#1842 Allow usage of enterprise principals
Closed: Fixed. Opened 6 years ago by sbose.

This ticket is a sub-task of #364, but since this functionality might be useful for the AD provider even without trust, I thought it was a good idea to track it separately.

Enterprise principals are used in environments with more than one realm but the realms all belong to a large unit which is called enterprise in this context. See section 5 of http://tools.ietf.org/html/rfc6806 for more details.

A typical use case is AD environments with trust, but also in an environment with only a single AD domain, enterprise principals are useful when additional UPN suffixes are used. E.g. if there is an AD domain ad.com with an additional UPN suffix extra.dom and a user abc configured with the additional UPN suffix,

kinit abc@AD.COM

will work, but neither

kinit abc@EXTRA.DOM

nor

kinit -C abc@EXTRA.DOM

will. What is needed is to handle the abc@EXTRA.DOM principal as an enterprise principal:

kinit -E abc@EXTRA.DOM

To make the last example work AD.COM must be the default realm in /etc/krb5.conf, which would be typical for an AD domain member.

SSSD should get a new boolean option krb5_use_enterprise_principal and the Kerberos child should make sure that the appropriate default realm is used for the AS_REQ. By default the new option should be false, but for the AD provider it should be true.
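The following is an added illustration for this ticket, not code from SSSD or MIT krb5. It models how the typed name becomes the client name (cname, name-type, realm) in the AS-REQ, with and without enterprise handling, using the author's understanding of the krb5_parse_name()/krb5_unparse_name() rules (assumption: first unescaped '@' separates the realm in normal mode; in enterprise mode the first '@' is part of the single name component, the realm comes from default_realm unless a second unescaped '@' is given, and '@' inside a component is shown backslash-escaped). The krb5.conf text is constructed for the example.

```python
"""Model of how kinit / libkrb5 derive the AS-REQ client name from a
typed principal, with and without enterprise principal handling.
Added example for SSSD ticket #1842; not SSSD or MIT krb5 code.  The
parsing rules below are a simplified model of krb5_parse_name() and
krb5_unparse_name() (assumption), enough to show why kinit abc@EXTRA.DOM
fails while kinit -E abc@EXTRA.DOM works when AD.COM is default_realm."""

import re

# Name types from RFC 4120 section 6.2 / RFC 6806 section 5.
KRB5_NT_PRINCIPAL = 1
KRB5_NT_ENTERPRISE_PRINCIPAL = 10

# Constructed krb5.conf, as an AD domain member of ad.com would have it.
KRB5_CONF = """\
[libdefaults]
    default_realm = AD.COM
    dns_lookup_kdc = true

[realms]
    AD.COM = {
    }
"""


def default_realm_from_krb5conf(text):
    """Return default_realm from [libdefaults], or None if unset."""
    section = None
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith(("#", ";")):
            continue
        m = re.fullmatch(r"\[(\w+)\]", line)
        if m:
            section = m.group(1)
            continue
        if section == "libdefaults":
            key, sep, value = line.partition("=")
            if sep and key.strip() == "default_realm":
                return value.strip()
    return None


def parse_principal(name, default_realm, enterprise=False):
    """Split a principal string into (components, realm, name_type).

    Normal mode: '/' separates components, the first unescaped '@' starts
    the realm.  Enterprise mode (kinit -E): the first '@' is part of the
    name, '/' is not a separator, and the realm is default_realm unless a
    second unescaped '@' follows.  Backslash escapes the next character.
    """
    components, cur, realm = [], [], None
    saw_at = False
    i = 0
    while i < len(name):
        c = name[i]
        if c == "\\" and i + 1 < len(name):
            cur.append(name[i + 1])      # escaped character is literal
            i += 2
            continue
        if c == "@":
            if enterprise and not saw_at:
                saw_at = True
                cur.append(c)            # '@' of the UPN stays in the name
            else:
                realm = name[i + 1:]     # explicit realm terminates parsing
                break
        elif c == "/" and not enterprise:
            components.append("".join(cur))
            cur = []
        else:
            cur.append(c)
        i += 1
    components.append("".join(cur))
    if realm is None:
        realm = default_realm
    nt = KRB5_NT_ENTERPRISE_PRINCIPAL if enterprise else KRB5_NT_PRINCIPAL
    return components, realm, nt


def unparse_principal(components, realm):
    """Display form: '/', '@' and '\\' inside a component are escaped,
    so the enterprise name abc@EXTRA.DOM in realm AD.COM is shown as
    abc\\@EXTRA.DOM@AD.COM (as klist prints it)."""
    esc = lambda s: re.sub(r"([\\/@])", r"\\\1", s)
    return "/".join(esc(c) for c in components) + "@" + realm


def as_req_client_name(typed_name, krb5_conf=KRB5_CONF, enterprise=False):
    """Fields the AS-REQ would carry for typed_name; 'realm' is the realm
    whose KDC kinit will try to contact."""
    comps, realm, nt = parse_principal(
        typed_name, default_realm_from_krb5conf(krb5_conf), enterprise)
    return {"name-type": nt, "name-string": comps, "realm": realm,
            "display": unparse_principal(comps, realm)}


if __name__ == "__main__":
    for name, ent in (("abc@AD.COM", False), ("abc@EXTRA.DOM", False),
                      ("abc@EXTRA.DOM", True)):
        print("kinit %s%s -> %s" % ("-E " if ent else "", name,
                                    as_req_client_name(name, enterprise=ent)))
```

Run as a script it prints the three cases from the ticket: the plain abc@EXTRA.DOM request is sent to a KDC for realm EXTRA.DOM (which does not exist, hence the failure, and -C does not change the realm), while the enterprise form keeps the whole UPN as the name-string, uses name-type 10 and the default realm AD.COM, which is why the default realm must be set correctly before the Kerberos child builds the AS-REQ.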

Fields changed

milestone: NEEDS_TRIAGE => SSSD 1.10 beta

Fields changed

patch: 0 => 1
status: new => assigned

resolution: => fixed
status: assigned => closed

Metadata Update from @sbose:
- Issue assigned to sbose
- Issue set to the milestone: SSSD 1.10 beta

2 years ago
