#3612 RFE: Provide a way to authenticate with one-way trusted AD domains
Closed: cloned-to-github 3 years ago by pbrezina. Opened 6 years ago by jhrozek.

This is a sanitized version of a useful comment Sumit Bose wrote in the downstream bugzilla.

In contrast to Windows clients, a RHEL/Linux client with SSSD cannot ask a DC of the joined domain for information about users from trusted domains, but has to connect to the DCs of the trusted domain to get this information. One reason is that the Windows-specific protocols used by Windows clients to get this data from the local DCs are not supported by SSSD. Another reason is that SSSD might need additional information about the user or group, e.g. POSIX attributes, which cannot be retrieved from the local DC.

Since AD does not allow anonymous LDAP binds, SSSD uses the machine account and the host keys stored in /etc/krb5.keytab to get a Kerberos ticket and then does an authenticated SASL bind to the LDAP (or Global Catalog) port of the domain controller. If the RHEL client is joined to FOO, the Kerberos TGT will be issued for HOSTNAME$@FOO. To access a service from a trusted domain BAR a cross-realm ticket is needed, in this case krbtgt/BAR@FOO. But due to the one-way trust this principal does not exist, because BAR does not trust principals from FOO, only the other way round.

If it is possible to have a generic account in BAR which can be used to look up the user and group information, you can set up a second domain (not a trusted domain) in sssd.conf for BAR with ldap_default_bind_dn and ldap_default_authtok (it would be possible to use Kerberos as well). Unfortunately those options are currently not available for the trusted domain configuration domain/foo/bar, which will cause some restrictions to cross-domain group memberships.

This RFE is about enabling cases like this by providing a way for the trusted domains to authenticate.
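The workaround described in the ticket, written out as an added sssd.conf example (this is not configuration from the ticket or from the SSSD project; the host names, search base, bind DN, keytab path and password are placeholders chosen for illustration):

```ini
# Added example, not from the ticket: the joined domain FOO plus a separate,
# non-trusted LDAP domain for BAR that binds with a generic lookup account.
# All host names, base DNs, the bind DN and the password are placeholders.
[sssd]
services = nss, pam
domains = foo.example, bar.example

# The joined domain: SSSD authenticates with the host keytab as usual.
[domain/foo.example]
id_provider = ad
access_provider = ad
ad_domain = foo.example

# BAR is configured as an independent LDAP domain, not as a trusted
# subdomain of FOO, so the generic-account bind options are available here.
[domain/bar.example]
id_provider = ldap
auth_provider = krb5
ldap_uri = ldaps://dc1.bar.example
ldap_search_base = dc=bar,dc=example
ldap_schema = ad
ldap_id_mapping = True
# Simple bind with a read-only generic account that exists in BAR (placeholder values).
ldap_default_bind_dn = CN=sssd-lookup,OU=ServiceAccounts,DC=bar,DC=example
ldap_default_authtok_type = password
ldap_default_authtok = PLACEHOLDER_PASSWORD
# Kerberos alternative mentioned in the ticket: a GSSAPI bind using a keytab
# that holds a BAR principal, instead of a password in the config file.
# ldap_sasl_mech = GSSAPI
# ldap_sasl_authid = sssd-lookup@BAR.EXAMPLE
# ldap_krb5_keytab = /etc/sssd/bar.keytab
krb5_realm = BAR.EXAMPLE
krb5_server = dc1.bar.example
```

Because the bind password is stored in clear text, sssd.conf must stay readable by root only (SSSD refuses to start otherwise), and the generic account should have no rights beyond reading directory objects. As the ticket notes, BAR is a standalone domain in this layout rather than a trusted subdomain of FOO, so group memberships that span both domains are not resolved the way they would be for a proper two-way trust.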


Metadata Update from @jhrozek:
- Custom field rhbz adjusted to https://bugzilla.redhat.com/show_bug.cgi?id=1529445

6 years ago

Metadata Update from @jhrozek:
- Issue set to the milestone: SSSD Future releases (no date set yet)
- Issue tagged with: RFE

6 years ago

Metadata Update from @thalman:
- Issue tagged with: Future milestone, bugzilla

4 years ago

SSSD is moving from Pagure to Github. This means that new issues and pull requests
will be accepted only in SSSD's github repository.

This issue has been cloned to Github and is available here:
- https://github.com/SSSD/sssd/issues/4633

If you want to receive further updates on the issue, please navigate to the github issue
and click on subscribe button.

Thank you for understanding. We apologize for all inconvenience.

Metadata Update from @pbrezina:
- Issue close_status updated to: cloned-to-github
- Issue status updated to: Closed (was: Open)

3 years ago

