals are used in environments with more than one realm but the realms all belong to a large unit which is called enterprise in this context. See section 5 of http://tools.ietf.org/html/rfc6806 for more details.
A typical use case is AD environments with trust, but enterprise principals are also useful in an environment with only a single AD domain when additional UPN suffixes are used. E.g. if there is an AD domain ad.com with an additional UPN suffix extra.dom and a user abc configured with the additional UPN suffix
kinit abc@AD.COM
will work, but neither
kinit abc@EXTRA.DOM
nor
kinit -C abc@EXTRA.DOM
What is needed is to handle the abc@EXTRA.DOM principal as an enterprise principal
kinit -E abc@EXTRA.DOM
To make the last example work, AD.COM must be the default realm in /etc/krb5.conf, which would be typical for an AD domain member.
SSSD should get a new boolean option krb5_use_enterprise_principal and the Kerberos child should make sure that the appropriate default realm is used for the AS_REQ. By default the new option should be false, but for the AD provider it should be true.
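The following is an added example, not part of the ticket and not SSSD or MIT Kerberos code: a simplified Python model of how the kinit invocations above map to the realm and client name of the AS_REQ, showing why the enterprise form depends on the default realm. The names AsReqTarget, build_target and routable are hypothetical, and escaped separators in principal names are not handled.

```python
from dataclasses import dataclass

NT_PRINCIPAL = 1    # ordinary principal name type (RFC 4120)
NT_ENTERPRISE = 10  # enterprise name type (RFC 6806, section 5)


@dataclass(frozen=True)
class AsReqTarget:
    realm: str          # realm whose KDC receives the AS_REQ
    name_type: int      # name-type of the client name
    components: tuple   # name-string components of the client name
    canonicalize: bool  # RFC 6806 "canonicalize" KDC option


def build_target(name, default_realm, enterprise=False, canonicalize=False):
    """Model how a typed name becomes the realm and cname of an AS_REQ."""
    if enterprise:
        # The whole input, '@' included, is a single opaque component.
        # The request goes to the default realm, whose KDC maps the UPN
        # to the real account; hence the default realm requirement.
        return AsReqTarget(default_realm, NT_ENTERPRISE, (name,), canonicalize)
    local, at, realm = name.rpartition("@")
    if not at:
        # No realm typed: fall back to the default realm.
        local, realm = name, default_realm
    # Ordinary parsing: the text after the last '@' is taken as the realm.
    return AsReqTarget(realm, NT_PRINCIPAL, tuple(local.split("/")), canonicalize)


def routable(target, realms_with_kdc):
    """A request can only be sent if a KDC exists for the target realm."""
    return target.realm in realms_with_kdc


if __name__ == "__main__":
    # Constructed scenario from the ticket: AD.COM is the only real realm,
    # EXTRA.DOM is merely an additional UPN suffix.
    realms = {"AD.COM"}
    cases = [
        ("kinit abc@AD.COM", dict(name="abc@AD.COM")),
        ("kinit abc@EXTRA.DOM", dict(name="abc@EXTRA.DOM")),
        ("kinit -C abc@EXTRA.DOM", dict(name="abc@EXTRA.DOM", canonicalize=True)),
        ("kinit -E abc@EXTRA.DOM", dict(name="abc@EXTRA.DOM", enterprise=True)),
    ]
    for label, kwargs in cases:
        target = build_target(default_realm="AD.COM", **kwargs)
        print(f"{label:24} -> realm={target.realm:10} type={target.name_type:2} "
              f"name={target.components} routable={routable(target, realms)}")
```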
Ticket has been cloned to Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=924404
rhbz: => [https://bugzilla.redhat.com/show_bug.cgi?id=924404 924404]
Fields changed
milestone: NEEDS_TRIAGE => SSSD 1.10 beta
patch: 0 => 1 status: new => assigned
resolution: => fixed status: assigned => closed
Linked to Bugzilla bug: https://bugzilla.redhat.com/show_bug.cgi?id=972357 (Fedora)
rhbz: [https://bugzilla.redhat.com/show_bug.cgi?id=924404 924404] => [https://bugzilla.redhat.com/show_bug.cgi?id=924404 924404], [https://bugzilla.redhat.com/show_bug.cgi?id=972357 972357]
Linked to Bugzilla bug: https://bugzilla.redhat.com/show_bug.cgi?id=1079783 (Red Hat Enterprise Linux 6)
rhbz: [https://bugzilla.redhat.com/show_bug.cgi?id=924404 924404], [https://bugzilla.redhat.com/show_bug.cgi?id=972357 972357] => [https://bugzilla.redhat.com/show_bug.cgi?id=924404 924404], [https://bugzilla.redhat.com/show_bug.cgi?id=972357 972357], [https://bugzilla.redhat.com/show_bug.cgi?id=1079783 1079783]
Metadata Update from @sbose: - Issue assigned to sbose - Issue set to the milestone: SSSD 1.10 beta
SSSD is moving from Pagure to Github. This means that new issues and pull requests will be accepted only in SSSD's github repository.
This issue has been cloned to Github and is available here: - https://github.com/SSSD/sssd/issues/2884
If you want to receive further updates on the issue, please navigate to the github issue and click on the subscribe button.
Thank you for understanding. We apologize for all inconvenience.