#8319 Support server referrals for enterprise principals
Closed: fixed 3 years ago by abbra. Opened 3 years ago by abbra.

When S4U2Self is requested by a service from the IPA realm using an enterprise principal, the impersonated user might actually come from a trusted forest. In such a case the target service will not receive the user's PAC in the current implementation of the FreeIPA KDB driver.

The PAC record in the S4U2Self response can be used by the service to obtain the most up-to-date information about the user's group membership as seen by the client realm's KDC. There are applications which use this: Microsoft SQL Server is one of them, and https://github.com/SSSD/sssd/issues/5043 suggests we want it supported for SSSD as well.

The purpose of this ticket is to track initial S4U2Self over cross-realm support for enterprise principals. While there are limits to what can be supported in MIT Kerberos before 1.18, we probably can make the 'service in IPA realm, client in AD forest' path work.
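As an added illustration (not code from FreeIPA's ipa-kdb), the decision a KDC in the IPA realm has to make when it sees an enterprise principal: does the UPN suffix belong to the local realm, to a trusted forest (answer with a referral instead of a local lookup), or to nobody it knows (the request cannot be served). Realm names and the trust table are constructed sample data.

```python
# Added illustration, not FreeIPA's KDB driver code. Models the referral
# decision for enterprise principals: the name carries a UPN (user@suffix)
# and the suffix, not the Kerberos realm in the request, decides who owns
# the user. Realm names and the trust table below are constructed.
import re
from typing import Optional, Tuple

LOCAL_REALM = "IPA.EXAMPLE.TEST"
LOCAL_UPN_SUFFIXES = {"ipa.example.test"}

# Constructed trust table: trusted forest realm -> UPN suffixes it owns.
TRUSTED_FORESTS = {
    "AD.EXAMPLE.TEST": {"ad.example.test", "corp.example.test"},
    "OTHER.EXAMPLE.TEST": {"other.example.test"},
}


def parse_enterprise_principal(name: str) -> Tuple[str, str]:
    """Split 'user@suffix@REALM' (or the escaped form 'user\\@suffix@REALM')
    into (UPN, realm). The realm follows the last unescaped '@'; everything
    before it is the UPN with any '\\@' escape removed."""
    at_signs = list(re.finditer(r"(?<!\\)@", name))
    if not at_signs:
        raise ValueError("enterprise principal must carry a realm: %r" % name)
    split = at_signs[-1].start()
    upn = name[:split].replace("\\@", "@")
    realm = name[split + 1:]
    if "@" not in upn:
        raise ValueError("enterprise principal name must be a UPN: %r" % name)
    return upn, realm


def referral_realm_for(enterprise_name: str) -> Optional[str]:
    """None when the user is local; the trusted forest's realm when the KDC
    should answer with a referral; LookupError when no trust covers the
    UPN suffix, i.e. the client cannot be served from this realm."""
    upn, realm = parse_enterprise_principal(enterprise_name)
    if realm.upper() != LOCAL_REALM:
        raise LookupError("request is not addressed to %s: %r" % (LOCAL_REALM, realm))
    suffix = upn.rsplit("@", 1)[1].lower()
    if suffix in LOCAL_UPN_SUFFIXES:
        return None
    for forest_realm, suffixes in TRUSTED_FORESTS.items():
        if suffix in suffixes:
            return forest_realm
    raise LookupError("no trust covers UPN suffix %r" % suffix)
```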


Metadata Update from @abbra:
- Issue assigned to abbra
- Issue set to the milestone: FreeIPA 4.8

3 years ago

master:

  • 0317255 ipa-kdb: add UPN_DNS_INFO PAC structure
  • 23a4953 ipa-print-pac: acquire and print PAC record for a user
  • 0f881ca ipa-tests: add a test to make sure MS-PAC is produced by KDC
  • 44a255d kdb: add minimal server referrals support for enterprise principals
  • 015ae27 ipa-kdb: add asserted identity SIDs
  • 3e20a96 ipa-kdb: Always allow services to get PAC if needed
  • 3611fc5 ipa-kdb: add primary group to list of groups in MS-PAC
  • ef59cb8 ipa-kdb: cache local TGS in the driver context
  • b5876f3 ipa-kdb: refactor principal lookup to support S4U2Self correctly
  • 52da0d6 test_smb: test S4U2Self operation by IPA service
  • 4ff972c azure: do not run test_commands due to failures in low memory cases

ipa-4-8:

  • 4723100 ipa-kdb: add UPN_DNS_INFO PAC structure
  • 1a01e46 ipa-print-pac: acquire and print PAC record for a user
  • ca99bf2 ipa-tests: add a test to make sure MS-PAC is produced by KDC
  • 1990e39 kdb: add minimal server referrals support for enterprise principals
  • 110812b ipa-kdb: add asserted identity SIDs
  • 741f64f ipa-kdb: Always allow services to get PAC if needed
  • 6c844c7 ipa-kdb: add primary group to list of groups in MS-PAC
  • 68a0790 ipa-kdb: cache local TGS in the driver context
  • 601151e ipa-kdb: refactor principal lookup to support S4U2Self correctly
  • eeb7004 test_smb: test S4U2Self operation by IPA service
  • 5f292b2 azure: do not run test_commands due to failures in low memory cases

Metadata Update from @abbra:
- Issue close_status updated to: fixed
- Issue status updated to: Closed (was: Open)

3 years ago

master:

  • 676774d kdb: handle enterprise principal lookup in AS_REQ
  • 28389fe Add design page for managing IPA resources as a user from a trusted Active Directory forest
  • ecc0a96 support using trust-related operations in the server console
  • 973e0c0 idviews: handle unqualified ID override lookups from Web UI
  • bee4204 Support adding user ID overrides as group and role members
  • 306304b tests: account for ID overrides as members of groups and roles
  • 0ba64b1 Web UI: allow users from trusted Active Directory forest manage IPA
  • 9248d23 ipatests: test that adding Active Directory user to a role makes it an administrator

ipa-4-8:

  • 6abade3 kdb: handle enterprise principal lookup in AS_REQ
  • afe9191 support using trust-related operations in the server console
  • 2ffb4fd idviews: handle unqualified ID override lookups from Web UI
  • 8cce2bb Support adding user ID overrides as group and role members
  • 5e8df37 tests: account for ID overrides as members of groups and roles
  • 99e613e Web UI: allow users from trusted Active Directory forest manage IPA
  • 6b0f8f3 ipatests: test that adding Active Directory user to a role makes it an administrator
