#1842 Allow usage of enterprise principals
Closed: Fixed None Opened 7 years ago by sbose.

This ticket is a sub-task of #364, but since this functionality might be useful for the AD provider even without trust, I thought it is a good idea to track it separately.

Enterprise principals are used in environments with more than one realm but the realms all belong to a large unit which is called enterprise in this context. See section 5 of http://tools.ietf.org/html/rfc6806 for more details.

A typical use case are AD environments with trust but also in an environment with only a single AD domain enterprise principals are useful when additional UPN suffixes are used. E.g. if there is a AD domain ad.com with an additional UPN suffix extra.dom and a user abc configured with the additional UPN suffix

kinit abc@AD.COM

will work, but neither

kinit abc@EXTRA.DOM

nor

kinit -C abc@EXTRA.DOM

What is needed is to handle the abc@EXTRA.DOM principal as enterprise principal

kinit -E abc@EXTRA.DOM

To make the last example work AD.COM must be the default realm in /etc/krb5.conf, which would be typical for an AD domain member.

SSSD should get a new boolean option krb5_use_enterprise_principal and the Kerberos child should make sure that the appropriate default realm is used for the AS_REQ. By default the new option should be false, but for the AD provider it should be true.


Fields changed

milestone: NEEDS_TRIAGE => SSSD 1.10 beta

Fields changed

patch: 0 => 1
status: new => assigned

resolution: => fixed
status: assigned => closed

Metadata Update from @sbose:
- Issue assigned to sbose
- Issue set to the milestone: SSSD 1.10 beta

3 years ago

SSSD is moving from Pagure to Github. This means that new issues and pull requests
will be accepted only in SSSD's github repository.

This issue has been cloned to Github and is available here:
- https://github.com/SSSD/sssd/issues/2884

If you want to receive further updates on the issue, please navigate to the github issue
and click on subscribe button.

Thank you for understanding. We apologize for all inconvenience.

Login to comment on this ticket.

Metadata