Ticket was cloned from Red Hat Bugzilla (product Red Hat Enterprise Linux 8): Bug 1891056
Description of problem:

[MS-ADTS] 6.1.6.9.3.2 requires the msDS-TrustForestTrustInfo attribute of trusted domain information in Active Directory to conform to certain rules. One side-effect of those rules is that the list of UPN suffixes reported through the netr_DsRGetForestTrustInformation function is dynamically filtered to deduplicate subordinate suffixes. It means that if the list of UPN suffixes contains the following top level names (TLNs):

fabrikam.com
sub.fabrikam.com

then netr_DsRGetForestTrustInformation would only return 'fabrikam.com' as the TLN, fully filtering 'sub.fabrikam.com'.

The IPA KDB driver used exact comparison of the UPN suffixes, so any subordinate had to be specified exactly. Modify the logic so that if the exact check does not succeed, we validate the realm under test as being a subordinate of the known UPN suffixes. The subordinate check is done by making sure the UPN suffix is at the end of the test realm and is immediately preceded by a dot.

Because the function to check suffixes is potentially called for every Kerberos principal, precalculate and cache the length of each UPN suffix at the time we retrieve the list of them.

Version-Release number of selected component (if applicable):

How reproducible:

Steps to Reproduce:
1.
2.
3.

Actual results:

Expected results:

Additional info:
6.1.6.9.3.2 Building Well-Formed msDS-TrustForestTrustInfo Messages
https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-adts/2994b19c-04ff-430d-b788-c82d334b31bc
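The subordinate-suffix check described above, written out as an added example (this is illustrative code, not the FreeIPA KDB driver's own implementation; `struct upn_suffix`, `build_suffix_list`, `realm_matches_upn_suffix` and `is_trusted_realm` are hypothetical names, and DNS-style case-insensitive comparison is an assumption). The suffix lengths are cached once when the list is built, and a realm matches only on an exact hit or when the suffix sits at the very end and is immediately preceded by a dot, so `notfabrikam.com` and `fabrikam.com.example` are both rejected.

```c
#include <stdbool.h>
#include <string.h>
#include <strings.h>

/* One trusted-forest UPN suffix (TLN) with its length cached at list-build
 * time, so the per-principal check never recomputes strlen(). Hypothetical
 * type, not FreeIPA's own. */
struct upn_suffix {
    const char *name;
    size_t len;     /* cached strlen(name) */
};

/* Build the cached list from a NULL-terminated array of suffix strings. */
static size_t build_suffix_list(const char *const *names, struct upn_suffix *out, size_t max)
{
    size_t n = 0;
    for (; n < max && names[n] != NULL; n++) {
        out[n].name = names[n];
        out[n].len = strlen(names[n]);
    }
    return n;
}

/* True if realm is exactly a known suffix, or a subordinate of one: the
 * suffix must end the realm and the character right before it must be '.'.
 * Case-insensitive comparison is an assumption (DNS-style names). */
bool realm_matches_upn_suffix(const char *realm, const struct upn_suffix *list, size_t n)
{
    size_t rlen = strlen(realm);
    for (size_t i = 0; i < n; i++) {
        size_t slen = list[i].len;
        if (slen == 0)
            continue;
        /* exact check first, as the original driver did */
        if (rlen == slen && strcasecmp(realm, list[i].name) == 0)
            return true;
        /* subordinate: room for at least one label, then '.', then the suffix */
        if (rlen > slen + 1 && realm[rlen - slen - 1] == '.' &&
            strcasecmp(realm + (rlen - slen), list[i].name) == 0)
            return true;
    }
    return false;
}

/* Constructed sample list: the TLN from the ticket, built (and lengths cached) once. */
static const char *const sample_names[] = { "fabrikam.com", NULL };
static struct upn_suffix sample_list[4];
static size_t sample_count;

bool is_trusted_realm(const char *realm)
{
    if (sample_count == 0)
        sample_count = build_suffix_list(sample_names, sample_list, 4);
    return realm_matches_upn_suffix(realm, sample_list, sample_count);
}
```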
Metadata Update from @rcritten: - Custom field rhbz adjusted to https://bugzilla.redhat.com/show_bug.cgi?id=1891056
master:
ipa-4-8:
Metadata Update from @rcritten: - Issue close_status updated to: fixed - Issue status updated to: Closed (was: Open)
ipa-4-9: