#2093 sssd should write capaths for IPA trusted forests' subdomains
Closed: Fixed None Opened 5 years ago by abbra.

When IPA ticket #3909 is resolved, IPA LDAP will have information about subdomains of the trusted forests.

In order to issue tickets to principals coming from those subdomains, IPA KDC needs to know explicit trust paths, configured in krb5.conf via 'capaths' stanza.

SSSD should be able to pull the data and write capaths down for all IPA clients (the same trust path resolution code is in use by both MIT KDC and client library).

Each container (cn=TRUSTED.DOMAIN,cn=ad,cn=trusts,SUFFIX) will have subdomains linked to TRUSTED.DOMAIN. Therefore, for each of them a separate capaths is needed. Additionally, a reverse capaths for IPA realm is required.

[capaths]
SUBDOM.SUB = {
     IPA.LAB = DOM2.BAR
}
IPA.LAB = {
     SUBDOM.SUB = DOM2.BAR
}
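
The stanza above, generalised to any number of subdomains of one trusted forest, as an added example (not SSSD's or IPA's code): it writes the forward and reverse capaths entries and parses them back so the result can be checked before it goes into krb5.conf. It assumes every subdomain is a direct child of the forest root, so the forest root realm is the only intermediate realm on each path.

```python
# Added example (not SSSD code): build the [capaths] stanza that an IPA
# client would need for the subdomains of one trusted AD forest.
# Assumption: every subdomain is a direct child of the forest root, so the
# only intermediate realm on the path between IPA and a subdomain is the
# forest root realm (DOM2.BAR in the ticket).


def capaths_stanza(ipa_realm, forest_root, subdomains):
    """Return the [capaths] text: one forward entry per subdomain (subdomain
    -> IPA realm via the forest root) plus the reverse entries for the IPA
    realm, grouped in a single block."""
    ipa_realm, forest_root = ipa_realm.upper(), forest_root.upper()
    # the forest root has a direct trust with IPA and needs no entry
    subs = sorted({s.upper() for s in subdomains} - {forest_root})
    lines = ["[capaths]"]
    for sub in subs:
        lines += [f"{sub} = {{", f"     {ipa_realm} = {forest_root}", "}"]
    lines.append(f"{ipa_realm} = {{")
    lines += [f"     {sub} = {forest_root}" for sub in subs]
    lines.append("}")
    return "\n".join(lines) + "\n"


def parse_capaths(text):
    """Parse the stanza back into {client_realm: {server_realm: intermediate}}
    so the generated file can be checked before it is dropped into krb5.conf.
    Only the single-intermediate form written above is understood."""
    paths, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("["):
            continue
        if line.endswith("= {"):
            current = line[:-3].strip()
            paths[current] = {}
        elif line == "}":
            current = None
        elif current is not None:
            server, inter = (p.strip() for p in line.split("=", 1))
            paths[current][server] = inter
    return paths


if __name__ == "__main__":
    print(capaths_stanza("IPA.LAB", "DOM2.BAR", ["subdom.sub", "dom2.bar"]))
```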

Do I see it correctly that the same functionality can be achieved by adding a check_transited_realms method to the KDC DAL driver? If this is the case it might still be useful to let sssd add capaths because it looks there is no reference implementation for this method, so it might take a bit of research to get it working. Nevertheless I think it should be handled by the DAL driver in the long run.

If we can do it in DAL, we should do it in DAL. However, I'm concerned also about IPA clients -- they need to know whom to talk back, especially when logging-in AD users by password rather than with Kerberos and then making a ticket for them.

In the latter case capaths on client side should be used.

Fields changed

owner: somebody => sbose
status: new => assigned

Please note that fixing this ticket makes https://fedorahosted.org/sssd/ticket/2080 invalid.

patch: 0 => 1

Fields changed

milestone: NEEDS_TRIAGE => SSSD 1.11.1
rhbz: => 0

resolution: => fixed
status: assigned => closed

Metadata Update from @abbra:
- Issue assigned to sbose
- Issue set to the milestone: SSSD 1.11.1

2 years ago
