#7015 allow to modify list of UPNs of a trusted forest
Closed: fixed 6 years ago Opened 6 years ago by abbra.

There are two ways for maintaining user principal names (UPNs) in Active
Directory:
- associate UPN suffixes with the forest root and then allow each user account to choose a UPN suffix for logon;
- directly modify the userPrincipalName attribute in LDAP

Both approaches lead to the same result: AD DC accepts user@UPN-Suffix as a proper principal in AS-REQ and TGS-REQ.

The latter (directly modifying userPrincipalName) case has a consequence that this UPN suffix is not visible via the netr_DsRGetForestTrustInformation DCE RPC call. As a result, the FreeIPA KDC will not know that a particular UPN suffix belongs to a trusted Active Directory forest. As a result, SSSD will not be able to authenticate and validate this user from a trusted Active Directory forest.

This is especially true for one-word UPNs, which otherwise wouldn't work properly on the Kerberos level for both FreeIPA and Active Directory.

Administrators are responsible for amending the list of UPNs associated with the forest in this case. With this commit, an option is added to 'ipa trust-mod' that allows specifying arbitrary UPN suffixes to a trusted forest root.
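The lookup the ticket describes, as an added example in Python that is not FreeIPA's or the ticket author's code: a trusted forest is modelled with the suffixes the RPC call advertises plus an admin-maintained list, and a principal's suffix is resolved to a forest root or to nothing, which is the failure case the ticket describes for UPNs set directly on userPrincipalName. The data structures, function names, the sample forest and principals, and the pre-add validation are this example's own assumptions; the attribute name ipaNTAdditionalSuffixes mentioned in a comment and the exact name of the new 'ipa trust-mod' option are not stated on the page and are assumptions too.

```python
"""Model of UPN-suffix resolution against trusted AD forests (added example,
not FreeIPA code). All trust data and principals are constructed for the demo."""

from dataclasses import dataclass, field


@dataclass
class ForestTrust:
    """One trusted AD forest as the IPA side sees it."""
    forest_root: str
    # Suffixes returned by netr_DsRGetForestTrustInformation (forest-wide UPN suffixes).
    advertised_suffixes: set = field(default_factory=set)
    # Suffixes an admin adds by hand for UPNs set directly in userPrincipalName;
    # the ticket's 'ipa trust-mod' change maintains such a list (storing it in
    # ipaNTAdditionalSuffixes is this example's assumption, not stated on the page).
    additional_suffixes: set = field(default_factory=set)

    def known_suffixes(self):
        """All suffixes that route to this forest, normalised for comparison."""
        names = {self.forest_root} | self.advertised_suffixes | self.additional_suffixes
        return {n.lower().rstrip(".") for n in names}


def split_principal(principal):
    """Split 'name@SUFFIX' on the last '@'; anything else is not a UPN-style principal."""
    name, sep, suffix = principal.rpartition("@")
    if not sep or not name or not suffix:
        raise ValueError("not a user@suffix principal: %r" % principal)
    return name, suffix


def resolve_forest(principal, trusts):
    """Return the forest root the principal's suffix belongs to, or None when no
    trusted forest claims it (the KDC then cannot route the AS-REQ/TGS-REQ)."""
    _, suffix = split_principal(principal)
    key = suffix.lower().rstrip(".")
    for trust in trusts:
        if key in trust.known_suffixes():
            return trust.forest_root
    return None


def add_upn_suffix(trust, suffix, ipa_domain):
    """Admin-side check before amending the list (example's own check): reject
    malformed suffixes and any suffix that overlaps the IPA domain itself, which
    would make IPA principals ambiguous with the trusted forest's."""
    s = suffix.strip().lower().rstrip(".")
    if not s or "@" in s or any(c.isspace() for c in s):
        raise ValueError("invalid UPN suffix: %r" % suffix)
    ipa = ipa_domain.lower()
    if s == ipa or s.endswith("." + ipa):
        raise ValueError("suffix %r overlaps the IPA domain %r" % (s, ipa_domain))
    trust.additional_suffixes.add(s)
    return trust


IPA_DOMAIN = "ipa.example.com"  # constructed


def make_trust():
    # Constructed forest: the root advertises its own name and one forest-wide
    # suffix; 'CORP' was set directly on userPrincipalName in AD and is therefore
    # not visible over the RPC call.
    return ForestTrust("ad.example.com", {"ad.example.com", "sales.example.com"})


def demo():
    trust = make_trust()
    before = resolve_forest("alice@CORP", [trust])   # None: one-word suffix unknown
    add_upn_suffix(trust, "CORP", IPA_DOMAIN)         # admin amends the list
    after = resolve_forest("alice@CORP", [trust])    # "ad.example.com"
    return before, after


if __name__ == "__main__":
    print(resolve_forest("bob@sales.example.com", [make_trust()]))
    print(demo())
```

The advertised and additional lists are kept apart on purpose: the first can be refreshed from the RPC call at any time, while the second is the administrator's responsibility and must survive such a refresh.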


Metadata Update from @pvoborni:
- Custom field rhbz adjusted to https://bugzilla.redhat.com/show_bug.cgi?id=1461053

6 years ago

Metadata Update from @mbabinsk:
- Issue priority set to: critical
- Issue set to the milestone: FreeIPA 4.5.2

6 years ago

ipa-4-5:

  • 9a31b21 trust-mod: allow modifying list of UPNs of a trusted forest

master:

  • abb6384 trust-mod: allow modifying list of UPNs of a trusted forest

Metadata Update from @mbabinsk:
- Issue close_status updated to: fixed
- Issue status updated to: Closed (was: Open)

6 years ago

master:

  • b25412f WebUI: add support for changing trust UPN suffixes

ipa-4-5:

  • e22b618 WebUI: add support for changing trust UPN suffixes
