9a31b21 trust-mod: allow modifying list of UPNs of a trusted forest

3 files Authored by abbra 2 years ago , Committed by mbabinsk 2 years ago ,
    trust-mod: allow modifying list of UPNs of a trusted forest
    
    There are two ways for maintaining user principal names (UPNs) in Active
    Directory:
     - associate UPN suffixes with the forest root and then allow for each
       user account to choose UPN suffix for logon
     - directly modify userPrincipalName attribute in LDAP
    
    Both approaches lead to the same result: AD DC accepts user@UPN-Suffix
    as a proper principal in AS-REQ and TGS-REQ.
    
    The latter (directly modify userPrincipalName) case has a consequence
    that this UPN suffix is not visible via netr_DsRGetForestTrustInformation
    DCE RPC call. As result, FreeIPA KDC will not know that a particular UPN
    suffix does belong to a trusted Active Directory forest. As result, SSSD
    will not be able to authenticate and validate this user from a trusted
    Active Directory forest.
    
    This is especially true for one-word UPNs which otherwise wouldn't work
    properly on Kerberos level for both FreeIPA and Active Directory.
    
    Administrators are responsible for amending the list of UPNs associated
    with the forest in this case. With this commit, an option is added to
    'ipa trust-mod' that allows specifying arbitrary UPN suffixes to a
    trusted forest root.
    
    As with all '-mod' commands, the change replaces existing UPNs when
    applied, so administrators are responsible to specify all of them:
    
      ipa trust-mod ad.test --upn-suffixes={existing.upn,another_upn,new}
    
    Fixes: https://pagure.io/freeipa/issue/7015
    Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>
    
        
file modified
+2 -1
file modified
+2 -2
file modified
+2 -1