#3125 [RFE] Build a Global Catalog Service
Opened 6 years ago by simo. Modified 5 months ago

We found out at the Ad Interop lab that modern versions of Windows (Win7, Win8, 2008R2, 2012) never fall back to lsarpc for Sid-name resolution. They all try to access the Global Catalog and fall back to try straight LDAP if that fails, if LDAP also fails they just return an error.

This means we should probably build a Global Catalog Service to serve trusted realm clients.

We can build this service in a few ways. Possible ideas are:

  • plugin that opens GC port and serves data
  • new instance that we synchronize one way from the main instance
  • proxy instance that uses a plugin to transform the main instance data on the fly

Eventually we may also use it to cache info for our own domain clients, but that would be low prio for now.


Rename "trusts" component to "Trusts" to achieve correct sorting.

Alexander owns this feature.

Delayed due to FreeIPA 3.3.x Trust bugfixing efforts.

Moving to needs triage so that we can revisit the target milestone of this feature.

Stretch goal, after One-Way trusts.

Too late to be included in 4.2 - moving to later release.

Metadata Update from @simo:
- Issue assigned to abbra
- Issue set to the milestone: FreeIPA 4.5

2 years ago

Metadata Update from @mbasti:
- Issue close_status updated to: None
- Issue set to the milestone: FreeIPA 4.5.1 (was: FreeIPA 4.5)

2 years ago

Metadata Update from @pvoborni:
- Issue set to the milestone: FreeIPA 4.7 (was: FreeIPA 4.5.1)

2 years ago

This issue seems to always get pushed to later releases but in my experience it makes a truly two-way trust between Windows AD and IPA impossible. For example i can't just grant an ipa user access to a cifs share on a Windows server 2016 and using samba with freeipa to deliver network shares to Windows 10 Machines also does not work.

So effectively until this is resolved i cannot authenticate network shares against IPA, which is kind of a big limitation and would merit more attention, or am i mistaken?

No need to remind about its importance. When there will be enough progress to allow independent testing, I'll update this ticket.

Current progress can be checked with my talk at SambaXP 2017: https://vda.li/talks/2017/SambaXP/freeipa_gc.pdf

Metadata Update from @rcritten:
- Issue set to the milestone: FreeIPA 4.7.1 (was: FreeIPA 4.7)

9 months ago

FreeIPA 4.7 has been released, moving to FreeIPA 4.7.1 milestone

Metadata Update from @abbra:
- Issue set to the milestone: FreeIPA 4.8 (was: FreeIPA 4.7.1)

8 months ago

Moving to at least FreeIPA 4.8 release to avoid giving false hopes to anyone watching this issue. At the moment we are fixing more urgent issues around trust (like read-only one-way trust).

This is a huge issue for us.

When is v4.8 due out?

My comment from 3 months ago still stands. There is no magic in release version numbers -- the feature is not currently worked on due to other, more prioritized and urgent, issues.

Login to comment on this ticket.

Metadata