When IPA ticket #3909 is resolved, IPA LDAP will have information about subdomains of the trusted forests.
In order to issue tickets to principals coming from those subdomains, IPA KDC needs to know explicit trust paths, configured in krb5.conf via 'capaths' stanza.
SSSD should be able to pull the data and write capaths down for all IPA clients (the same trust path resolution code is in use by both MIT KDC and client library).
Each container (cn=TRUSTED.DOMAIN,cn=ad,cn=trusts,SUFFIX) will have subdomains linked to TRUSTED.DOMAIN. Therefore, for each of them a separate capaths is needed. Additionally, a reverse capaths for IPA realm is required.
[capaths]
SUBDOM.SUB = {
  IPA.LAB = DOM2.BAR
}
IPA.LAB = {
  SUBDOM.SUB = DOM2.BAR
}
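As an added illustration (not code from SSSD or FreeIPA), the following Python renders the stanza described above from a trust topology. The function names and the dict shape of the input are assumptions; realm names are validated before they are written, so values read from the directory cannot alter the structure of krb5.conf.

```python
import re

# Conservative realm syntax: uppercase DNS-style labels only, so a value read
# from the directory cannot inject braces, '=' or newlines into krb5.conf.
_LABEL = r"[A-Z0-9](?:[A-Z0-9-]*[A-Z0-9])?"
_REALM_RE = re.compile(r"%s(?:\.%s)*" % (_LABEL, _LABEL))


def _realm(name):
    """Normalise a realm name to upper case and reject unsafe values."""
    realm = name.strip().upper()
    if not _REALM_RE.fullmatch(realm):
        raise ValueError("unsafe realm name: %r" % name)
    return realm


def render_capaths(ipa_realm, forests):
    """Render a [capaths] section as a string.

    ipa_realm: the IPA realm.
    forests:   dict mapping each trusted forest root to its subdomains
               (assumed shape for the data that would be read from the
               cn=TRUSTED.DOMAIN,cn=ad,cn=trusts,SUFFIX containers).
    """
    ipa = _realm(ipa_realm)
    paths = []  # (subdomain, forest root used as the intermediate realm)
    for root_name in sorted(forests):
        root = _realm(root_name)
        for sub_name in sorted(forests[root_name]):
            sub = _realm(sub_name)
            if sub in (root, ipa):
                continue  # the forest root itself needs no intermediate realm
            paths.append((sub, root))

    lines = ["[capaths]"]
    # One block per subdomain: client realm = { server realm = intermediate }
    for sub, root in paths:
        lines += ["%s = {" % sub, "  %s = %s" % (ipa, root), "}"]
    if paths:
        # A single reverse block for the IPA realm, listing every subdomain.
        lines.append("%s = {" % ipa)
        lines += ["  %s = %s" % (sub, root) for sub, root in paths]
        lines.append("}")
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    # Constructed topology using the realm names from the ticket.
    print(render_capaths("IPA.LAB", {"DOM2.BAR": ["SUBDOM.SUB"]}))
```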
Do I see it correctly that the same functionality can be achieved by adding a check_transited_realms method to the KDC DAL driver? If this is the case it might still be useful to let sssd add capaths because it looks like there is no reference implementation for this method, so it might take a bit of research to get it working. Nevertheless I think it should be handled by the DAL driver in the long run.
If we can do it in DAL, we should do it in DAL. However, I'm also concerned about IPA clients -- they need to know whom to talk back to, especially when logging in AD users by password rather than with Kerberos and then making a ticket for them.
In the latter case capaths on client side should be used.
Fields changed
owner: somebody => sbose
status: new => assigned
Please note that fixing this ticket makes https://fedorahosted.org/sssd/ticket/2080 invalid.
patch: 0 => 1
milestone: NEEDS_TRIAGE => SSSD 1.11.1
rhbz: => 0
resolution: => fixed
status: assigned => closed
Metadata Update from @abbra:
- Issue assigned to sbose
- Issue set to the milestone: SSSD 1.11.1
SSSD is moving from Pagure to Github. This means that new issues and pull requests will be accepted only in SSSD's github repository.
This issue has been cloned to Github and is available here: https://github.com/SSSD/sssd/issues/3135
If you want to receive further updates on the issue, please navigate to the github issue and click on subscribe button.
Thank you for understanding. We apologize for all inconvenience.