#7172 Enterprise principals should be able to trigger a refresh of the trusted domain data in the KDC
Closed: fixed 2 years ago Opened 2 years ago by sbose.

During 'ipa trust-add ...' information about the trusted forest, its domain and domain suffices are written into the replicated LDAP tree to make this data available to clients and other services.

E.g. the KDC needs this information to know how to handle tickets from the trusted forest. If an unknown domain is found while the ticket is processed ipadb_reinit_mspac() is called to refresh the data.

Since some time IPA supports enterprise principals and can redirect a client to a different realm if the KDC assumes the principal comes from a trusted domain. To do this the data about the trusted forest is needed as well.

Since some time SSSD also enables enterprise principals automatically if it detects the alternative domain suffixes are defined for the trusted domain. As a result the clients will start sending kinit request with enterprise principals which the KDC currently cannot handle because ipadb_reinit_mspac() is only called while processing remote tickets but while processing AS request.

To reproduce setup a new trust and the call

KRB5_TRACE=/dev/stdout kinit -E abc@TRUSTED.FOREST

As a response you will receive a 'Client not found in Kerberos database' from the IPA KDC. And this will not change if no other traffic triggers an update of the trusted domain data in the KDC.

After a restart the IPA KDC will return a 'Realm not local to KDC' together with the name of the realm the client should check next. This restart should not be needed and after a reasonable timeout (currently ipadb_reinit_mspac() uses 60s) the KDC should be able to handle update data of the trusted forest.


Metadata Update from @sbose:
- Issue assigned to sbose

2 years ago

Metadata Update from @sbose:
- Custom field rhbz adjusted to https://bugzilla.redhat.com/show_bug.cgi?id=1496775

2 years ago

Metadata Update from @tkrizek:
- Custom field on_review adjusted to https://github.com/freeipa/freeipa/pull/1115
- Issue priority set to: critical
- Issue set to the milestone: FreeIPA 4.5.4

2 years ago

master:

  • fe1aad7 ipa-kdb: reinit trusted domain data for enterprise principals

ipa-4-6:

  • f7da701 ipa-kdb: reinit trusted domain data for enterprise principals

ipa-4-5:

  • 4e74685 ipa-kdb: reinit trusted domain data for enterprise principals

Metadata Update from @tkrizek:
- Issue close_status updated to: fixed
- Issue status updated to: Closed (was: Open)

2 years ago

Login to comment on this ticket.

Metadata