#1987 Improve handling of enterprise principals with multiple AD domains
Closed: Duplicate None Opened 10 years ago by sbose.

In https://bugzilla.redhat.com/show_bug.cgi?id=963818 two issue could be identified when SSSD was configured with two AD domains and enterprise principals were enabled for both domains. In this case there was a trust between both domains which mainly triggers the first issue. If there is no trust between the two AD domains the second issue would block authentication to one of the domains.

The two issues are:
1. The principal used in the TGS request was used to find a matching keytab entry for validation. Ideally a service principal from the realm of the user is taken for validation. When enterprise principals (or canonization) is used the realm of the principal used in the request and the realm in the returned ticket might differ. The realm from the ticket should be taken instead the one from the request.

  1. When an enterprise principal is created the default realm is required and added to the given principal. As a result the TGS result is send to the KDC of the default realm. Currently the default realm is taken from krb5.conf (if it is not defined there, authentication fails). If there is more than one AD domains configured in SSSD this will in general fail because there is only one default realm which will only work for one of the two domains. the krb5_child should set the default realm explicitly if enterprise principals are used.

sorry, #1931 is already tracking the BZ ticket.

resolution: => duplicate
status: new => closed

Metadata Update from @sbose:
- Issue assigned to sbose
- Issue set to the milestone: NEEDS_TRIAGE

7 years ago

SSSD is moving from Pagure to Github. This means that new issues and pull requests
will be accepted only in SSSD's github repository.

This issue has been cloned to Github and is available here:
- https://github.com/SSSD/sssd/issues/3029

If you want to receive further updates on the issue, please navigate to the github issue
and click on subscribe button.

Thank you for understanding. We apologize for all inconvenience.

Login to comment on this ticket.

Metadata