#3655 SSSD produces suboptimal capaths for directly trusted domains

Created 2 months ago by abbra
Modified 2 months ago

I noticed that the capaths generator in SSSD does not handle the case when IPA has directly shared keys with a realm, e.g. for forest roots. SSSD generates the capath as FOO.BAR = { EXAMPLE.COM = FOO.BAR } in this case, while it should be FOO.BAR = { EXAMPLE.COM = . }. Notice the dot.

The difference is that the client has to perform one more transition via the FOO.BAR KDC. In a trace this looks like the following:

[4577] 1519979380.924180: Received TGT for RAWHIDE.VDA.LI; advancing current realm

instead of

[4610] 1519980114.944440: Received TGT for service realm: krbtgt/RAWHIDE.VDA.LI@L.IPA.COOL
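
As an added example (not SSSD or MIT krb5 code), the following Python parses the two [capaths] entries from the report, builds the realm walk for the FOO.BAR to EXAMPLE.COM pair under a simplified model of the client's path walk (assumption: client realm, then each listed intermediate in order, then the service realm; "." meaning direct trust with no intermediates), and flags intermediates that only add a redundant hop. The realm names are the ones from the report; the parser and the check are constructed for this example and only handle the nested REALM = { OTHER = VALUE } form shown here.

```python
"""Checker for [capaths] entries of the kind the ticket describes.

Added example, not SSSD or MIT krb5 code.  It parses the small
"REALM = { OTHER = VALUE }" subset of a krb5.conf [capaths] section, builds
the realm walk for a (client realm, service realm) pair and flags
intermediates that can only add a redundant hop.  The walk is a simplified
model (assumption): client realm, then each listed intermediate in order,
then the service realm; "." means direct trust, i.e. no intermediates.
"""
import re

# Constructed samples: the entry the ticket says SSSD generates for a
# directly trusted realm, and the entry it should generate instead.
SUBOPTIMAL = """\
[capaths]
    FOO.BAR = {
        EXAMPLE.COM = FOO.BAR
    }
"""

CORRECT = """\
[capaths]
    FOO.BAR = {
        EXAMPLE.COM = .
    }
"""

_OPEN = re.compile(r"([\w.\-]+)\s*=\s*\{$")      # REALM = {
_PAIR = re.compile(r"([\w.\-]+)\s*=\s*(\S+)$")   # OTHER = VALUE


def parse_capaths(text):
    """Return {client_realm: {service_realm: [intermediate realms]}}.

    Repeated lines for the same service realm append intermediates in
    order (how multi-hop paths are written); "." yields an empty list.
    """
    capaths = {}
    client = None
    in_capaths = False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(("#", ";")):
            continue
        if line.startswith("["):
            in_capaths = line == "[capaths]"
            client = None
            continue
        if not in_capaths:
            continue
        if line == "}":
            client = None
            continue
        m = _OPEN.match(line)
        if m:
            client = m.group(1)
            capaths.setdefault(client, {})
            continue
        m = _PAIR.match(line)
        if m and client is not None:
            service, value = m.groups()
            hops = capaths[client].setdefault(service, [])
            if value != ".":
                hops.append(value)
    return capaths


def realm_walk(capaths, client, service):
    """Realms the client visits, in order, to reach `service`."""
    intermediates = capaths.get(client, {}).get(service, [])
    return [client] + intermediates + [service]


def redundant_hops(capaths, client, service):
    """Intermediates that cannot shorten the path: the client realm itself,
    the service realm itself, or an immediate repeat of the previous realm."""
    walk = realm_walk(capaths, client, service)
    bad = []
    # zip pairs each intermediate (walk[1:-1]) with the realm before it
    for prev, realm in zip(walk, walk[1:-1]):
        if realm in (client, service) or realm == prev:
            bad.append(realm)
    return bad


if __name__ == "__main__":
    for label, text in (("suboptimal", SUBOPTIMAL), ("correct", CORRECT)):
        caps = parse_capaths(text)
        walk = realm_walk(caps, "FOO.BAR", "EXAMPLE.COM")
        bad = redundant_hops(caps, "FOO.BAR", "EXAMPLE.COM")
        print(f"{label}: {' -> '.join(walk)}; {len(walk) - 1} transition(s); "
              f"redundant intermediate(s): {bad or 'none'}")
```

Running it prints two transitions for the suboptimal entry, with FOO.BAR reported as a redundant intermediate, and one transition for the entry with the dot. The same check can be run over the capaths include file SSSD writes before it is picked up by libkrb5, to catch an intermediate that equals the client realm and so forces the extra hop seen in the trace above.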

2 months ago

Metadata Update from @jhrozek:
- Issue set to the milestone: SSSD 2.0
