Issue #8319: Support server referrals for enterprise principals - freeipa

freeipa

#8319 Support server referrals for enterprise principals

Closed: fixed 4 years ago by abbra. Opened 4 years ago by abbra.

When S4U2Self is requested by a service from IPA realm utilizing enterprise principal, impersonated user might actually come from a trusted forest. In such case the target service will not receive PAC of the user in the current implementation of FreeIPA KDB driver.

PAC record in the S4U2Self can be used by the service to obtain most up to date information about user's group membership as seen by the client's realm KDC. There are applications which utilize this: Microsoft SQL Server is one of those, but https://github.com/SSSD/sssd/issues/5043 suggests we want it to be supported for SSSD as well.

The purpose of this ticket is to track initial S4U2Self over cross-realm support for enterprise princpials. While there are limits of what could be supported in MIT Kerberos before 1.18, we probably can make the path of 'service in IPA realm, client in AD forest' supported.

Metadata Update from @abbra:
- Issue assigned to abbra
- Issue set to the milestone: FreeIPA 4.8

4 years ago

abbra commented 4 years ago

PR: https://github.com/freeipa/freeipa/pull/4677

abbra commented 4 years ago

master:

0317255 ipa-kdb: add UPN_DNS_INFO PAC structure
23a4953 ipa-print-pac: acquire and print PAC record for a user
0f881ca ipa-tests: add a test to make sure MS-PAC is produced by KDC
44a255d kdb: add minimal server referrals support for enterprise principals
015ae27 ipa-kdb: add asserted identity SIDs
3e20a96 ipa-kdb: Always allow services to get PAC if needed
3611fc5 ipa-kdb: add primary group to list of groups in MS-PAC
ef59cb8 ipa-kdb: cache local TGS in the driver context
b5876f3 ipa-kdb: refactor principal lookup to support S4U2Self correctly
52da0d6 test_smb: test S4U2Self operation by IPA service
4ff972c azure: do not run test_commands due to failures in low memory cases

abbra commented 4 years ago

ipa-4-8:

4723100 ipa-kdb: add UPN_DNS_INFO PAC structure
1a01e46 ipa-print-pac: acquire and print PAC record for a user
ca99bf2 ipa-tests: add a test to make sure MS-PAC is produced by KDC
1990e39 kdb: add minimal server referrals support for enterprise principals
110812b ipa-kdb: add asserted identity SIDs
741f64f ipa-kdb: Always allow services to get PAC if needed
6c844c7 ipa-kdb: add primary group to list of groups in MS-PAC
68a0790 ipa-kdb: cache local TGS in the driver context
601151e ipa-kdb: refactor principal lookup to support S4U2Self correctly
eeb7004 test_smb: test S4U2Self operation by IPA service
5f292b2 azure: do not run test_commands due to failures in low memory cases

Metadata Update from @abbra:
- Issue close_status updated to: fixed
- Issue status updated to: Closed (was: Open)

4 years ago

rcritten commented 4 years ago

master:

676774d kdb: handle enterprise principal lookup in AS_REQ
28389fe Add design page for managing IPA resources as a user from a trusted Active Directory forest
ecc0a96 support using trust-related operations in the server console
973e0c0 idviews: handle unqualified ID override lookups from Web UI
bee4204 Support adding user ID overrides as group and role members
306304b tests: account for ID overrides as members of groups and roles
0ba64b1 Web UI: allow users from trusted Active Directory forest manage IPA
9248d23 ipatests: test that adding Active Directory user to a role makes it an administrator

rcritten commented 4 years ago

ipa-4-8:

6abade3 kdb: handle enterprise principal lookup in AS_REQ
afe9191 support using trust-related operations in the server console
2ffb4fd idviews: handle unqualified ID override lookups from Web UI
8cce2bb Support adding user ID overrides as group and role members
5e8df37 tests: account for ID overrides as members of groups and roles
99e613e Web UI: allow users from trusted Active Directory forest manage IPA
6b0f8f3 ipatests: test that adding Active Directory user to a role makes it an administrator

Metadata

Assignee

abbra

Tags

None

Blocking

None

Depending on

None

Priority

None

Milestone

FreeIPA 4.8

None

affects_doc

None

source

None

knownissue

None

type

None

blockedby

None

test_case

None

component

None

blocking

None

on_review

None

keywords

None

test_coverage

None

reviewer

None

external_tracker

None

tester

None

changelog

None

design

None

rhbz

None

freeipa

Source Code

#8319 Support server referrals for enterprise principals Closed: fixed 4 years ago by abbra. Opened 4 years ago by abbra.

Metadata

#8319 Support server referrals for enterprise principals

Closed: fixed 4 years ago by abbra. Opened 4 years ago by abbra.