#5668 trust topology code must handle overlapping TLNs
Closed: Duplicate. Opened 8 years ago by abbra.

Section 6.1.6.9.3.2 "Building Well-Formed msDS-TrustForestTrustInfo Messages" of MS-ADTS lays out the rules for proper top level names (TLNs) for the forest being trusted. We need to check if the forest we are about to trust is a subordinate or one of our realm domains and create corresponding TLN exclusion entries in addition to the TLN entries; otherwise the trust would not be usable.

Below is an example where IPA realm [VDA.LI] establishes an AD trust with [SAMBA-AD.VDA.LI] and the latter places IPA into disabled mode because samba-ad.vda.li is a subordinate of vda.li.

```
# samba-tool domain trust show vda.li
LocalDomain Netbios[SAMBA-AD] DNS[samba-ad.vda.li] SID[S-1-5-21-3444333510-3074350722-3801041152]
TrusteDomain:

NetbiosName:    VDALI
DnsName:        vda.li
SID:            S-1-5-21-245462123-1556963680-2572160461
Type:           0x2 (UPLEVEL)
Direction:      0x3 (BOTH)
Attributes:     0x8 (FOREST_TRANSITIVE)
PosixOffset:    0x00000000 (0)
kerb_EncTypes:  0x1c (RC4_HMAC_MD5,AES128_CTS_HMAC_SHA1_96,AES256_CTS_HMAC_SHA1_96)
Namespaces[1] TDO[vda.li]:
TLN: Status[Disabled-Conflicting]     DNS[*.vda.li]
```
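A small model of the rule the ticket describes, added here as an illustration and not taken from FreeIPA or Samba: given the local forest's domain names and the trusted forest's TLNs, it emits a TLN exclusion for every local domain that sits under a trusted TLN (the samba-ad.vda.li under vda.li case from the output above) and marks a TLN that is identical to a local domain as conflicting. The `Record` type, its field names and the helper functions are assumptions made for this example.

```python
"""Model of TLN / TLN-exclusion bookkeeping in the spirit of MS-ADTS 6.1.6.9.3.2.
Added example, not FreeIPA or Samba code; record layout is an assumption."""
from dataclasses import dataclass


def _labels(name: str) -> list[str]:
    """Split a DNS name into lower-cased labels, ignoring a trailing dot."""
    return name.lower().rstrip(".").split(".")


def is_subordinate(child: str, parent: str) -> bool:
    """True if `child` lies strictly below `parent` in the DNS tree.

    Label-wise comparison avoids the classic suffix-string mistake where
    'notvda.li' would wrongly count as being under 'vda.li'.
    """
    c, p = _labels(child), _labels(parent)
    return len(c) > len(p) and c[-len(p):] == p


@dataclass(frozen=True)
class Record:
    kind: str            # "TLN" (top level name) or "TLN_EX" (exclusion)
    name: str
    status: str = "Enabled"


def build_forest_trust_info(local_domains: list[str],
                            trusted_tlns: list[str]) -> list[Record]:
    """Records the local forest keeps about a trusted forest's namespace.

    For each trusted TLN that covers one of our own domains, add a TLN
    exclusion for that domain so the TLN can stay enabled instead of
    ending up Disabled-Conflicting. A trusted TLN equal to one of our
    domains cannot be carved out and is recorded as conflicting.
    """
    records: list[Record] = []
    for tln in trusted_tlns:
        if any(_labels(tln) == _labels(dom) for dom in local_domains):
            records.append(Record("TLN", tln, "Disabled-Conflicting"))
            continue
        records.append(Record("TLN", tln))
        for dom in local_domains:
            if is_subordinate(dom, tln):
                records.append(Record("TLN_EX", dom))
    return records


if __name__ == "__main__":
    # Constructed input mirroring the ticket: Samba AD is samba-ad.vda.li,
    # the trusted IPA forest advertises the TLN vda.li.
    for rec in build_forest_trust_info(["samba-ad.vda.li"], ["vda.li"]):
        print(rec)
```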

ab: needed for proper Samba AD coordination, depends on fixes on Samba side too (I'm driving that)

4.4.0 was released, moving open tickets to 4.4.1

Closing as duplicate of ticket #6076.

Metadata Update from @abbra:
- Issue assigned to someone
- Issue set to the milestone: FreeIPA 4.4.2

7 years ago
