#8554 ipa-kdb: support subordinate/superior UPN suffixes
Closed: fixed 3 years ago by rcritten. Opened 3 years ago by rcritten.

Ticket was cloned from Red Hat Bugzilla (product Red Hat Enterprise Linux 8): Bug 1891056

Description of problem:
[MS-ADTS] 6.1.6.9.3.2 requires the msDS-TrustForestTrustInfo attribute of
trusted domain information in Active Directory to conform to certain rules.
One side-effect of those rules is that the list of UPN suffixes reported
through the netr_DsRGetForestTrustInformation function is dynamically
filtered to deduplicate subordinate suffixes.

This means that if the list of UPN suffixes contains the following top level
names (TLNs):

fabrikam.com
sub.fabrikam.com

then netr_DsRGetForestTrustInformation would only return 'fabrikam.com'
as the TLN, fully filtering 'sub.fabrikam.com'.

The IPA KDB driver used an exact comparison of the UPN suffixes, so any
subordinate had to be specified exactly.

Modify the logic so that if the exact check does not succeed, we validate
whether the realm under test is a subordinate of one of the known UPN
suffixes. The subordinate check is done by making sure the UPN suffix is at
the end of the test realm and is immediately preceded by a dot.

Because the suffix-check function is potentially called for every Kerberos
principal, precalculate and cache the length of each UPN suffix at the time
we retrieve the list of them.

Version-Release number of selected component (if applicable):


How reproducible:


Steps to Reproduce:
1.
2.
3.

Actual results:


Expected results:


Additional info:
6.1.6.9.3.2 Building Well-Formed msDS-TrustForestTrustInfo Messages
https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-adts/2994b19c-04ff-430d-b788-c82d334b31bc

Metadata Update from @rcritten:
- Custom field rhbz adjusted to https://bugzilla.redhat.com/show_bug.cgi?id=1891056

3 years ago

master:

  • 8b6d1ab ipa-kdb: support subordinate/superior UPN suffixes

ipa-4-8:

  • 1f0702b ipa-kdb: support subordinate/superior UPN suffixes

Metadata Update from @rcritten:
- Issue close_status updated to: fixed
- Issue status updated to: Closed (was: Open)

3 years ago

master:

  • 442038c ipatests: support subordinate upn suffixes
  • 0da6a57 ad trust: accept subordinate domains of the forest trust root

ipa-4-8:

  • d5cca83 ipatests: support subordinate upn suffixes
  • 6b224e5 ad trust: accept subordinate domains of the forest trust root

ipa-4-9:

  • 7e605e9 ipatests: support subordinate upn suffixes
  • 381cc5e ad trust: accept subordinate domains of the forest trust root

master:

  • 4a1cb7e ipatests: rewrite test for requests routing to subordinate suffixes

ipa-4-9:

  • 0d9f988 ipatests: rewrite test for requests routing to subordinate suffixes

ipa-4-8:

  • 1582da7 ipatests: rewrite test for requests routing to subordinate suffixes
